divert(-1)
#
# Directory patterns (dir)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. directory type
#
#
# Regular file patterns (file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# Symbolic link patterns (lnk_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# (Un)named Pipes/FIFO patterns (fifo_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# (Un)named sockets patterns (sock_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# Block device node patterns (blk_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# Character device node patterns (chr_file)
#
# Parameters:
# 1. domain type
# 2. container (directory) type
# 3. file type
#
#
# File type_transition patterns
#
# filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
#
#
# filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
#
#
# unix domain socket patterns
#
########################################
#
# Macros for switching between source policy
# and loadable policy module support
#
##############################
#
# For adding the module statement
#
##############################
#
# For use in interfaces, to optionally insert a require block
#
# helper function, since m4 wont expand macros
# if a line is a comment (#):
##############################
#
# In the future interfaces should be in loadable modules
#
# template(name,rules)
#
##############################
#
# In the future interfaces should be in loadable modules
#
# interface(name,rules)
#
##############################
#
# Optional policy handling
#
##############################
#
# Determine if we should use the default
# tunable value as specified by the policy
# or if the override value should be used
#
##############################
#
# Extract booleans out of an expression.
# This needs to be reworked so expressions
# with parentheses can work.
##############################
#
# Tunable declaration
#
##############################
#
# Tunable policy handling
#
########################################
#
# Helper macros
#
#
# shiftn(num,list...)
#
# shift the list num times
#
#
# ifndef(expr,true_block,false_block)
#
# m4 does not have this.
#
#
# __endline__
#
# dummy macro to insert a newline. used for
# errprint, so the close parentheses can be
# indented correctly.
#
########################################
#
# refpolwarn(message)
#
# print a warning message
#
########################################
#
# refpolerr(message)
#
# print an error message. does not
# make anything fail.
#
########################################
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
########################################
#
# gen_context(context,mls_sensitivity,[mcs_categories])
#
########################################
#
# can_exec(domain,executable)
#
########################################
#
# gen_bool(name,default_value)
#
#
# Specified domain transition patterns
#
# compatibility:
#
# Automatic domain transition patterns
#
# compatibility:
#
# Dynamic transition pattern
#
#
# Other process permissions
#
########################################
#
# gen_cats(N)
#
# declares categores c0 to c(N-1)
#
########################################
#
# gen_sens(N)
#
# declares sensitivites s0 to s(N-1) with dominance
# in increasing numeric order with s0 lowest, s(N-1) highest
#
########################################
#
# gen_levels(N,M)
#
# levels from s0 to (N-1) with categories c0 to (M-1)
#
########################################
#
# Basic level names for system low and high
#
########################################
#
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.
#
# All directory and file classes
#
#
# All non-directory file classes.
#
#
# Non-device file classes.
#
#
# Device file classes.
#
#
# All socket classes.
#
#
# Datagram socket classes.
#
#
# Stream socket classes.
#
#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
########################################
#
# Macros for sets of permissions
#
#
# Permissions to mount and unmount file systems.
#
#
# Permissions for using sockets.
#
#
# Permissions for creating and using sockets.
#
#
# Permissions for using stream sockets.
#
#
# Permissions for creating and using stream sockets.
#
#
# Permissions for creating and using sockets.
#
#
# Permissions for creating and using sockets.
#
#
# Permissions for creating and using netlink sockets.
#
#
# Permissions for using netlink sockets for operations that modify state.
#
#
# Permissions for using netlink sockets for operations that observe state.
#
#
# Permissions for sending all signals.
#
#
# Permissions for sending and receiving network packets.
#
#
# Permissions for using System V IPC
#
########################################
#
# New permission sets
#
#
# Directory (dir)
#
#
# Regular file (file)
#
#
# Symbolic link (lnk_file)
#
#
# (Un)named Pipes/FIFOs (fifo_file)
#
#
# (Un)named Sockets (sock_file)
#
#
# Block device nodes (blk_file)
#
#
# Character device nodes (chr_file)
#
#
# Anonymous inode files (anon_inode)
#
########################################
#
# Special permission sets
#
#
# Use (read and write) terminals
#
#
# Sockets
#
#
# Keys
#
#
# Service
#
#
# perf_event
#
## Policy for the kernel modules, kernel image, and bootloader.
########################################
##
## Execute bootloader in the bootloader domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bootloader_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_domtrans'($*)) dnl
gen_require(`
type bootloader_t, bootloader_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bootloader_exec_t, bootloader_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_domtrans'($*)) dnl
')
######################################
##
## Execute bootloader in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`bootloader_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_exec'($*)) dnl
gen_require(`
type bootloader_exec_t;
')
can_exec($1, bootloader_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_exec'($*)) dnl
')
########################################
##
## Execute bootloader interactively and do
## a domain transition to the bootloader domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bootloader_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_run'($*)) dnl
gen_require(`
type bootloader_t;
attribute_role bootloader_roles;
')
bootloader_domtrans($1)
roleattribute $2 bootloader_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_run'($*)) dnl
')
########################################
##
## Read the bootloader configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`bootloader_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_read_config'($*)) dnl
gen_require(`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_read_config'($*)) dnl
')
########################################
##
## Read and write the bootloader
## configuration file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`bootloader_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_rw_config'($*)) dnl
gen_require(`
type bootloader_etc_t;
')
allow $1 bootloader_etc_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_rw_config'($*)) dnl
')
########################################
##
## Manage the bootloader
## configuration file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`bootloader_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_manage_config'($*)) dnl
gen_require(`
type bootloader_etc_t;
')
manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_manage_config'($*)) dnl
')
########################################
##
## Read and write the bootloader
## temporary data in /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`bootloader_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_rw_tmp_files'($*)) dnl
gen_require(`
type bootloader_tmp_t;
')
files_search_tmp($1)
allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_rw_tmp_files'($*)) dnl
')
########################################
##
## Read and write the bootloader
## temporary data in /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`bootloader_create_runtime_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_create_runtime_file'($*)) dnl
gen_require(`
type boot_runtime_t;
')
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_create_runtime_file'($*)) dnl
')
########################################
##
## Type transition files created in /etc
##
##
##
## Domain allowed access.
##
##
#
define(`bootloader_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_filetrans_config'($*)) dnl
gen_require(`
type bootloader_etc_t;
')
files_etc_filetrans($1,bootloader_etc_t,file, "grub")
files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_filetrans_config'($*)) dnl
')
##
## Determine of the console connected to the controlling terminal.
##
########################################
##
## Execute consoletype in the consoletype domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`consoletype_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consoletype_domtrans'($*)) dnl
gen_require(`
type consoletype_t, consoletype_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, consoletype_exec_t, consoletype_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consoletype_domtrans'($*)) dnl
')
########################################
##
## Execute consoletype in the consoletype domain, and
## allow the specified role the consoletype domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`consoletype_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consoletype_run'($*)) dnl
gen_require(`
type consoletype_t;
')
consoletype_domtrans($1)
role $2 types consoletype_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consoletype_run'($*)) dnl
')
########################################
##
## Execute consoletype in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`consoletype_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consoletype_exec'($*)) dnl
gen_require(`
type consoletype_exec_t;
')
corecmd_search_bin($1)
can_exec($1, consoletype_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consoletype_exec'($*)) dnl
')
## Policy for dmesg.
########################################
##
## Execute dmesg in the dmesg domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dmesg_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmesg_domtrans'($*)) dnl
gen_require(`
type dmesg_t, dmesg_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dmesg_exec_t, dmesg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmesg_domtrans'($*)) dnl
')
########################################
##
## Execute dmesg in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dmesg_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmesg_exec'($*)) dnl
gen_require(`
type dmesg_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dmesg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmesg_exec'($*)) dnl
')
## Network analysis utilities
########################################
##
## Execute network utilities in the netutils domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`netutils_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans'($*)) dnl
gen_require(`
type netutils_t, netutils_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, netutils_exec_t, netutils_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans'($*)) dnl
')
########################################
##
## Execute network utilities in the netutils domain, and
## allow the specified role the netutils domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`netutils_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run'($*)) dnl
gen_require(`
type netutils_t;
')
netutils_domtrans($1)
allow $1 netutils_t:process { signal sigkill };
role $2 types netutils_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run'($*)) dnl
')
########################################
##
## Execute network utilities in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec'($*)) dnl
gen_require(`
type netutils_exec_t;
')
corecmd_search_bin($1)
can_exec($1, netutils_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec'($*)) dnl
')
########################################
##
## Send generic signals to network utilities.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_signal'($*)) dnl
gen_require(`
type netutils_t;
')
allow $1 netutils_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_signal'($*)) dnl
')
########################################
##
## Execute ping in the ping domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`netutils_domtrans_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans_ping'($*)) dnl
gen_require(`
type ping_t, ping_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ping_exec_t, ping_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans_ping'($*)) dnl
')
########################################
##
## Send a kill (SIGKILL) signal to ping.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_kill_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_kill_ping'($*)) dnl
gen_require(`
type ping_t;
')
allow $1 ping_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_kill_ping'($*)) dnl
')
########################################
##
## Send generic signals to ping.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_signal_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_signal_ping'($*)) dnl
gen_require(`
type ping_t;
')
allow $1 ping_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_signal_ping'($*)) dnl
')
########################################
##
## Execute ping in the ping domain, and
## allow the specified role the ping domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`netutils_run_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_ping'($*)) dnl
gen_require(`
type ping_t;
')
netutils_domtrans_ping($1)
role $2 types ping_t;
allow $1 ping_t:process { signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_ping'($*)) dnl
')
########################################
##
## Conditionally execute ping in the ping domain, and
## allow the specified role the ping domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`netutils_run_ping_cond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_ping_cond'($*)) dnl
gen_require(`
type ping_t;
bool selinuxuser_ping;
')
role $2 types ping_t;
if ( selinuxuser_ping ) {
netutils_domtrans_ping($1)
allow $1 ping_t:process { signal sigkill };
}
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_ping_cond'($*)) dnl
')
########################################
##
## Execute ping in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_exec_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec_ping'($*)) dnl
gen_require(`
type ping_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ping_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec_ping'($*)) dnl
')
########################################
##
## Execute traceroute in the traceroute domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`netutils_domtrans_traceroute',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans_traceroute'($*)) dnl
gen_require(`
type traceroute_t, traceroute_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, traceroute_exec_t, traceroute_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans_traceroute'($*)) dnl
')
########################################
##
## Execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`netutils_run_traceroute',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute'($*)) dnl
gen_require(`
type traceroute_t;
')
netutils_domtrans_traceroute($1)
allow $1 traceroute_t:process { signal sigkill };
role $2 types traceroute_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_traceroute'($*)) dnl
')
########################################
##
## Conditionally execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`netutils_run_traceroute_cond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute_cond'($*)) dnl
gen_require(`
type traceroute_t;
bool selinuxuser_ping;
')
role $2 types traceroute_t;
if( selinuxuser_ping ) {
netutils_domtrans_traceroute($1)
allow $1 traceroute_t:process { signal sigkill };
}
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_traceroute_cond'($*)) dnl
')
########################################
##
## Execute traceroute in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`netutils_exec_traceroute',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec_traceroute'($*)) dnl
gen_require(`
type traceroute_exec_t;
')
corecmd_search_bin($1)
can_exec($1, traceroute_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec_traceroute'($*)) dnl
')
## Run shells with substitute user and group
#######################################
##
## Restricted su domain template.
##
##
##
## This template creates a derived domain which is allowed
## to change the linux user id, to run shells as a different
## user.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the user domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`su_restricted_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `su_restricted_domain_template'($*)) dnl
gen_require(`
type su_exec_t;
')
type $1_su_t;
domain_entry_file($1_su_t, su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
allow $2 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
allow $1_su_t self:netlink_selinux_socket create_socket_perms;
# Transition from the user domain to this domain.
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
kernel_getattr_core_if($1_su_t)
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
kernel_link_key($1_su_t)
# for SSP
dev_read_urand($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
# for the rootok check
selinux_compute_access_vector($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
domain_use_interactive_fds($1_su_t)
init_dontaudit_use_fds($1_su_t)
init_dontaudit_use_script_ptys($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
init_search_script_keys($1_su_t)
init_getattr_initctl($1_su_t)
logging_send_syslog_msg($1_su_t)
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
auth_domtrans_upd_passwd($1_su_t)
optional_policy(`
locallogin_search_keys($1_su_t)
')
')
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
')
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`
kerberos_use($1_su_t)
')
optional_policy(`
# used when the password has expired
usermanage_read_crack_db($1_su_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `su_restricted_domain_template'($*)) dnl
')
#######################################
##
## The role template for the su module.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`su_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `su_role_template'($*)) dnl
gen_require(`
attribute su_domain_type;
type su_exec_t;
bool secure_mode;
')
type $1_su_t, su_domain_type;
userdom_user_application_domain($1_su_t, su_exec_t)
domain_interactive_fd($1_su_t)
role $2 types $1_su_t;
allow $1_su_t self:netlink_selinux_socket create_socket_perms;
allow $3 $1_su_t:process signal;
allow $1_su_t $3:key search;
# Transition from the user domain to this domain.
domtrans_pattern($3, su_exec_t, $1_su_t)
ps_process_pattern($3, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t, $3)
allow $3 $1_su_t:fd use;
allow $3 $1_su_t:fifo_file rw_file_perms;
allow $3 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_dontaudit_getattr_core_if($1_su_t)
auth_use_pam($1_su_t)
init_dontaudit_getattr_initctl($1_su_t)
mls_file_write_all_levels($1_su_t)
logging_send_syslog_msg($1_su_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `su_role_template'($*)) dnl
')
#######################################
##
## Execute su in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`su_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `su_exec'($*)) dnl
gen_require(`
type su_exec_t;
')
corecmd_search_bin($1)
can_exec($1, su_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `su_exec'($*)) dnl
')
## Execute a command with a substitute user
#######################################
##
## The role template for the sudo module.
##
##
##
## This template creates a derived domain which is allowed
## to change the linux user id, to run commands as a different
## user.
##
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## The user role.
##
##
##
##
## The user domain associated with the role.
##
##
#
define(`sudo_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_role_template'($*)) dnl
gen_require(`
type sudo_exec_t;
type sudo_db_t;
attribute sudodomain;
')
##############################
#
# Declarations
#
type $1_sudo_t, sudodomain;
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
domain_role_change_exemption($1_sudo_t)
role $2 types $1_sudo_t;
userdom_home_manager($1_sudo_t)
type $1_sudo_tmp_t;
files_tmp_file($1_sudo_tmp_t)
allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
allow $1_sudo_t $3:dir search_dir_perms;;
allow $1_sudo_t $3:file read_file_perms;;
allow $1_sudo_t $3:key search;
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
userdom_domtrans_user_home($1_sudo_t, $3)
userdom_domtrans_user_tmp($1_sudo_t, $3)
domain_entry_file($3, sudo_exec_t)
domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
kernel_read_system_state($1_sudo_t)
seutil_libselinux_linked($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2)
auth_use_nsswitch($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
logging_read_syslog_pid($1_sudo_t)
term_use_generic_ptys($1_sudo_t)
term_setattr_generic_ptys($1_sudo_t)
optional_policy(`
mta_role($2, $1_sudo_t)
')
optional_policy(`
rpm_run($1_sudo_t, $2)
')
optional_policy(`
kerberos_manage_host_rcache($1_sudo_t)
kerberos_read_config($1_sudo_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_role_template'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the sudo domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sudo_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_sigchld'($*)) dnl
gen_require(`
attribute sudodomain;
')
allow $1 sudodomain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_sigchld'($*)) dnl
')
#######################################
##
## Allow execute sudo in called domain.
## This interfaces is added for nova-stack policy.
##
##
##
## Domain allowed access.
##
##
#
define(`sudo_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_exec'($*)) dnl
gen_require(`
type sudo_exec_t;
')
can_exec($1, sudo_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_exec'($*)) dnl
')
######################################
##
## Allow to manage sudo database in called domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sudo_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_manage_db'($*)) dnl
gen_require(`
type sudo_db_t;
')
manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
manage_files_pattern($1, sudo_db_t, sudo_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_manage_db'($*)) dnl
')
## Policy for managing user accounts.
########################################
##
## Execute chfn in the chfn domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_chfn',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_chfn'($*)) dnl
gen_require(`
type chfn_t, chfn_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, chfn_exec_t, chfn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_chfn'($*)) dnl
')
########################################
##
## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`usermanage_run_chfn',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_chfn'($*)) dnl
gen_require(`
attribute_role chfn_roles;
type chfn_t;
')
usermanage_domtrans_chfn($1)
roleattribute $2 chfn_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_chfn'($*)) dnl
')
########################################
##
## Execute groupadd in the groupadd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_groupadd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_groupadd'($*)) dnl
gen_require(`
type groupadd_t, groupadd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_groupadd'($*)) dnl
')
########################################
##
## Check access to the groupadd executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_access_check_groupadd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_access_check_groupadd'($*)) dnl
gen_require(`
type groupadd_exec_t;
')
corecmd_search_bin($1)
allow $1 groupadd_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_access_check_groupadd'($*)) dnl
')
########################################
##
## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usermanage_run_groupadd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_groupadd'($*)) dnl
gen_require(`
type groupadd_t;
attribute_role groupadd_roles;
')
usermanage_domtrans_groupadd($1)
roleattribute $2 groupadd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_groupadd'($*)) dnl
')
########################################
##
## Execute passwd in the passwd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_passwd'($*)) dnl
gen_require(`
type passwd_t, passwd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, passwd_exec_t, passwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_passwd'($*)) dnl
')
########################################
##
## Send sigkills to passwd.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_kill_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_kill_passwd'($*)) dnl
gen_require(`
type passwd_t;
')
allow $1 passwd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_kill_passwd'($*)) dnl
')
########################################
##
## Check if the passwd binary is executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_check_exec_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_check_exec_passwd'($*)) dnl
gen_require(`
type passwd_exec_t;
')
allow $1 passwd_exec_t:file { execute getattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_check_exec_passwd'($*)) dnl
')
########################################
##
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`usermanage_run_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_passwd'($*)) dnl
gen_require(`
type passwd_t;
attribute_role passwd_roles;
')
usermanage_domtrans_passwd($1)
roleattribute $2 passwd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_passwd'($*)) dnl
')
########################################
##
## Check access to the passwd executable
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_access_check_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_access_check_passwd'($*)) dnl
gen_require(`
type passwd_exec_t;
')
corecmd_search_bin($1)
allow $1 passwd_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_access_check_passwd'($*)) dnl
')
########################################
##
## Execute password admin functions in
## the admin passwd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_admin_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_admin_passwd'($*)) dnl
gen_require(`
type sysadm_passwd_t, admin_passwd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_admin_passwd'($*)) dnl
')
########################################
##
## Execute passwd admin functions in the admin
## passwd domain, and allow the specified role
## the admin passwd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usermanage_run_admin_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_admin_passwd'($*)) dnl
gen_require(`
type sysadm_passwd_t;
attribute_role sysadm_passwd_roles;
')
usermanage_domtrans_admin_passwd($1)
roleattribute $2 sysadm_passwd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_admin_passwd'($*)) dnl
')
########################################
##
## Do not audit attempts to use useradd fds.
##
##
##
## Domain to not audit.
##
##
#
define(`usermanage_dontaudit_use_useradd_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_dontaudit_use_useradd_fds'($*)) dnl
gen_require(`
type useradd_t;
')
dontaudit $1 useradd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_dontaudit_use_useradd_fds'($*)) dnl
')
########################################
##
## Execute useradd in the useradd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_useradd'($*)) dnl
gen_require(`
type useradd_t, useradd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, useradd_exec_t, useradd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_useradd'($*)) dnl
')
########################################
##
## Check if the useradd binaries are executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_check_exec_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_check_exec_useradd'($*)) dnl
gen_require(`
type useradd_exec_t;
')
allow $1 useradd_exec_t:file { execute getattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_check_exec_useradd'($*)) dnl
')
########################################
##
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usermanage_run_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_useradd'($*)) dnl
gen_require(`
attribute_role useradd_roles;
type useradd_t;
')
usermanage_domtrans_useradd($1)
roleattribute $2 useradd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_useradd'($*)) dnl
')
########################################
##
## Check access to the useradd executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_access_check_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_access_check_useradd'($*)) dnl
gen_require(`
type useradd_exec_t;
')
corecmd_search_bin($1)
allow $1 useradd_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_access_check_useradd'($*)) dnl
')
########################################
##
## Read the crack database.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_read_crack_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_read_crack_db'($*)) dnl
gen_require(`
type crack_db_t;
')
files_search_var($1)
read_files_pattern($1, crack_db_t, crack_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_read_crack_db'($*)) dnl
')
## Filesystem namespacing/polyinstantiation application.
########################################
##
## Execute a domain transition to run seunshare.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seunshare_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seunshare_domtrans'($*)) dnl
gen_require(`
type seunshare_t, seunshare_exec_t;
')
domtrans_pattern($1, seunshare_exec_t, seunshare_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seunshare_domtrans'($*)) dnl
')
########################################
##
## Execute seunshare in the seunshare domain, and
## allow the specified role the seunshare domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`seunshare_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seunshare_run'($*)) dnl
gen_require(`
type seunshare_t;
')
seunshare_domtrans($1)
role $2 types seunshare_t;
allow $1 seunshare_t:process signal_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seunshare_run'($*)) dnl
')
########################################
##
## The role template for the seunshare module.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`seunshare_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seunshare_role_template'($*)) dnl
gen_require(`
attribute seunshare_domain;
type seunshare_exec_t;
')
type $1_seunshare_t, seunshare_domain;
application_domain($1_seunshare_t, seunshare_exec_t)
role $2 types $1_seunshare_t;
kernel_read_system_state($1_seunshare_t)
domain_dyntrans_type($1_seunshare_t)
auth_use_nsswitch($1_seunshare_t)
logging_send_syslog_msg($1_seunshare_t)
mls_process_set_level($1_seunshare_t)
domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
allow $1_seunshare_t $3:unix_stream_socket getattr;
# part of sandboxX.pp
optional_policy(`
sandbox_x_transition($1_seunshare_t, $2)
')
# part of sandbox.pp
optional_policy(`
sandbox_transition($1_seunshare_t, $2)
')
ps_process_pattern($3, $1_seunshare_t)
dontaudit $1_seunshare_t $3:file read;
allow $3 $1_seunshare_t:process signal_perms;
allow $3 $1_seunshare_t:fd use;
allow $1_seunshare_t $3:process transition;
dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
corecmd_bin_domtrans($1_seunshare_t, $1_t)
corecmd_shell_domtrans($1_seunshare_t, $1_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seunshare_role_template'($*)) dnl
')
## ABRT - automated bug-reporting tool
########################################
##
## abrt stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_stub'($*)) dnl
gen_require(`
type abrt_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_stub'($*)) dnl
')
######################################
##
## Creates types and rules for a basic
## ABRT daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`abrt_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_basic_types_template'($*)) dnl
gen_require(`
attribute abrt_domain;
')
type $1_t, abrt_domain;
type $1_exec_t;
kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_basic_types_template'($*)) dnl
')
######################################
##
## Execute abrt in the abrt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_domtrans'($*)) dnl
gen_require(`
type abrt_t, abrt_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, abrt_exec_t, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_domtrans'($*)) dnl
')
######################################
##
## Execute abrt_dump_oops in the abrt_dump_oops_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_dump_oops_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dump_oops_domtrans'($*)) dnl
gen_require(`
type abrt_dump_oops_t, abrt_dump_oops_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dump_oops_domtrans'($*)) dnl
')
######################################
##
## Execute abrt in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_exec'($*)) dnl
gen_require(`
type abrt_exec_t;
')
corecmd_search_bin($1)
can_exec($1, abrt_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_exec'($*)) dnl
')
########################################
##
## Send a null signal to abrt.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_signull'($*)) dnl
gen_require(`
type abrt_t;
')
allow $1 abrt_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_signull'($*)) dnl
')
########################################
##
## Allow the domain to read abrt state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_state'($*)) dnl
gen_require(`
type abrt_t;
')
kernel_search_proc($1)
ps_process_pattern($1, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_state'($*)) dnl
')
########################################
##
## Connect to abrt over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_stream_connect'($*)) dnl
gen_require(`
type abrt_t, abrt_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_stream_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## abrt over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dbus_chat'($*)) dnl
gen_require(`
type abrt_t;
class dbus send_msg;
')
allow $1 abrt_t:dbus send_msg;
allow abrt_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dbus_chat'($*)) dnl
')
#####################################
##
## Execute abrt-helper in the abrt-helper domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_domtrans_helper'($*)) dnl
gen_require(`
type abrt_helper_t, abrt_helper_exec_t;
')
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_domtrans_helper'($*)) dnl
')
########################################
##
## Execute abrt helper in the abrt_helper domain, and
## allow the specified role the abrt_helper domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`abrt_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_run_helper'($*)) dnl
gen_require(`
attribute_role abrt_helper_roles;
')
abrt_domtrans_helper($1)
roleattribute $2 abrt_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_run_helper'($*)) dnl
')
########################################
##
## Read abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_cache'($*)) dnl
gen_require(`
type abrt_var_cache_t;
')
read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_cache'($*)) dnl
')
########################################
##
## Append abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_append_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_append_cache'($*)) dnl
gen_require(`
type abrt_var_cache_t;
')
allow $1 abrt_var_cache_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_append_cache'($*)) dnl
')
########################################
##
## Read/Write inherited abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_rw_inherited_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_rw_inherited_cache'($*)) dnl
gen_require(`
type abrt_var_cache_t;
')
allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_rw_inherited_cache'($*)) dnl
')
########################################
##
## Manage abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_manage_cache'($*)) dnl
gen_require(`
type abrt_var_cache_t;
')
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_manage_cache'($*)) dnl
')
########################################
##
## Map abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_map_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_map_cache'($*)) dnl
gen_require(`
type abrt_var_cache_t;
')
allow $1 abrt_var_cache_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_map_cache'($*)) dnl
')
####################################
##
## Read abrt configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_config'($*)) dnl
gen_require(`
type abrt_etc_t;
')
files_search_etc($1)
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_config'($*)) dnl
')
####################################
##
## Dontaudit read abrt configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dontaudit_read_config'($*)) dnl
gen_require(`
type abrt_etc_t;
')
files_search_etc($1)
dontaudit $1 abrt_etc_t:dir list_dir_perms;
dontaudit $1 abrt_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dontaudit_read_config'($*)) dnl
')
######################################
##
## Read abrt logs.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_log'($*)) dnl
gen_require(`
type abrt_var_log_t;
')
logging_search_logs($1)
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_log'($*)) dnl
')
######################################
##
## Read abrt PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_pid_files'($*)) dnl
gen_require(`
type abrt_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_pid_files'($*)) dnl
')
######################################
##
## Create, read, write, and delete abrt PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_manage_pid_files'($*)) dnl
gen_require(`
type abrt_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_manage_pid_files'($*)) dnl
')
########################################
##
## Read and write abrt fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_rw_fifo_file'($*)) dnl
gen_require(`
type abrt_t;
')
allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_rw_fifo_file'($*)) dnl
')
########################################
##
## Execute abrt server in the abrt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_systemctl'($*)) dnl
gen_require(`
type abrt_t;
type abrt_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 abrt_unit_file_t:file manage_file_perms;
allow $1 abrt_unit_file_t:service manage_service_perms;
ps_process_pattern($1, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_systemctl'($*)) dnl
')
#####################################
##
## All of the rules required to administrate
## an abrt environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the abrt domain.
##
##
##
#
define(`abrt_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_admin'($*)) dnl
gen_require(`
type abrt_t, abrt_etc_t;
type abrt_var_cache_t, abrt_var_log_t;
type abrt_var_run_t, abrt_tmp_t;
type abrt_initrc_exec_t;
type abrt_unit_file_t;
')
allow $1 abrt_t:process { signal_perms };
ps_process_pattern($1, abrt_t)
tunable_policy(`deny_ptrace',`',`
allow $1 abrt_t:process ptrace;
')
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, abrt_etc_t)
logging_list_logs($1)
admin_pattern($1, abrt_var_log_t)
files_list_var($1)
admin_pattern($1, abrt_var_cache_t)
files_list_pids($1)
admin_pattern($1, abrt_var_run_t)
files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
abrt_systemctl($1)
admin_pattern($1, abrt_unit_file_t)
allow $1 abrt_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_admin'($*)) dnl
')
####################################
##
## Execute abrt-retrace in the abrt-retrace domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_domtrans_retrace_worker',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_domtrans_retrace_worker'($*)) dnl
gen_require(`
type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_domtrans_retrace_worker'($*)) dnl
')
######################################
##
## Manage abrt retrace server cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_manage_spool_retrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_manage_spool_retrace'($*)) dnl
gen_require(`
type abrt_retrace_spool_t;
')
manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_manage_spool_retrace'($*)) dnl
')
#####################################
##
## Read abrt retrace server cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_spool_retrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_spool_retrace'($*)) dnl
gen_require(`
type abrt_retrace_spool_t;
')
list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_spool_retrace'($*)) dnl
')
#####################################
##
## Read abrt retrace server cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_cache_retrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_cache_retrace'($*)) dnl
gen_require(`
type abrt_retrace_cache_t;
')
list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_cache_retrace'($*)) dnl
')
########################################
##
## Do not audit attempts to write abrt sock files
##
##
##
## Domain to not audit.
##
##
#
define(`abrt_dontaudit_write_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dontaudit_write_sock_file'($*)) dnl
gen_require(`
type abrt_t;
')
dontaudit $1 abrt_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dontaudit_write_sock_file'($*)) dnl
')
########################################
##
## Transition to abrt named content
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_filetrans_named_content'($*)) dnl
gen_require(`
type abrt_tmp_t;
type abrt_etc_t;
type abrt_var_cache_t;
type abrt_var_run_t;
')
files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_filetrans_named_content'($*)) dnl
')
## AccountsService and daemon for manipulating user account information via D-Bus.
########################################
##
## Execute a domain transition to
## run accountsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`accountsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_domtrans'($*)) dnl
gen_require(`
type accountsd_t, accountsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, accountsd_exec_t, accountsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_domtrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write Accounts Daemon fifo files.
##
##
##
## Domain to not audit.
##
##
#
define(`accountsd_dontaudit_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_dontaudit_rw_fifo_file'($*)) dnl
gen_require(`
type accountsd_t;
')
dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_dontaudit_rw_fifo_file'($*)) dnl
')
########################################
##
## Send and receive messages from
## accountsd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_dbus_chat'($*)) dnl
gen_require(`
type accountsd_t;
class dbus send_msg;
')
allow $1 accountsd_t:dbus send_msg;
allow accountsd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_dbus_chat'($*)) dnl
')
########################################
##
## Search accountsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_search_lib'($*)) dnl
gen_require(`
type accountsd_var_lib_t;
')
allow $1 accountsd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_search_lib'($*)) dnl
')
########################################
##
## Watch accountsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_watch_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_watch_lib'($*)) dnl
gen_require(`
type accountsd_var_lib_t;
')
files_search_var_lib($1)
watch_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_watch_lib'($*)) dnl
')
########################################
##
## Read accountsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_read_lib_files'($*)) dnl
gen_require(`
type accountsd_var_lib_t;
')
files_search_var_lib($1)
allow $1 accountsd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## accountsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_manage_lib_files'($*)) dnl
gen_require(`
type accountsd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an accountsd environment.
##
##
##
## Domain allowed to transition.
##
##
#
define(`accountsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_systemctl'($*)) dnl
gen_require(`
type accountsd_t;
type accountsd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 accountsd_unit_file_t:file read_file_perms;
allow $1 accountsd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, accountsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an accountsd environment
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_admin'($*)) dnl
gen_require(`
type accountsd_t;
type accountsd_unit_file_t;
')
allow $1 accountsd_t:process signal_perms;
ps_process_pattern($1, accountsd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 accountsd_t:process ptrace;
')
accountsd_manage_lib_files($1)
accountsd_systemctl($1)
admin_pattern($1, accountsd_unit_file_t)
allow $1 accountsd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_admin'($*)) dnl
')
## Berkeley process accounting.
########################################
##
## Transition to the accounting
## management domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`acct_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_domtrans'($*)) dnl
gen_require(`
type acct_t, acct_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, acct_exec_t, acct_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_domtrans'($*)) dnl
')
########################################
##
## Execute accounting management tools
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`acct_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_exec'($*)) dnl
gen_require(`
type acct_exec_t;
')
corecmd_search_bin($1)
can_exec($1, acct_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_exec'($*)) dnl
')
########################################
##
## Execute accounting management data
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`acct_exec_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_exec_data'($*)) dnl
gen_require(`
type acct_data_t;
')
files_search_var($1)
can_exec($1, acct_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_exec_data'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## process accounting data.
##
##
##
## Domain allowed access.
##
##
#
define(`acct_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_manage_data'($*)) dnl
gen_require(`
type acct_data_t;
')
files_search_var($1)
manage_files_pattern($1, acct_data_t, acct_data_t)
manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_manage_data'($*)) dnl
')
########################################
##
## Dontaudit Attempts to list acct_data directory
##
##
##
## Domain to not audit.
##
##
#
define(`acct_dontaudit_list_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_dontaudit_list_data'($*)) dnl
gen_require(`
type acct_data_t;
')
dontaudit $1 acct_data_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_dontaudit_list_data'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an acct environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`acct_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_admin'($*)) dnl
gen_require(`
type acct_t, acct_initrc_exec_t, acct_data_t;
')
allow $1 acct_t:process { signal_perms };
ps_process_pattern($1, acct_t)
tunable_policy(`deny_ptrace',`',`
allow $1 acct_t:process ptrace;
')
init_labeled_script_domtrans($1, acct_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, acct_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_admin'($*)) dnl
')
## Andrew Filesystem server.
########################################
##
## Execute a domain transition to run the
## afs client.
##
##
##
## Domain allowed to transition.
##
##
#
define(`afs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_domtrans'($*)) dnl
gen_require(`
type afs_t, afs_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, afs_exec_t, afs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_domtrans'($*)) dnl
')
########################################
##
## Read and write afs client UDP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`afs_rw_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_rw_udp_sockets'($*)) dnl
gen_require(`
type afs_t;
')
allow $1 afs_t:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_rw_udp_sockets'($*)) dnl
')
########################################
##
## Read AFS config data
##
##
##
## Domain allowed access.
##
##
#
define(`afs_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_read_config'($*)) dnl
gen_require(`
type afs_config_t;
')
read_files_pattern($1, afs_config_t, afs_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_read_config'($*)) dnl
')
########################################
##
## Read and write afs cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`afs_rw_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_rw_cache'($*)) dnl
gen_require(`
type afs_cache_t;
')
files_search_var($1)
allow $1 afs_cache_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_rw_cache'($*)) dnl
')
########################################
##
## Execute afs server in the afs domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`afs_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_initrc_domtrans'($*)) dnl
gen_require(`
type afs_initrc_exec_t;
')
init_labeled_script_domtrans($1, afs_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an afs environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`afs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_admin'($*)) dnl
gen_require(`
attribute afs_domain;
type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
type afs_ka_db_t, afs_vl_db_t, afs_config_t;
type afs_logfile_t, afs_cache_t, afs_files_t;
')
allow $1 afs_t:process signal_perms;
ps_process_pattern($1, afs_t)
tunable_policy(`deny_ptrace',`',`
allow $1 afs_t:process ptrace;
')
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 afs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, afs_config_t)
files_search_var($1)
admin_pattern($1, afs_cache_t)
files_search_var_lib($1)
admin_pattern($1, { afs_dbdir_t afs_pt_db_t afs_ka_db_t })
admin_pattern($1, afs_vl_db_t)
logging_search_logs($1)
admin_pattern($1, afs_logfile_t)
admin_pattern($1, afs_files_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_admin'($*)) dnl
')
## Automatic IPv6 Connectivity Client Utility.
########################################
##
## Execute a domain transition to run aiccu.
##
##
##
## Domain allowed to transition.
##
##
#
define(`aiccu_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_domtrans'($*)) dnl
gen_require(`
type aiccu_t, aiccu_exec_t;
')
domtrans_pattern($1, aiccu_exec_t, aiccu_t)
corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_domtrans'($*)) dnl
')
########################################
##
## Execute aiccu server in the aiccu domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`aiccu_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_initrc_domtrans'($*)) dnl
gen_require(`
type aiccu_initrc_exec_t;
')
init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_initrc_domtrans'($*)) dnl
')
########################################
##
## Read aiccu PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`aiccu_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_read_pid_files'($*)) dnl
gen_require(`
type aiccu_var_run_t;
')
allow $1 aiccu_var_run_t:file read_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an aiccu environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`aiccu_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_admin'($*)) dnl
gen_require(`
type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
type aiccu_var_run_t;
')
allow $1 aiccu_t:process signal_perms;
ps_process_pattern($1, aiccu_t)
tunable_policy(`deny_ptrace',`',`
allow $1 aiccu_t:process ptrace;
')
aiccu_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, aiccu_etc_t)
files_list_etc($1)
admin_pattern($1, aiccu_var_run_t)
files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_admin'($*)) dnl
')
## Aide filesystem integrity checker.
########################################
##
## Execute aide in the aide domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`aide_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aide_domtrans'($*)) dnl
gen_require(`
type aide_t, aide_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, aide_exec_t, aide_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aide_domtrans'($*)) dnl
')
########################################
##
## Execute aide programs in the AIDE
## domain and allow the specified role
## the AIDE domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`aide_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aide_run'($*)) dnl
gen_require(`
attribute_role aide_roles;
')
aide_domtrans($1)
roleattribute $2 aide_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aide_run'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an aide environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`aide_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aide_admin'($*)) dnl
gen_require(`
type aide_t, aide_db_t, aide_log_t;
')
allow $1 aide_t:process signal_perms;
ps_process_pattern($1, aide_t)
tunable_policy(`deny_ptrace',`',`
allow $1 aide_t:process ptrace;
')
aide_run($1, $2)
files_list_etc($1)
admin_pattern($1, aide_db_t)
logging_list_logs($1)
admin_pattern($1, aide_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aide_admin'($*)) dnl
')
## Aisexec Cluster Engine.
########################################
##
## Execute a domain transition to run aisexec.
##
##
##
## Domain allowed to transition.
##
##
#
define(`aisexec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexec_domtrans'($*)) dnl
gen_require(`
type aisexec_t, aisexec_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, aisexec_exec_t, aisexec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexec_domtrans'($*)) dnl
')
#####################################
##
## Connect to aisexec over a unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`aisexec_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexec_stream_connect'($*)) dnl
gen_require(`
type aisexec_t, aisexec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexec_stream_connect'($*)) dnl
')
#######################################
##
## Read aisexec log files content.
##
##
##
## Domain allowed access.
##
##
#
define(`aisexec_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexec_read_log'($*)) dnl
gen_require(`
type aisexec_var_log_t;
')
logging_search_logs($1)
list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexec_read_log'($*)) dnl
')
######################################
##
## All of the rules required to
## administrate an aisexec environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`aisexecd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexecd_admin'($*)) dnl
gen_require(`
type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
type aisexec_initrc_exec_t;
')
allow $1 aisexec_t:process signal_perms;
ps_process_pattern($1, aisexec_t)
tunable_policy(`deny_ptrace',`',`
allow $1 aisexec_t:process ptrace;
')
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
logging_list_logs($1)
admin_pattern($1, aisexec_var_log_t)
files_list_pids($1)
admin_pattern($1, aisexec_var_run_t)
files_list_tmp($1)
admin_pattern($1, aisexec_tmp_t)
admin_pattern($1, aisexec_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexecd_admin'($*)) dnl
')
## policy for ajaxterm
########################################
##
## Execute a domain transition to run ajaxterm.
##
##
##
## Domain allowed access.
##
##
#
define(`ajaxterm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_domtrans'($*)) dnl
gen_require(`
type ajaxterm_t, ajaxterm_exec_t;
')
domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_domtrans'($*)) dnl
')
########################################
##
## Execute ajaxterm server in the ajaxterm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ajaxterm_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_initrc_domtrans'($*)) dnl
gen_require(`
type ajaxterm_initrc_exec_t;
')
init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_initrc_domtrans'($*)) dnl
')
#######################################
##
## Read and write the ajaxterm pty type.
##
##
##
## Domain allowed access.
##
##
#
define(`ajaxterm_rw_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_rw_ptys'($*)) dnl
gen_require(`
type ajaxterm_devpts_t;
')
allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_rw_ptys'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ajaxterm environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ajaxterm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_admin'($*)) dnl
gen_require(`
type ajaxterm_t, ajaxterm_initrc_exec_t;
')
allow $1 ajaxterm_t:process signal_perms;
ps_process_pattern($1, ajaxterm_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ajaxterm_t:process ptrace;
')
ajaxterm_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ajaxterm_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_admin'($*)) dnl
')
## Advanced Linux Sound Architecture utilities.
########################################
##
## Role access for alsa.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`alsa_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_role'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_role'($*)) dnl
')
########################################
##
## Execute a domain transition to run Alsa.
##
##
##
## Domain allowed to transition.
##
##
#
define(`alsa_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_domtrans'($*)) dnl
gen_require(`
type alsa_t, alsa_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, alsa_exec_t, alsa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## Alsa, and allow the specified role
## the Alsa domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`alsa_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_run'($*)) dnl
gen_require(`
attribute_role alsa_roles;
')
alsa_domtrans($1)
roleattribute $2 alsa_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_run'($*)) dnl
')
########################################
##
## Read and write Alsa semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_rw_semaphores'($*)) dnl
gen_require(`
type alsa_t;
')
allow $1 alsa_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_rw_semaphores'($*)) dnl
')
########################################
##
## Read and write Alsa shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_rw_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_rw_shared_mem'($*)) dnl
gen_require(`
type alsa_t;
')
allow $1 alsa_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_rw_shared_mem'($*)) dnl
')
########################################
##
## Read writable Alsa configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_read_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_rw_config'($*)) dnl
gen_require(`
type alsa_etc_rw_t;
')
files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
ifdef(`distro_debian',`
files_search_usr($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_rw_config'($*)) dnl
')
########################################
##
## Manage writable Alsa config files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_manage_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_manage_rw_config'($*)) dnl
gen_require(`
type alsa_etc_rw_t;
')
files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
ifdef(`distro_debian',`
files_search_usr($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_manage_rw_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## alsa home files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_manage_home_files'($*)) dnl
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
alsa_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_manage_home_files'($*)) dnl
')
########################################
##
## Read Alsa home files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_home_files'($*)) dnl
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_home_files'($*)) dnl
')
########################################
##
## Relabel alsa home files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_relabel_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_relabel_home_files'($*)) dnl
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_relabel_home_files'($*)) dnl
')
########################################
##
## Read Alsa lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_lib'($*)) dnl
gen_require(`
type alsa_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_lib'($*)) dnl
')
########################################
##
## Transition to alsa named content
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_filetrans_home_content'($*)) dnl
gen_require(`
type alsa_home_t;
')
userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_filetrans_home_content'($*)) dnl
')
########################################
##
## Transition to alsa named content
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_filetrans_named_content'($*)) dnl
gen_require(`
type alsa_home_t;
type alsa_etc_rw_t;
type alsa_var_lib_t;
')
files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_filetrans_named_content'($*)) dnl
')
########################################
##
## Execute alsa server in the alsa domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`alsa_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_systemctl'($*)) dnl
gen_require(`
type alsa_t;
type alsa_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 alsa_unit_file_t:file read_file_perms;
allow $1 alsa_unit_file_t:service manage_service_perms;
ps_process_pattern($1, alsa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_systemctl'($*)) dnl
')
#########################################
##
## Write Alsa lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`alsa_write_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_write_lib'($*)) dnl
gen_require(`
type alsa_var_lib_t;
')
files_search_var_lib($1)
write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_write_lib'($*)) dnl
')
## Advanced Maryland Automatic Network Disk Archiver.
########################################
##
## Execute a domain transition to run
## Amanda recover.
##
##
##
## Domain allowed to transition.
##
##
#
define(`amanda_domtrans_recover',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_domtrans_recover'($*)) dnl
gen_require(`
type amanda_recover_t, amanda_recover_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_domtrans_recover'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## Amanda recover, and allow the specified
## role the Amanda recover domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`amanda_run_recover',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_run_recover'($*)) dnl
gen_require(`
attribute_role amanda_recover_roles;
')
amanda_domtrans_recover($1)
roleattribute $2 amanda_recover_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_run_recover'($*)) dnl
')
########################################
##
## Search Amanda library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`amanda_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_search_lib'($*)) dnl
gen_require(`
type amanda_usr_lib_t;
')
files_search_usr($1)
allow $1 amanda_usr_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_search_lib'($*)) dnl
')
########################################
##
## Do not audit attempts to read /etc/dumpdates.
##
##
##
## Domain to not audit.
##
##
#
define(`amanda_dontaudit_read_dumpdates',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_dontaudit_read_dumpdates'($*)) dnl
gen_require(`
type amanda_dumpdates_t;
')
dontaudit $1 amanda_dumpdates_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_dontaudit_read_dumpdates'($*)) dnl
')
########################################
##
## Read and write /etc/dumpdates.
##
##
##
## Domain allowed access.
##
##
#
define(`amanda_rw_dumpdates_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_rw_dumpdates_files'($*)) dnl
gen_require(`
type amanda_dumpdates_t;
')
files_search_etc($1)
allow $1 amanda_dumpdates_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_rw_dumpdates_files'($*)) dnl
')
########################################
##
## Search Amanda library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`amanda_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_manage_lib'($*)) dnl
gen_require(`
type amanda_usr_lib_t;
')
files_search_usr($1)
allow $1 amanda_usr_lib_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_manage_lib'($*)) dnl
')
########################################
##
## Read and append amanda log files.
##
##
##
## Domain allowed access.
##
##
#
define(`amanda_append_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_append_log_files'($*)) dnl
gen_require(`
type amanda_log_t;
')
logging_search_logs($1)
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_append_log_files'($*)) dnl
')
#######################################
##
## Search Amanda var library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`amanda_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_search_var_lib'($*)) dnl
gen_require(`
type amanda_var_lib_t;
')
files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_search_var_lib'($*)) dnl
')
## High-performance interface between an email server and content checkers.
########################################
##
## Execute a domain transition to run amavis.
##
##
##
## Domain allowed to transition.
##
##
#
define(`amavis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_domtrans'($*)) dnl
gen_require(`
type amavis_t, amavis_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amavis_exec_t, amavis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_domtrans'($*)) dnl
')
########################################
##
## Execute amavis server in the amavis domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`amavis_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_initrc_domtrans'($*)) dnl
gen_require(`
type amavis_initrc_exec_t;
')
init_labeled_script_domtrans($1, amavis_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_initrc_domtrans'($*)) dnl
')
########################################
##
## Read amavis spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_read_spool_files'($*)) dnl
gen_require(`
type amavis_spool_t;
')
files_search_spool($1)
read_files_pattern($1, amavis_spool_t, amavis_spool_t)
allow $1 amavis_spool_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_read_spool_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## amavis spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_manage_spool_files'($*)) dnl
gen_require(`
type amavis_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_manage_spool_files'($*)) dnl
')
########################################
##
## Create objects in the amavis spool directories
## with a private type.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`amavis_spool_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_spool_filetrans'($*)) dnl
gen_require(`
type amavis_spool_t;
')
files_search_spool($1)
filetrans_pattern($1, amavis_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_spool_filetrans'($*)) dnl
')
########################################
##
## Search amavis lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_search_lib'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
allow $1 amavis_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_search_lib'($*)) dnl
')
########################################
##
## Read amavis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_read_lib_files'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
allow $1 amavis_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_read_lib_files'($*)) dnl
')
########################################
##
## Read and write amavis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_rw_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_rw_lib_files'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
allow $1 amavis_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_rw_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## amavis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_manage_lib_files'($*)) dnl
gen_require(`
type amavis_var_lib_t;
')
manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_manage_lib_files'($*)) dnl
')
########################################
##
## Set attributes of amavis pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_setattr_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_setattr_pid_files'($*)) dnl
gen_require(`
type amavis_var_run_t;
')
allow $1 amavis_var_run_t:file setattr_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_setattr_pid_files'($*)) dnl
')
########################################
##
## Create amavis pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`amavis_create_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_create_pid_files'($*)) dnl
gen_require(`
type amavis_var_run_t;
')
allow $1 amavis_var_run_t:dir add_entry_dir_perms;
allow $1 amavis_var_run_t:file create_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_create_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an amavis environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`amavis_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_admin'($*)) dnl
gen_require(`
type amavis_t, amavis_tmp_t, amavis_var_log_t;
type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
')
allow $1 amavis_t:process signal_perms;
ps_process_pattern($1, amavis_t)
tunable_policy(`deny_ptrace',`',`
allow $1 amavis_t:process ptrace;
')
amavis_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, amavis_etc_t)
admin_pattern($1, amavis_quarantine_t)
files_list_spool($1)
admin_pattern($1, amavis_spool_t)
files_list_tmp($1)
admin_pattern($1, amavis_tmp_t)
files_list_var_lib($1)
admin_pattern($1, amavis_var_lib_t)
logging_list_logs($1)
admin_pattern($1, amavis_var_log_t)
files_list_pids($1)
admin_pattern($1, amavis_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_admin'($*)) dnl
')
## Abstract Machine Test Utility.
########################################
##
## Execute a domain transition to run Amtu.
##
##
##
## Domain allowed to transition.
##
##
#
define(`amtu_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amtu_domtrans'($*)) dnl
gen_require(`
type amtu_t, amtu_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amtu_exec_t, amtu_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amtu_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## Amtu, and allow the specified role
## the Amtu domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`amtu_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amtu_run'($*)) dnl
gen_require(`
attribute_role amtu_roles;
')
amtu_domtrans($1)
roleattribute $2 amtu_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amtu_run'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an amtu environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`amtu_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amtu_admin'($*)) dnl
gen_require(`
type amtu_t, amtu_initrc_exec_t;
')
allow $1 amtu_t:process { ptrace signal_perms };
ps_process_pattern($1, amtu_t)
init_labeled_script_domtrans($1, amtu_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 amtu_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amtu_admin'($*)) dnl
')
## Anaconda installer.
########################################
##
## Execute a domain transition to run install.
##
##
##
## Domain allowed to transition.
##
##
#
define(`anaconda_domtrans_install',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_domtrans_install'($*)) dnl
gen_require(`
type install_t, install_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, install_exec_t, install_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_domtrans_install'($*)) dnl
')
########################################
##
## Execute install in the install
## domain, and allow the specified
## role the install domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`anaconda_run_install',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_run_install'($*)) dnl
gen_require(`
type install_t;
type install_exec_t;
attribute_role install_roles;
')
anaconda_domtrans_install($1)
roleattribute $2 install_roles;
role_transition $2 install_exec_t system_r;
optional_policy(`
rpm_transition_script(install_t, $2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_run_install'($*)) dnl
')
########################################
##
## Execute preupgrade in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`anaconda_exec_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_exec_preupgrade'($*)) dnl
gen_require(`
type preupgrade_exec_t;
')
corecmd_search_bin($1)
can_exec($1, preupgrade_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_exec_preupgrade'($*)) dnl
')
########################################
##
## Execute a domain transition to run preupgrade.
##
##
##
## Domain allowed to transition.
##
##
#
define(`anaconda_domtrans_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_domtrans_preupgrade'($*)) dnl
gen_require(`
type preupgrade_t, preupgrade_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_domtrans_preupgrade'($*)) dnl
')
########################################
##
## Read preupgrade lib files
##
##
##
## Domain allowed access.
##
##
#
define(`anaconda_read_lib_files_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_read_lib_files_preupgrade'($*)) dnl
gen_require(`
type preupgrade_data_t;
')
read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_read_lib_files_preupgrade'($*)) dnl
')
########################################
##
## Manage preupgrade lib files
##
##
##
## Domain allowed access.
##
##
#
define(`anaconda_manage_lib_files_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_manage_lib_files_preupgrade'($*)) dnl
gen_require(`
type preupgrade_data_t;
')
manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_manage_lib_files_preupgrade'($*)) dnl
')
## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan
######################################
##
## Creates types and rules for a basic
## antivirus domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`antivirus_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_domain_template'($*)) dnl
gen_require(`
attribute antivirus_domain;
')
typeattribute $1 antivirus_domain;
kernel_read_system_state($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_domain_template'($*)) dnl
')
#######################################
##
## Execute a domain transition to run antivirus program.
##
##
##
## Domain allowed to transition.
##
##
#
define(`antivirus_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_domtrans'($*)) dnl
gen_require(`
type antivirus_t, antivirus_exec_t;
')
domtrans_pattern($1, antivirus_exec_t, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_domtrans'($*)) dnl
')
#######################################
##
## Execute antivirus program without a transition.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_exec'($*)) dnl
gen_require(`
type antivirus_exec_t;
')
can_exec($1, antivirus_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_exec'($*)) dnl
')
#######################################
##
## Connect to run antivirus program.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_stream_connect'($*)) dnl
gen_require(`
type antivirus_t, antivirus_db_t, antivirus_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_stream_connect'($*)) dnl
')
#######################################
##
## Allow the specified domain to append
## to antivirus log files.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_append_log'($*)) dnl
gen_require(`
type antivirus_log_t;
')
logging_search_logs($1)
allow $1 antivirus_log_t:dir list_dir_perms;
append_files_pattern($1, antivirus_log_t, antivirus_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_append_log'($*)) dnl
')
#######################################
##
## Read antivirus configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_read_config'($*)) dnl
gen_require(`
type antivirus_conf_t;
')
files_search_etc($1)
allow $1 antivirus_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_read_config'($*)) dnl
')
#######################################
##
## Search antivirus db content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_search_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_search_db'($*)) dnl
gen_require(`
type antivirus_db_t;
')
files_search_var_lib($1)
files_search_spool($1)
allow $1 antivirus_db_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_search_db'($*)) dnl
')
######################################
##
## Read antivirus db content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_read_db'($*)) dnl
gen_require(`
type antivirus_db_t;
')
files_search_var_lib($1)
files_search_spool($1)
read_files_pattern($1, antivirus_db_t, antivirus_db_t)
read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_read_db'($*)) dnl
')
#####################################
##
## Read and write antivirus db content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_rw_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_rw_db'($*)) dnl
gen_require(`
type antivirus_db_t;
')
files_search_var_lib($1)
files_search_spool($1)
write_files_pattern($1, antivirus_db_t, antivirus_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_rw_db'($*)) dnl
')
####################################
##
## Manage antivirus db content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_manage_db'($*)) dnl
gen_require(`
type antivirus_db_t;
')
files_search_var_lib($1)
files_search_spool($1)
manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_manage_db'($*)) dnl
')
#######################################
##
## Manage antivirus pid content.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_manage_pid'($*)) dnl
gen_require(`
type antivirus_var_run_t;
')
manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_manage_pid'($*)) dnl
')
######################################
##
## Read antivirus state files.
##
##
##
## Domain allowed access.
##
##
#
define(`antivirus_read_state_clamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_read_state_clamd'($*)) dnl
gen_require(`
type antivirus_t;
')
kernel_search_proc($1)
ps_process_pattern($1, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_read_state_clamd'($*)) dnl
')
######################################
##
## Execute antivirus server in the antivirus domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`antivirus_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_systemctl'($*)) dnl
gen_require(`
type antivirus_t;
type antivirus_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 antivirus_unit_file_t:file read_file_perms;
allow $1 antivirus_unit_file_t:service manage_service_perms;
ps_process_pattern($1, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_systemctl'($*)) dnl
')
#######################################
##
## All of the rules required to administrate
## an antivirus programs environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the clamav domain.
##
##
##
#
define(`antivirus_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_admin'($*)) dnl
gen_require(`
attribute antivirus_domain;
type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
type antivirus_initrc_exec_t, antivirus_unit_file_t;
')
allow $1 antivirus_t:process signal_perms;
ps_process_pattern($1, antivirus_t)
tunable_policy(`deny_ptrace',`',`
allow $1 antivirus_t:process ptrace;
')
init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 antivirus_initrc_exec_t system_r;
allow $2 system_r;
antivirus_systemctl($1)
admin_pattern($1, antivirus_unit_file_t)
allow $1 antivirus_unit_file_t:service all_service_perms;
files_list_etc($1)
admin_pattern($1, antivirus_conf_t)
files_list_var_lib($1)
admin_pattern($1, antivirus_db_t)
logging_list_logs($1)
admin_pattern($1, antivirus_log_t)
files_list_pids($1)
admin_pattern($1, antivirus_var_run_t)
files_list_tmp($1)
admin_pattern($1, antivirus_tmp_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_admin'($*)) dnl
')
## Apache web server
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
define(`apache_user_content_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_user_content_template'($*)) dnl
gen_require(`
attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t;
attribute httpd_script_type, httpd_user_content_type;
')
#This type is for webpages
type $1_content_t; # customizable;
typeattribute $1_content_t httpd_user_content_type;
typealias $1_content_t alias { httpd_$1_content_t httpd_$1_script_ro_t };
files_type($1_content_t)
# This type is used for .htaccess files
type $1_htaccess_t, httpd_content_type; # customizable;
typeattribute $1_htaccess_t httpd_user_content_type;
typealias $1_htaccess_t alias {httpd_$1_htaccess_t };
files_type($1_htaccess_t)
# Type that CGI scripts run as
type $1_script_t, httpd_script_type;
typealias $1_script_t alias { httpd_$1_script_t };
domain_type($1_script_t)
role system_r types $1_script_t;
kernel_read_system_state($1_script_t)
# This type is used for executable scripts files
type $1_script_exec_t, httpd_script_exec_type; # customizable;
typeattribute $1_script_exec_t httpd_user_content_type;
typealias $1_script_exec_t alias { httpd_$1_script_exec_t };
domain_entry_file($1_script_t, $1_script_exec_t)
type $1_rw_content_t; # customizable
typeattribute $1_rw_content_t httpd_user_content_type;
typealias $1_rw_content_t alias { httpd_$1_rw_content_t $1_script_rw_t $1_content_rw_t };
files_type($1_rw_content_t)
type $1_ra_content_t, httpd_content_type; # customizable
typeattribute $1_ra_content_t httpd_user_content_type;
typealias $1_ra_content_t alias { httpd_$1_ra_content_t $1_script_ra_t $1_content_ra_t };
files_type($1_ra_content_t)
# Allow the script process to search the cgi directory, and users directory
allow $1_script_t $1_content_t:dir search_dir_perms;
can_exec($1_script_t, $1_script_exec_t)
allow $1_script_t $1_script_exec_t:dir list_dir_perms;
allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
allow $1_script_t $1_content_t:dir list_dir_perms;
read_files_pattern($1_script_t, $1_content_t, $1_content_t)
read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
allow $1_script_t $1_rw_content_t:file map;
allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow $1_script_t $1_script_exec_t:file entrypoint;
domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
# apache runs the script:
domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
allow httpd_t $1_script_t:unix_dgram_socket sendto;
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_user_content_template'($*)) dnl
')
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
define(`apache_content_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_content_template'($*)) dnl
gen_require(`
attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t;
attribute httpd_script_type, httpd_content_type;
')
#This type is for webpages
type $1_content_t; # customizable;
typeattribute $1_content_t httpd_content_type;
typealias $1_content_t alias httpd_$1_script_ro_t;
files_type($1_content_t)
# This type is used for .htaccess files
type $1_htaccess_t, httpd_content_type; # customizable;
typeattribute $1_htaccess_t httpd_content_type;
files_type($1_htaccess_t)
# Type that CGI scripts run as
type $1_script_t, httpd_script_type;
typealias $1_script_t alias { httpd_$1_script_t };
domain_type($1_script_t)
role system_r types $1_script_t;
kernel_read_system_state($1_script_t)
# This type is used for executable scripts files
type $1_script_exec_t, httpd_script_exec_type; # customizable;
typeattribute $1_script_exec_t httpd_content_type;
domain_entry_file($1_script_t, $1_script_exec_t)
type $1_rw_content_t; # customizable
typeattribute $1_rw_content_t httpd_content_type;
typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
files_type($1_rw_content_t)
type $1_ra_content_t, httpd_content_type; # customizable
typeattribute $1_ra_content_t httpd_content_type;
typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
files_type($1_ra_content_t)
# Allow the script process to search the cgi directory, and users directory
allow $1_script_t $1_content_t:dir search_dir_perms;
can_exec($1_script_t, $1_script_exec_t)
allow $1_script_t $1_script_exec_t:dir list_dir_perms;
allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
allow $1_script_t $1_content_t:dir list_dir_perms;
read_files_pattern($1_script_t, $1_content_t, $1_content_t)
read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow $1_script_t $1_script_exec_t:file entrypoint;
domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
# apache runs the script:
domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
allow httpd_t $1_script_t:unix_dgram_socket sendto;
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_content_template'($*)) dnl
')
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving new type names.
##
##
##
##
## The prefix to be used for deriving old type names.
##
##
#
define(`apache_content_alias_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_content_alias_template'($*)) dnl
typealias $1_htaccess_t alias httpd_$2_htaccess_t;
#typealias $1_script_t alias httpd_$2_script_t;
typealias $1_script_exec_t alias httpd_$2_script_exec_t;
typealias $1_content_t alias httpd_$2_content_t;
typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
typealias $1_ra_content_t alias httpd_$2_script_ra_content_t;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_content_alias_template'($*)) dnl
')
########################################
##
## Role access for apache
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`apache_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_role'($*)) dnl
gen_require(`
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
')
role $1 types httpd_user_script_t;
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
apache_exec_modules($2)
apache_filetrans_home_content($2)
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($2, httpdcontent, httpd_user_script_t)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_role'($*)) dnl
')
########################################
##
## Read httpd user scripts executables.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_user_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_user_scripts'($*)) dnl
gen_require(`
type httpd_user_script_exec_t;
')
allow $1 httpd_user_script_exec_t:dir list_dir_perms;
read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_user_scripts'($*)) dnl
')
########################################
##
## Read user web content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_user_content'($*)) dnl
gen_require(`
type httpd_user_content_t;
')
allow $1 httpd_user_content_t:dir list_dir_perms;
read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_user_content'($*)) dnl
')
########################################
##
## Manage user web content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_user_content'($*)) dnl
gen_require(`
type httpd_user_content_t;
')
allow $1 httpd_user_content_t:dir manage_dir_perms;
manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_user_content'($*)) dnl
')
########################################
##
## Transition to apache.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apache_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans'($*)) dnl
gen_require(`
type httpd_t, httpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, httpd_exec_t, httpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans'($*)) dnl
')
######################################
##
## Allow the specified domain to execute apache
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec'($*)) dnl
gen_require(`
type httpd_exec_t;
')
can_exec($1, httpd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec'($*)) dnl
')
######################################
##
## Allow the specified domain to execute apache suexec
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_exec_suexec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_suexec'($*)) dnl
gen_require(`
type httpd_suexec_exec_t;
')
can_exec($1, httpd_suexec_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_suexec'($*)) dnl
')
#######################################
##
## Send a generic signal to apache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_signal'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_signal'($*)) dnl
')
########################################
##
## Send a null signal to apache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_signull'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_signull'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to apache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_sigchld'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_sigchld'($*)) dnl
')
########################################
##
## Allow the domain to read apache state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_state'($*)) dnl
gen_require(`
type httpd_t;
')
kernel_search_proc($1)
ps_process_pattern($1, httpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_state'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from Apache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_use_fds'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_fifo_file'($*)) dnl
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_fifo_file'($*)) dnl
')
########################################
##
## Allow attempts to read and write Apache
## unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_rw_stream_sockets'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type httpd_t;
')
dontaudit $1 httpd_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete all web content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_manage_all_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_all_content'($*)) dnl
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
')
manage_dirs_pattern($1, httpdcontent, httpdcontent)
manage_files_pattern($1, httpdcontent, httpdcontent)
manage_lnk_files_pattern($1, httpdcontent, httpdcontent)
manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_all_content'($*)) dnl
')
########################################
##
## Allow domain to set the attributes
## of the APACHE cache directory.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_setattr_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_setattr_cache_dirs'($*)) dnl
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_setattr_cache_dirs'($*)) dnl
')
########################################
##
## Allow the specified domain to list
## Apache cache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_list_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_list_cache'($*)) dnl
gen_require(`
type httpd_cache_t;
')
list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_list_cache'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## and write Apache cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_rw_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_rw_cache_files'($*)) dnl
gen_require(`
type httpd_cache_t;
')
allow $1 httpd_cache_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_rw_cache_files'($*)) dnl
')
########################################
##
## Allow the specified domain to delete
## Apache cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_delete_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_cache_dirs'($*)) dnl
gen_require(`
type httpd_cache_t;
')
delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_cache_dirs'($*)) dnl
')
########################################
##
## Allow the specified domain to delete
## Apache cache.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_delete_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_cache_files'($*)) dnl
gen_require(`
type httpd_cache_t;
')
delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_cache_files'($*)) dnl
')
########################################
##
## Allow the specified domain to search
## apache configuration dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_config'($*)) dnl
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_config'($*)) dnl
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
allow $1 httpd_config_t:dir list_dir_perms;
read_files_pattern($1, httpd_config_t, httpd_config_t)
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_config'($*)) dnl
gen_require(`
type httpd_config_t;
')
files_search_etc($1)
manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
manage_files_pattern($1, httpd_config_t, httpd_config_t)
read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_config'($*)) dnl
')
########################################
##
## Execute the Apache helper program with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_helper'($*)) dnl
gen_require(`
type httpd_helper_t, httpd_helper_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_helper'($*)) dnl
')
########################################
##
## Execute the Apache helper program with
## a domain transition, and allow the
## specified role the Apache helper domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`apache_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_run_helper'($*)) dnl
gen_require(`
type httpd_helper_t;
')
apache_domtrans_helper($1)
role $2 types httpd_helper_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_run_helper'($*)) dnl
')
########################################
##
## dontaudit attempts to read
## apache log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_dontaudit_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_read_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
dontaudit $1 httpd_log_t:file read_file_perms;
dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir list_dir_perms;
read_files_pattern($1, httpd_log_t, httpd_log_t)
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## to apache log files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_append_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
allow $1 httpd_log_t:dir list_dir_perms;
append_files_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_append_log'($*)) dnl
')
########################################
##
## Allow the specified domain to create
# apache's log directories.
##
##
##
## Domain allowed access
##
##
#
define(`apache_create_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_create_log_dirs'($*)) dnl
gen_require(`
type httpd_log_t;
')
create_dirs_pattern($1, httpd_log_t, httpd_log_t)
logging_search_logs($1)
setattr_dirs_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_create_log_dirs'($*)) dnl
')
#######################################
##
## Allow the specified domain to write
## to apache log files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_write_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
allow $1 httpd_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_write_log'($*)) dnl
')
########################################
##
## Do not audit attempts to append to the
## Apache logs.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_append_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
dontaudit $1 httpd_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_append_log'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## to apache var lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_lib'($*)) dnl
gen_require(`
type httpd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_lib'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## to apache log files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_log'($*)) dnl
gen_require(`
type httpd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
manage_files_pattern($1, httpd_log_t, httpd_log_t)
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_log'($*)) dnl
')
########################################
##
## Do not audit attempts to search Apache
## module directories.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_search_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_search_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
dontaudit $1 httpd_modules_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_search_modules'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## the apache module directories.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
read_files_pattern($1, httpd_modules_t, httpd_modules_t)
allow $1 httpd_modules_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_modules'($*)) dnl
')
########################################
##
## Allow the specified domain to list
## the contents of the apache modules
## directory.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_list_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_list_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_list_modules'($*)) dnl
')
########################################
##
## Allow the specified domain to execute
## apache modules.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_exec_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_modules'($*)) dnl
gen_require(`
type httpd_modules_t;
')
allow $1 httpd_modules_t:dir list_dir_perms;
allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
can_exec($1, httpd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_modules'($*)) dnl
')
########################################
##
## Execute a domain transition to run httpd_rotatelogs.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apache_domtrans_rotatelogs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_rotatelogs'($*)) dnl
gen_require(`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_rotatelogs'($*)) dnl
')
#######################################
##
## Execute httpd_rotatelogs in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apache_exec_rotatelogs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_rotatelogs'($*)) dnl
gen_require(`
type httpd_rotatelogs_exec_t;
')
can_exec($1, httpd_rotatelogs_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_rotatelogs'($*)) dnl
')
#######################################
##
## Execute httpd system scripts in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apache_exec_sys_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_sys_script'($*)) dnl
gen_require(`
type httpd_sys_script_exec_t;
')
allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
can_exec($1, httpd_sys_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_sys_script'($*)) dnl
')
########################################
##
## Allow the specified domain to list
## apache system content files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_list_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_list_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_list_sys_content'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## apache system content files.
##
##
##
## Domain allowed access.
##
##
##
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
define(`apache_manage_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
files_search_var($1)
manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_sys_content'($*)) dnl
')
######################################
##
## Allow the specified domain to read
## apache system content rw files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_read_sys_content_rw_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content_rw_files'($*)) dnl
gen_require(`
type httpd_sys_rw_content_t;
')
read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content_rw_files'($*)) dnl
')
######################################
##
## Allow the specified domain to read
## apache system content rw dirs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_read_sys_content_rw_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content_rw_dirs'($*)) dnl
gen_require(`
type httpd_sys_rw_content_t;
')
list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content_rw_dirs'($*)) dnl
')
######################################
##
## Allow the specified domain to manage
## apache system content rw files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_manage_sys_content_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_sys_content_rw'($*)) dnl
gen_require(`
type httpd_sys_rw_content_t;
')
files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_sys_content_rw'($*)) dnl
')
########################################
##
## Allow the specified domain to delete
## apache system content rw files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_delete_sys_content_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_sys_content_rw'($*)) dnl
gen_require(`
type httpd_sys_rw_content_t;
')
files_search_tmp($1)
delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_sys_content_rw'($*)) dnl
')
########################################
##
## Execute all web scripts in the system
## script domain.
##
##
##
## Domain allowed to transition.
##
##
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
define(`apache_domtrans_sys_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_sys_script'($*)) dnl
gen_require(`
attribute httpdcontent;
type httpd_sys_script_exec_t;
type httpd_sys_script_t, httpd_sys_content_t;
')
tunable_policy(`httpd_enable_cgi',`
domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_sys_script'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write Apache
## system script unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_rw_sys_script_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl
gen_require(`
type httpd_sys_script_t;
')
dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl
')
########################################
##
## Execute all user scripts in the user
## script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apache_domtrans_all_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_all_scripts'($*)) dnl
gen_require(`
attribute httpd_exec_scripts;
')
typeattribute $1 httpd_exec_scripts;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_all_scripts'($*)) dnl
')
########################################
##
## Execute all user scripts in the user
## script domain. Add user script domains
## to the specified role.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`apache_run_all_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_run_all_scripts'($*)) dnl
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
')
role $2 types httpd_script_domains;
apache_domtrans_all_scripts($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_run_all_scripts'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache squirrelmail data.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_squirrelmail_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_squirrelmail_data'($*)) dnl
gen_require(`
type httpd_squirrelmail_t;
')
read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_squirrelmail_data'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## apache squirrelmail data.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_append_squirrelmail_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_append_squirrelmail_data'($*)) dnl
gen_require(`
type httpd_squirrelmail_t;
')
allow $1 httpd_squirrelmail_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_append_squirrelmail_data'($*)) dnl
')
########################################
##
## Search apache system content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_content'($*)) dnl
')
########################################
##
## Read apache system content.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content'($*)) dnl
gen_require(`
type httpd_sys_content_t;
')
allow $1 httpd_sys_content_t:dir list_dir_perms;
read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content'($*)) dnl
')
########################################
##
## Search apache system CGI directories.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_sys_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_scripts'($*)) dnl
gen_require(`
type httpd_sys_content_t, httpd_sys_script_exec_t;
')
search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_scripts'($*)) dnl
')
########################################
##
## Create, read, write, and delete all user web content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_manage_all_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_all_user_content'($*)) dnl
gen_require(`
attribute httpd_user_content_type, httpd_user_script_exec_type;
')
manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_all_user_content'($*)) dnl
')
########################################
##
## Search system script state directory.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_search_sys_script_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_script_state'($*)) dnl
gen_require(`
type httpd_sys_script_t;
')
allow $1 httpd_sys_script_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_script_state'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_tmp_dirs'($*)) dnl
gen_require(`
type httpd_tmp_t;
')
files_search_tmp($1)
list_dirs_pattern($1, httpd_tmp_t, httpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_tmp_dirs'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_tmp_files'($*)) dnl
gen_require(`
type httpd_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_tmp_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## apache tmp lnk files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_tmp_symlinks'($*)) dnl
gen_require(`
type httpd_tmp_t;
')
files_search_tmp($1)
read_lnk_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_tmp_symlinks'($*)) dnl
')
######################################
##
## Dontaudit attempts to read and write
## apache tmp files.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_tmp_files'($*)) dnl
gen_require(`
type httpd_tmp_t;
')
dontaudit $1 httpd_tmp_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_tmp_files'($*)) dnl
')
########################################
##
## Dontaudit attempts to write
## apache tmp files.
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_write_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_write_tmp_files'($*)) dnl
gen_require(`
type httpd_tmp_t;
')
dontaudit $1 httpd_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_write_tmp_files'($*)) dnl
')
########################################
##
## Execute CGI in the specified domain.
##
##
##
## Execute CGI in the specified domain.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain run the cgi script in.
##
##
##
##
## Type of the executable to enter the cgi domain.
##
##
#
define(`apache_cgi_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_cgi_domain'($*)) dnl
gen_require(`
type httpd_t, httpd_sys_script_exec_t;
')
domtrans_pattern(httpd_t, $2, $1)
apache_search_sys_scripts($1)
allow httpd_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_cgi_domain'($*)) dnl
')
########################################
##
## Execute httpd server in the httpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apache_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_systemctl'($*)) dnl
gen_require(`
type httpd_t;
type httpd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 httpd_unit_file_t:file read_file_perms;
allow $1 httpd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, httpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate an apache environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`apache_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_admin'($*)) dnl
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
type httpd_t, httpd_config_t, httpd_log_t;
type httpd_modules_t, httpd_lock_t, httpd_bool_t;
type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
type httpd_unit_file_t;
')
allow $1 httpd_t:process signal_perms;
ps_process_pattern($1, httpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 httpd_t:process ptrace;
')
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 httpd_initrc_exec_t system_r;
allow $2 system_r;
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
files_list_etc($1)
admin_pattern($1, httpd_config_t)
logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
admin_pattern($1, httpd_lock_t)
files_lock_filetrans($1, httpd_lock_t, file)
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
admin_pattern($1, httpdcontent)
admin_pattern($1, httpd_script_exec_type)
seutil_domtrans_setfiles($1)
files_list_tmp($1)
admin_pattern($1, httpd_tmp_t)
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
apache_systemctl($1)
admin_pattern($1, httpd_unit_file_t)
allow $1 httpd_unit_file_t:service all_service_perms;
apache_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_admin'($*)) dnl
')
########################################
##
## dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`apache_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_leaks'($*)) dnl
gen_require(`
type httpd_t;
type httpd_tmp_t;
')
dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 httpd_t:tcp_socket { read write };
dontaudit $1 httpd_t:unix_dgram_socket { read write };
dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
dontaudit $1 httpd_tmp_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_leaks'($*)) dnl
')
########################################
##
## Transition to apache named content
##
##
##
## Domain allowed access.
##
##
#
define(`apache_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_filetrans_named_content'($*)) dnl
gen_require(`
type httpd_sys_content_t, httpd_sys_rw_content_t;
type httpd_tmp_t;
')
apache_filetrans_home_content($1)
files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_filetrans_named_content'($*)) dnl
')
########################################
##
## Allow any httpd_exec_t to be an entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`apache_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_entrypoint'($*)) dnl
gen_require(`
type httpd_exec_t;
')
allow $1 httpd_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_entrypoint'($*)) dnl
')
########################################
##
## Execute a httpd_exec_t in the specified domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`apache_exec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_domtrans'($*)) dnl
gen_require(`
type httpd_exec_t;
')
domtrans_pattern($1, httpd_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_domtrans'($*)) dnl
')
########################################
##
## Transition to apache home content
##
##
##
## Domain allowed access.
##
##
#
define(`apache_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_filetrans_home_content'($*)) dnl
gen_require(`
type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
type httpd_user_content_ra_t;
')
userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_filetrans_home_content'($*)) dnl
')
########################################
##
## Read apache pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_pid_files'($*)) dnl
gen_require(`
type httpd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_pid_files'($*)) dnl
')
########################################
##
## Manage apache pid objects.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_pid_files'($*)) dnl
gen_require(`
type httpd_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, httpd_var_run_t, httpd_var_run_t)
manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_pid_files'($*)) dnl
')
########################################
##
## Send and receive messages from
## httpd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dbus_chat'($*)) dnl
gen_require(`
type httpd_t;
class dbus send_msg;
')
allow $1 httpd_t:dbus send_msg;
allow httpd_t $1:dbus send_msg;
ps_process_pattern(httpd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dbus_chat'($*)) dnl
')
########################################
##
## Delete the httpd tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_delete_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_tmp'($*)) dnl
gen_require(`
type httpd_tmp_t;
')
allow $1 httpd_tmp_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_tmp'($*)) dnl
')
########################################
##
## Allow httpd noatsecure
##
##
##
## Domain allowed access.
##
##
#
define(`apache_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_noatsecure'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:process { noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_noatsecure'($*)) dnl
')
#######################################
##
## Allow the specified domain to ioctl an
## httpd with a unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`apache_ioctl_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_ioctl_stream_sockets'($*)) dnl
gen_require(`
type httpd_t;
')
allow $1 httpd_t:unix_stream_socket ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_ioctl_stream_sockets'($*)) dnl
')
## APC UPS monitoring daemon.
########################################
##
## Execute a domain transition to
## run apcupsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apcupsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_domtrans'($*)) dnl
gen_require(`
type apcupsd_t, apcupsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_domtrans'($*)) dnl
')
########################################
##
## Execute apcupsd server in the
## apcupsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apcupsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_initrc_domtrans'($*)) dnl
gen_require(`
type apcupsd_initrc_exec_t;
')
init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read apcupsd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`apcupsd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_read_pid_files'($*)) dnl
gen_require(`
type apcupsd_var_run_t;
')
files_search_pids($1)
allow $1 apcupsd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_read_pid_files'($*)) dnl
')
########################################
##
## Read apcupsd power files.
##
##
##
## Domain allowed access.
##
##
#
define(`apcupsd_read_power_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_read_power_files'($*)) dnl
gen_require(`
type apcupsd_power_t;
')
allow $1 apcupsd_power_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_read_power_files'($*)) dnl
')
########################################
##
## Read apcupsd log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`apcupsd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_read_log'($*)) dnl
gen_require(`
type apcupsd_log_t;
')
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_read_log'($*)) dnl
')
########################################
##
## Append apcupsd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`apcupsd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_append_log'($*)) dnl
gen_require(`
type apcupsd_log_t;
')
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_append_log'($*)) dnl
')
########################################
##
## Execute a domain transition to
## run apcupsd_cgi_script.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apcupsd_cgi_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_cgi_script_domtrans'($*)) dnl
gen_require(`
type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
')
files_search_var($1)
domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)
optional_policy(`
apache_search_sys_content($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_cgi_script_domtrans'($*)) dnl
')
########################################
##
## Execute apcupsd server in the apcupsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apcupsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_systemctl'($*)) dnl
gen_require(`
type apcupsd_t;
type apcupsd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 apcupsd_unit_file_t:file read_file_perms;
allow $1 apcupsd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, apcupsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_systemctl'($*)) dnl
')
########################################
##
## Create configuration files in /var/lock
## with a named file type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`apcupsd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_filetrans_named_content'($*)) dnl
gen_require(`
type apcupsd_lock_t;
')
files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an apcupsd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`apcupsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apcupsd_admin'($*)) dnl
gen_require(`
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
type apcupsd_unit_file_t;
type apcupsd_power_t;
')
allow $1 apcupsd_t:process signal_perms;
ps_process_pattern($1, apcupsd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 apcupsd_t:process ptrace;
')
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
allow $2 system_r;
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
logging_list_logs($1)
admin_pattern($1, apcupsd_log_t)
files_list_tmp($1)
admin_pattern($1, apcupsd_tmp_t)
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
apcupsd_systemctl($1)
admin_pattern($1, apcupsd_unit_file_t)
allow $1 apcupsd_unit_file_t:service all_service_perms;
manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apcupsd_admin'($*)) dnl
')
## Advanced power management.
########################################
##
## Execute apm in the apm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apm_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_domtrans_client'($*)) dnl
gen_require(`
type apm_t, apm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, apm_exec_t, apm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_domtrans_client'($*)) dnl
')
########################################
##
## Execute apm in the apm domain
## and allow the specified role
## the apm domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`apm_run_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_run_client'($*)) dnl
gen_require(`
attribute_role apm_roles;
')
apm_domtrans_client($1)
roleattribute $2 apm_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_run_client'($*)) dnl
')
########################################
##
## Use apmd file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_use_fds'($*)) dnl
gen_require(`
type apmd_t;
')
allow $1 apmd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_use_fds'($*)) dnl
')
########################################
##
## Write apmd unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_write_pipes'($*)) dnl
gen_require(`
type apmd_t;
')
allow $1 apmd_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_write_pipes'($*)) dnl
')
########################################
##
## Read and write to apmd unix
## stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_rw_stream_sockets'($*)) dnl
gen_require(`
type apmd_t;
')
allow $1 apmd_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_rw_stream_sockets'($*)) dnl
')
########################################
##
## Append apmd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_append_log'($*)) dnl
gen_require(`
type apmd_log_t;
')
logging_search_logs($1)
allow $1 apmd_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_append_log'($*)) dnl
')
########################################
##
## Connect to apmd over an unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`apm_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_stream_connect'($*)) dnl
gen_require(`
type apmd_t, apmd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_stream_connect'($*)) dnl
')
########################################
##
## Execute apmd server in the apmd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apmd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apmd_systemctl'($*)) dnl
gen_require(`
type apmd_t;
type apmd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 apmd_unit_file_t:file read_file_perms;
allow $1 apmd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, apmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apmd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an apm environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`apm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apm_admin'($*)) dnl
gen_require(`
type apmd_t, apmd_initrc_exec_t, apmd_log_t;
type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
type apmd_tmp_t;
')
allow $1 apmd_t:process { signal_perms };
ps_process_pattern($1, apmd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 apmd_t:process ptrace;
')
init_labeled_script_domtrans($1, apmd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, apmd_log_t)
files_search_locks($1)
admin_pattern($1, apmd_lock_t)
files_search_pids($1)
admin_pattern($1, apmd_var_run_t)
files_search_var_lib($1)
admin_pattern($1, apmd_var_lib_t)
files_search_tmp($1)
admin_pattern($1, apmd_tmp_t)
apm_run_client($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apm_admin'($*)) dnl
')
## Advanced package tool.
########################################
##
## Execute apt programs in the apt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`apt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_domtrans'($*)) dnl
gen_require(`
type apt_t, apt_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, apt_exec_t, apt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_domtrans'($*)) dnl
')
########################################
##
## Execute the apt in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_exec'($*)) dnl
gen_require(`
type apt_exec_t;
')
corecmd_search_bin($1)
can_exec($1, apt_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_exec'($*)) dnl
')
########################################
##
## Execute apt programs in the apt domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`apt_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_run'($*)) dnl
gen_require(`
attribute_role apt_roles;
')
apt_domtrans($1)
roleattribute $2 apt_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_run'($*)) dnl
')
########################################
##
## Use apt file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_use_fds'($*)) dnl
gen_require(`
type apt_t;
')
allow $1 apt_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## apt file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`apt_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_dontaudit_use_fds'($*)) dnl
gen_require(`
type apt_t;
')
dontaudit $1 apt_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Read apt unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_read_pipes'($*)) dnl
gen_require(`
type apt_t;
')
allow $1 apt_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_read_pipes'($*)) dnl
')
########################################
##
## Read and write apt unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_rw_pipes'($*)) dnl
gen_require(`
type apt_t;
')
allow $1 apt_t:fifo_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_rw_pipes'($*)) dnl
')
########################################
##
## Read and write apt ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_use_ptys'($*)) dnl
gen_require(`
type apt_devpts_t;
')
allow $1 apt_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_use_ptys'($*)) dnl
')
########################################
##
## Read apt package cache content.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_read_cache'($*)) dnl
gen_require(`
type apt_var_cache_t;
')
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
allow $1 apt_var_cache_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_read_cache'($*)) dnl
')
########################################
##
## Read apt package database content.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_read_db'($*)) dnl
gen_require(`
type apt_var_lib_t;
')
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir list_dir_perms;
read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_read_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## apt package database content.
##
##
##
## Domain allowed access.
##
##
#
define(`apt_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_manage_db'($*)) dnl
gen_require(`
type apt_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_manage_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete apt
## package database content.
##
##
##
## Domain to not audit.
##
##
#
define(`apt_dontaudit_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apt_dontaudit_manage_db'($*)) dnl
gen_require(`
type apt_var_lib_t;
')
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file manage_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apt_dontaudit_manage_db'($*)) dnl
')
## Ethernet activity monitor.
########################################
##
## Execute arpwatch server in the
## arpwatch domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`arpwatch_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_initrc_domtrans'($*)) dnl
gen_require(`
type arpwatch_initrc_exec_t;
')
init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_initrc_domtrans'($*)) dnl
')
########################################
##
## Search arpwatch data file directories.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_search_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_search_data'($*)) dnl
gen_require(`
type arpwatch_data_t;
')
files_search_var_lib($1)
allow $1 arpwatch_data_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_search_data'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## arpwatch data files.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_manage_data_files'($*)) dnl
gen_require(`
type arpwatch_data_t;
')
files_search_var_lib($1)
manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_manage_data_files'($*)) dnl
')
########################################
##
## Read and write arpwatch temporary
## files.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_rw_tmp_files'($*)) dnl
gen_require(`
type arpwatch_tmp_t;
')
files_search_tmp($1)
allow $1 arpwatch_tmp_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_rw_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## arpwatch temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`arpwatch_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_manage_tmp_files'($*)) dnl
gen_require(`
type arpwatch_tmp_t;
')
files_search_tmp($1)
allow $1 arpwatch_tmp_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_manage_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write arpwatch packet sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`arpwatch_dontaudit_rw_packet_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl
gen_require(`
type arpwatch_t;
')
dontaudit $1 arpwatch_t:packet_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl
')
########################################
##
## Execute arpwatch server in the arpwatch domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`arpwatch_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_systemctl'($*)) dnl
gen_require(`
type arpwatch_t;
type arpwatch_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 arpwatch_unit_file_t:file read_file_perms;
allow $1 arpwatch_unit_file_t:service manage_service_perms;
ps_process_pattern($1, arpwatch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an arpwatch environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`arpwatch_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_admin'($*)) dnl
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
type arpwatch_data_t, arpwatch_var_run_t;
type arpwatch_unit_file_t;
')
allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
tunable_policy(`deny_ptrace',`',`
allow $1 arpwatch_t:process ptrace;
')
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
files_list_var($1)
admin_pattern($1, arpwatch_data_t)
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
arpwatch_systemctl($1)
admin_pattern($1, arpwatch_unit_file_t)
allow $1 arpwatch_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_admin'($*)) dnl
')
########################################
##
## Create objects in the arpwatch home directory
## with an automatic type transition to a specified type
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object being created.
##
##
##
##
## The class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`arpwatch_data_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_data_filetrans'($*)) dnl
gen_require(`
type arpwatch_data_t;
')
filetrans_pattern($1, arpwatch_data_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_data_filetrans'($*)) dnl
')
## Asterisk IP telephony server.
######################################
##
## Execute asterisk in the asterisk domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`asterisk_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_domtrans'($*)) dnl
gen_require(`
type asterisk_t, asterisk_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, asterisk_exec_t, asterisk_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_domtrans'($*)) dnl
')
######################################
##
## Execute asterisk in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`asterisk_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_exec'($*)) dnl
gen_require(`
type asterisk_exec_t;
')
corecmd_search_bin($1)
can_exec($1, asterisk_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_exec'($*)) dnl
')
#####################################
##
## Connect to asterisk over a unix domain.
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`asterisk_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_stream_connect'($*)) dnl
gen_require(`
type asterisk_t, asterisk_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_stream_connect'($*)) dnl
')
#######################################
##
## Set attributes of asterisk log
## files and directories.
##
##
##
## Domain allowed access.
##
##
#
define(`asterisk_setattr_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_setattr_logs'($*)) dnl
gen_require(`
type asterisk_log_t;
')
setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_setattr_logs'($*)) dnl
')
#######################################
##
## Set attributes of the asterisk
## PID content.
##
##
##
## Domain allowed access.
##
##
#
define(`asterisk_setattr_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_setattr_pid_files'($*)) dnl
gen_require(`
type asterisk_var_run_t;
')
setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_setattr_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an asterisk environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`asterisk_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_admin'($*)) dnl
gen_require(`
type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
tunable_policy(`deny_ptrace',`',`
allow $1 asterisk_t:process ptrace;
')
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
allow $2 system_r;
asterisk_exec($1)
files_list_tmp($1)
admin_pattern($1, asterisk_tmp_t)
files_list_etc($1)
admin_pattern($1, asterisk_etc_t)
logging_list_logs($1)
admin_pattern($1, asterisk_log_t)
files_list_spool($1)
admin_pattern($1, asterisk_spool_t)
files_list_var_lib($1)
admin_pattern($1, asterisk_var_lib_t)
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_admin'($*)) dnl
')
## policy for authconfig
########################################
##
## Execute TEMPLATE in the authconfig domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`authconfig_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_domtrans'($*)) dnl
gen_require(`
type authconfig_t, authconfig_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, authconfig_exec_t, authconfig_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_domtrans'($*)) dnl
')
########################################
##
## Search authconfig lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`authconfig_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_search_lib'($*)) dnl
gen_require(`
type authconfig_var_lib_t;
')
allow $1 authconfig_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_search_lib'($*)) dnl
')
########################################
##
## Read authconfig lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`authconfig_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_read_lib_files'($*)) dnl
gen_require(`
type authconfig_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_read_lib_files'($*)) dnl
')
########################################
##
## Manage authconfig lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`authconfig_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_manage_lib_files'($*)) dnl
gen_require(`
type authconfig_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_manage_lib_files'($*)) dnl
')
########################################
##
## Manage authconfig lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`authconfig_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_manage_lib_dirs'($*)) dnl
gen_require(`
type authconfig_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an authconfig environment
##
##
##
## Domain allowed access.
##
##
#
define(`authconfig_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_admin'($*)) dnl
gen_require(`
type authconfig_t;
type authconfig_var_lib_t;
')
allow $1 authconfig_t:process { ptrace signal_perms };
ps_process_pattern($1, authconfig_t)
files_search_var_lib($1)
admin_pattern($1, authconfig_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_admin'($*)) dnl
')
## Filesystem automounter service.
########################################
##
## Execute automount in the automount domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`automount_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_domtrans'($*)) dnl
gen_require(`
type automount_t, automount_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, automount_exec_t, automount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_domtrans'($*)) dnl
')
########################################
##
## Send generic signals to automount.
##
##
##
## Domain allowed access.
##
##
#
define(`automount_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_signal'($*)) dnl
gen_require(`
type automount_t;
')
allow $1 automount_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_signal'($*)) dnl
')
########################################
##
## Execute automount in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`automount_exec_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_exec_config'($*)) dnl
refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
files_exec_etc_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_exec_config'($*)) dnl
')
########################################
##
## Read automount process state.
##
##
##
## Domain to allow access.
##
##
#
define(`automount_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_read_state'($*)) dnl
gen_require(`
type automount_t;
')
kernel_search_proc($1)
allow $1 automount_t:dir list_dir_perms;
read_files_pattern($1, automount_t, automount_t)
read_lnk_files_pattern($1, automount_t, automount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_read_state'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## automount file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`automount_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_use_fds'($*)) dnl
gen_require(`
type automount_t;
')
dontaudit $1 automount_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Write to a automount unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`automount_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_write_pipes'($*)) dnl
gen_require(`
type automount_t;
')
allow $1 automount_t:fd use;
allow $1 automount_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_write_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to write
## automount unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`automount_dontaudit_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_write_pipes'($*)) dnl
gen_require(`
type automount_t;
')
dontaudit $1 automount_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_write_pipes'($*)) dnl
')
########################################
##
## Allow domain to search of automount temporary
## directories.
##
##
##
## Domain to not audit.
##
##
#
define(`automount_search_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_search_tmp_dirs'($*)) dnl
gen_require(`
type automount_tmp_t;
')
search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_search_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get
## attributes of automount temporary
## directories.
##
##
##
## Domain to not audit.
##
##
#
define(`automount_dontaudit_getattr_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_getattr_tmp_dirs'($*)) dnl
gen_require(`
type automount_tmp_t;
')
dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_getattr_tmp_dirs'($*)) dnl
')
########################################
##
## Execute automount server in the automount domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`automount_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_systemctl'($*)) dnl
gen_require(`
type automount_t;
type automount_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 automount_unit_file_t:file read_file_perms;
allow $1 automount_unit_file_t:service manage_service_perms;
ps_process_pattern($1, automount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an automount environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`automount_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_admin'($*)) dnl
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
type automount_unit_file_t, automount_keytab_t;
')
allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
tunable_policy(`deny_ptrace',`',`
allow $1 automount_t:process ptrace;
')
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, automount_keytab_t)
files_list_var($1)
admin_pattern($1, automount_lock_t)
files_list_tmp($1)
admin_pattern($1, automount_tmp_t)
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
automount_systemctl($1)
admin_pattern($1, automount_unit_file_t)
allow $1 automount_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_admin'($*)) dnl
')
## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.
########################################
##
## Execute avahi server in the avahi domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`avahi_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_domtrans'($*)) dnl
gen_require(`
type avahi_exec_t, avahi_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, avahi_exec_t, avahi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_domtrans'($*)) dnl
')
########################################
##
## Execute avahi init scripts in the
## init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`avahi_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_initrc_domtrans'($*)) dnl
gen_require(`
type avahi_initrc_exec_t;
')
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_initrc_domtrans'($*)) dnl
')
########################################
##
## Send generic signals to avahi.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_signal'($*)) dnl
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_signal'($*)) dnl
')
########################################
##
## Send kill signals to avahi.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_kill'($*)) dnl
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_kill'($*)) dnl
')
########################################
##
## Send null signals to avahi.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_signull'($*)) dnl
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_signull'($*)) dnl
')
########################################
##
## Send and receive messages from
## avahi over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_dbus_chat'($*)) dnl
gen_require(`
type avahi_t;
class dbus send_msg;
')
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_dbus_chat'($*)) dnl
')
########################################
##
## Connect to avahi using a unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_stream_connect'($*)) dnl
gen_require(`
type avahi_t, avahi_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_stream_connect'($*)) dnl
')
########################################
##
## Create avahi pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_create_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_create_pid_dirs'($*)) dnl
gen_require(`
type avahi_var_run_t;
')
files_search_pids($1)
allow $1 avahi_var_run_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_create_pid_dirs'($*)) dnl
')
########################################
##
## Set attributes of avahi pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_setattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_setattr_pid_dirs'($*)) dnl
gen_require(`
type avahi_var_run_t;
')
files_search_pids($1)
allow $1 avahi_var_run_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_setattr_pid_dirs'($*)) dnl
')
########################################
##
## Create, read, and write avahi pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`avahi_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_manage_pid_files'($*)) dnl
gen_require(`
type avahi_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_manage_pid_files'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## avahi pid directories.
##
##
##
## Domain to not audit.
##
##
#
define(`avahi_dontaudit_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_dontaudit_search_pid'($*)) dnl
gen_require(`
type avahi_var_run_t;
')
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_dontaudit_search_pid'($*)) dnl
')
########################################
##
## Execute avahi server in the avahi domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`avahi_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_systemctl'($*)) dnl
gen_require(`
type avahi_t;
type avahi_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 avahi_unit_file_t:file read_file_perms;
allow $1 avahi_unit_file_t:service manage_service_perms;
ps_process_pattern($1, avahi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_systemctl'($*)) dnl
')
########################################
##
## Create specified objects in generic
## pid directories with the avahi pid file type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`avahi_filetrans_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_filetrans_pid'($*)) dnl
gen_require(`
type avahi_var_run_t;
')
files_pid_filetrans($1, avahi_var_run_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_filetrans_pid'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an avahi environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`avahi_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_admin'($*)) dnl
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
type avahi_unit_file_t;
type avahi_var_lib_t;
')
allow $1 avahi_t:process signal_perms;
ps_process_pattern($1, avahi_t)
tunable_policy(`deny_ptrace',`',`
allow $1 avahi_t:process ptrace;
')
avahi_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, avahi_var_run_t)
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
avahi_systemctl($1)
admin_pattern($1, avahi_unit_file_t)
allow $1 avahi_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_admin'($*)) dnl
')
## Log file analyzer for advanced statistics.
########################################
##
## Execute the awstats program in
## the awstats domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`awstats_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `awstats_domtrans'($*)) dnl
gen_require(`
type awstats_t, awstats_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, awstats_exec_t, awstats_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `awstats_domtrans'($*)) dnl
')
########################################
##
## Read and write awstats unnamed pipes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`awstats_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `awstats_rw_pipes'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `awstats_rw_pipes'($*)) dnl
')
########################################
##
## Execute awstats cgi scripts in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`awstats_cgi_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `awstats_cgi_exec'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `awstats_cgi_exec'($*)) dnl
')
## System backup scripts.
########################################
##
## Execute backup in the backup domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`backup_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `backup_domtrans'($*)) dnl
gen_require(`
type backup_t, backup_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, backup_exec_t, backup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `backup_domtrans'($*)) dnl
')
########################################
##
## Execute backup in the backup
## domain, and allow the specified
## role the backup domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`backup_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `backup_run'($*)) dnl
gen_require(`
attribute_role backup_roles;
')
backup_domtrans($1)
roleattribute $2 backup_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `backup_run'($*)) dnl
')
########################################
##
## Create, read, and write backup
## store files.
##
##
##
## Domain allowed access.
##
##
#
define(`backup_manage_store_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `backup_manage_store_files'($*)) dnl
gen_require(`
type backup_store_t;
')
files_search_var($1)
manage_files_pattern($1, backup_store_t, backup_store_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `backup_manage_store_files'($*)) dnl
')
## Cross platform network backup.
########################################
##
## Execute bacula admin bacula
## admin domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bacula_domtrans_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bacula_domtrans_admin'($*)) dnl
gen_require(`
type bacula_admin_t, bacula_admin_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bacula_domtrans_admin'($*)) dnl
')
########################################
##
## Execute user interfaces in the
## bacula admin domain, and allow the
## specified role the bacula admin domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bacula_run_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bacula_run_admin'($*)) dnl
gen_require(`
attribute_role bacula_admin_roles;
')
bacula_domtrans_admin($1)
roleattribute $2 bacula_admin_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bacula_run_admin'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an bacula environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bacula_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bacula_admin'($*)) dnl
gen_require(`
type bacula_t, bacula_etc_t, bacula_log_t;
type bacula_spool_t, bacula_var_lib_t;
type bacula_var_run_t, bacula_initrc_exec_t;
attribute_role bacula_admin_roles;
')
allow $1 bacula_t:process { ptrace signal_perms };
ps_process_pattern($1, bacula_t)
init_labeled_script_domtrans($1, bacula_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bacula_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bacula_etc_t)
logging_search_logs($1)
admin_pattern($1, bacula_log_t)
files_search_var($1)
admin_pattern($1, bacula_spool_t)
files_search_var_lib($1)
admin_pattern($1, bacula_var_lib_t)
files_search_pids($1)
admin_pattern($1, bacula_var_run_t)
bacula_run_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bacula_admin'($*)) dnl
')
## configuration management suite.
########################################
##
## Execute bcfg2 in the bcfg2 domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bcfg2_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_domtrans'($*)) dnl
gen_require(`
type bcfg2_t, bcfg2_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_domtrans'($*)) dnl
')
########################################
##
## Execute bcfg2 server in the bcfg2 domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bcfg2_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_initrc_domtrans'($*)) dnl
gen_require(`
type bcfg2_initrc_exec_t;
')
init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_initrc_domtrans'($*)) dnl
')
########################################
##
## Search bcfg2 lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bcfg2_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_search_lib'($*)) dnl
gen_require(`
type bcfg2_var_lib_t;
')
allow $1 bcfg2_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_search_lib'($*)) dnl
')
########################################
##
## Read bcfg2 lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`bcfg2_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_read_lib_files'($*)) dnl
gen_require(`
type bcfg2_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## bcfg2 lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`bcfg2_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_manage_lib_files'($*)) dnl
gen_require(`
type bcfg2_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_manage_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## bcfg2 lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bcfg2_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_manage_lib_dirs'($*)) dnl
gen_require(`
type bcfg2_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute bcfg2 server in the bcfg2 domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bcfg2_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_systemctl'($*)) dnl
gen_require(`
type bcfg2_t;
type bcfg2_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 bcfg2_unit_file_t:file read_file_perms;
allow $1 bcfg2_unit_file_t:service manage_service_perms;
ps_process_pattern($1, bcfg2_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an bcfg2 environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bcfg2_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_admin'($*)) dnl
gen_require(`
type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
type bcfg2_var_run_t;
type bcfg2_unit_file_t;
')
allow $1 bcfg2_t:process { signal_perms };
ps_process_pattern($1, bcfg2_t)
tunable_policy(`deny_ptrace',`',`
allow $1 bcfg2_t:process ptrace;
')
bcfg2_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 bcfg2_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, bcfg2_var_run_t)
files_search_var_lib($1)
admin_pattern($1, bcfg2_var_lib_t)
bcfg2_systemctl($1)
admin_pattern($1, bcfg2_unit_file_t)
allow $1 bcfg2_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_admin'($*)) dnl
')
## Berkeley Internet name domain DNS server.
########################################
##
## Execute bind server in the bind domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bind_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_initrc_domtrans'($*)) dnl
gen_require(`
type named_initrc_exec_t;
')
init_labeled_script_domtrans($1, named_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute bind server in the bind domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bind_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_systemctl'($*)) dnl
gen_require(`
type named_unit_file_t;
type named_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 named_unit_file_t:file read_file_perms;
allow $1 named_unit_file_t:service manage_service_perms;
ps_process_pattern($1, named_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_systemctl'($*)) dnl
')
########################################
##
## Execute ndc in the ndc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bind_domtrans_ndc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_domtrans_ndc'($*)) dnl
gen_require(`
type ndc_t, ndc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ndc_exec_t, ndc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_domtrans_ndc'($*)) dnl
')
########################################
##
## Send generic signals to bind.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_signal'($*)) dnl
gen_require(`
type named_t;
')
allow $1 named_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_signal'($*)) dnl
')
########################################
##
## Send null signals to bind.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_signull'($*)) dnl
gen_require(`
type named_t;
')
allow $1 named_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_signull'($*)) dnl
')
########################################
##
## Send kill signals to bind.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_kill'($*)) dnl
gen_require(`
type named_t;
')
allow $1 named_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_kill'($*)) dnl
')
########################################
##
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bind_run_ndc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_run_ndc'($*)) dnl
gen_require(`
attribute_role ndc_roles;
')
bind_domtrans_ndc($1)
roleattribute $2 ndc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_run_ndc'($*)) dnl
')
########################################
##
## Execute bind in the named domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bind_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_domtrans'($*)) dnl
gen_require(`
type named_t, named_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, named_exec_t, named_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_domtrans'($*)) dnl
')
########################################
##
## Read dnssec key files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_dnssec_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_dnssec_keys'($*)) dnl
gen_require(`
type named_conf_t, named_zone_t, dnssec_t;
')
read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_dnssec_keys'($*)) dnl
')
########################################
##
## Mmap dnssec key files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_map_dnssec_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_map_dnssec_keys'($*)) dnl
gen_require(`
type named_conf_t, named_zone_t, dnssec_t;
')
allow $1 dnssec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_map_dnssec_keys'($*)) dnl
')
########################################
##
## Read bind named configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_config'($*)) dnl
gen_require(`
type named_conf_t;
')
allow $1 named_conf_t:dir list_dir_perms;
read_files_pattern($1, named_conf_t, named_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_config'($*)) dnl
')
########################################
##
## Write bind named configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_write_config'($*)) dnl
gen_require(`
type named_conf_t;
')
write_files_pattern($1, named_conf_t, named_conf_t)
allow $1 named_conf_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_write_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## bind configuration directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_config_dirs'($*)) dnl
gen_require(`
type named_conf_t;
')
manage_dirs_pattern($1, named_conf_t, named_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_config_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## BIND configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_config'($*)) dnl
gen_require(`
type named_conf_t;
')
manage_files_pattern($1, named_conf_t, named_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_config'($*)) dnl
')
########################################
##
## Search bind cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_search_cache'($*)) dnl
gen_require(`
type named_conf_t, named_cache_t, named_zone_t;
')
files_search_var($1)
allow $1 named_conf_t:dir search_dir_perms;
allow $1 named_zone_t:dir search_dir_perms;
allow $1 named_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_search_cache'($*)) dnl
')
########################################
##
## Read bind cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_cache'($*)) dnl
gen_require(`
type named_cache_t;
')
files_search_var($1)
allow $1 named_cache_t:dir list_dir_perms;
read_files_pattern($1, named_cache_t, named_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_cache'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## and write Bind cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_rw_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_rw_cache'($*)) dnl
gen_require(`
type named_cache_t;
')
allow $1 named_cache_t:dir list_dir_perms;
allow $1 named_cache_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_rw_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## bind cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_cache'($*)) dnl
gen_require(`
type named_cache_t, named_zone_t;
')
files_search_var($1)
allow $1 named_zone_t:dir search_dir_perms;
manage_files_pattern($1, named_cache_t, named_cache_t)
manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_cache'($*)) dnl
')
########################################
##
## Read bind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_pid_files'($*)) dnl
gen_require(`
type named_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, named_var_run_t, named_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_pid_files'($*)) dnl
')
########################################
##
## Set attributes of bind pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_setattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_setattr_pid_dirs'($*)) dnl
gen_require(`
type named_var_run_t;
')
allow $1 named_var_run_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_setattr_pid_dirs'($*)) dnl
')
########################################
##
## Set attributes of bind zone directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_setattr_zone_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_setattr_zone_dirs'($*)) dnl
gen_require(`
type named_zone_t;
')
allow $1 named_zone_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_setattr_zone_dirs'($*)) dnl
')
########################################
##
## Read bind zone files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_zone',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_zone'($*)) dnl
gen_require(`
type named_zone_t;
')
files_search_var($1)
read_files_pattern($1, named_zone_t, named_zone_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_zone'($*)) dnl
')
########################################
##
## Read BIND zone files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_log'($*)) dnl
gen_require(`
type named_zone_t;
type named_log_t;
')
files_search_var($1)
allow $1 named_zone_t:dir search_dir_perms;
read_files_pattern($1, named_log_t, named_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## bind zone files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_zone_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_zone_dirs'($*)) dnl
gen_require(`
type named_zone_t;
')
files_search_var($1)
allow $1 named_zone_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_zone_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## bind zone files.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_manage_zone',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_zone'($*)) dnl
gen_require(`
type named_zone_t;
')
files_search_var($1)
manage_files_pattern($1, named_zone_t, named_zone_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_zone'($*)) dnl
')
########################################
##
## Send and receive datagrams to and from named. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`bind_udp_chat_named',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_udp_chat_named'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_udp_chat_named'($*)) dnl
')
########################################
##
## Allow the domain to read bind state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_state'($*)) dnl
gen_require(`
type named_t;
')
kernel_search_proc($1)
ps_process_pattern($1, named_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_state'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an bind environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bind_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_admin'($*)) dnl
gen_require(`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
type named_keytab_t, named_unit_file_t;
')
allow $1 named_t:process signal_perms;
ps_process_pattern($1, named_t)
tunable_policy(`deny_ptrace',`',`
allow $1 named_t:process ptrace;
')
bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, named_tmp_t)
logging_list_logs($1)
admin_pattern($1, named_log_t)
files_list_etc($1)
admin_pattern($1, { named_keytab_t named_conf_t })
admin_pattern($1, named_keytab_t)
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
files_list_pids($1)
admin_pattern($1, named_var_run_t)
admin_pattern($1, named_unit_file_t)
bind_systemctl($1)
allow $1 named_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_admin'($*)) dnl
')
######################################
##
## Execute bind in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`bind_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_exec'($*)) dnl
gen_require(`
type named_exec_t;
')
corecmd_search_bin($1)
can_exec($1, named_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_exec'($*)) dnl
')
## BIRD Internet Routing Daemon.
########################################
##
## All of the rules required to
## administrate an bird environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bird_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bird_admin'($*)) dnl
gen_require(`
type bird_t, bird_etc_t, bird_log_t;
type bird_var_run_t, bird_initrc_exec_t;
')
allow $1 bird_t:process { ptrace signal_perms };
ps_process_pattern($1, bird_t)
init_labeled_script_domtrans($1, bird_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bird_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, bird_etc_t)
logging_list_logs($1)
admin_pattern($1, bird_log_t)
files_list_pids($1)
admin_pattern($1, bird_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bird_admin'($*)) dnl
')
## Tunnels instant messaging traffic to a virtual IRC channel.
########################################
##
## Read bitlbee configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bitlbee_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bitlbee_read_config'($*)) dnl
gen_require(`
type bitlbee_conf_t;
')
files_search_etc($1)
allow $1 bitlbee_conf_t:dir list_dir_perms;
allow $1 bitlbee_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bitlbee_read_config'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an bitlbee environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bitlbee_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bitlbee_admin'($*)) dnl
gen_require(`
type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
type bitlbee_initrc_exec_t, bitlbee_var_run_t;
type bitlbee_log_t, bitlbee_tmp_t;
')
allow $1 bitlbee_t:process signal_perms;
ps_process_pattern($1, bitlbee_t)
tunable_policy(`deny_ptrace',`',`
allow $1 bitlbee_t:process ptrace;
')
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, bitlbee_conf_t)
logging_search_logs($1)
admin_pattern($1, bitlbee_log_t)
files_search_tmp($1)
admin_pattern($1, bitlbee_tmp_t)
files_search_pids($1)
admin_pattern($1, bitlbee_var_run_t)
files_search_var_lib($1)
admin_pattern($1, bitlbee_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bitlbee_admin'($*)) dnl
')
## The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
########################################
##
## Execute blkmapd_exec_t in the blkmapd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`blkmapd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_domtrans'($*)) dnl
gen_require(`
type blkmapd_t, blkmapd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_domtrans'($*)) dnl
')
######################################
##
## Execute blkmapd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`blkmapd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_exec'($*)) dnl
gen_require(`
type blkmapd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, blkmapd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_exec'($*)) dnl
')
########################################
##
## Execute blkmapd server in the blkmapd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`blkmapd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_initrc_domtrans'($*)) dnl
gen_require(`
type blkmapd_initrc_exec_t;
')
init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read blkmapd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`blkmapd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_read_pid_files'($*)) dnl
gen_require(`
type blkmapd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an blkmapd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`blkmapd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_admin'($*)) dnl
gen_require(`
type blkmapd_t;
type blkmapd_initrc_exec_t;
type blkmapd_var_run_t;
')
allow $1 blkmapd_t:process { signal_perms };
ps_process_pattern($1, blkmapd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 blkmapd_t:process ptrace;
')
blkmapd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 blkmapd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, blkmapd_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_admin'($*)) dnl
')
## Tool to manage Bluetooth devices.
########################################
##
## Execute blueman in the blueman domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`blueman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_domtrans'($*)) dnl
gen_require(`
type blueman_t, blueman_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, blueman_exec_t, blueman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## blueman over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`blueman_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_dbus_chat'($*)) dnl
gen_require(`
type blueman_t;
class dbus send_msg;
')
allow $1 blueman_t:dbus send_msg;
allow blueman_t $1:dbus send_msg;
ps_process_pattern(blueman_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_dbus_chat'($*)) dnl
')
########################################
##
## Search blueman lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`blueman_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_search_lib'($*)) dnl
gen_require(`
type blueman_var_lib_t;
')
allow $1 blueman_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_search_lib'($*)) dnl
')
########################################
##
## Read blueman lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`blueman_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_read_lib_files'($*)) dnl
gen_require(`
type blueman_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## blueman lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`blueman_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_manage_lib_files'($*)) dnl
gen_require(`
type blueman_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_manage_lib_files'($*)) dnl
')
## Bluetooth tools and system services.
########################################
##
## Role access for bluetooth.
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`bluetooth_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_role'($*)) dnl
gen_require(`
attribute_role bluetooth_helper_roles;
type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t;
type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_var_run_t;
')
########################################
#
# Declarations
#
roleattribute $1 bluetooth_helper_roles;
########################################
#
# Policy
#
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
ps_process_pattern($2, bluetooth_helper_t)
allow $2 bluetooth_helper_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 bluetooth_helper_t:process ptrace;
')
allow $2 bluetooth_t:socket rw_socket_perms;
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
bluetooth_stream_connect($2)
stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_role'($*)) dnl
')
#####################################
##
## Connect to bluetooth over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`bluetooth_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_stream_connect'($*)) dnl
gen_require(`
type bluetooth_t, bluetooth_var_run_t;
type bluetooth_tmp_t;
')
files_search_pids($1)
allow $1 bluetooth_t:socket rw_socket_perms;
stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
tunable_policy(`deny_bluetooth',`',`
allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_stream_connect'($*)) dnl
')
########################################
##
## Execute bluetooth in the bluetooth domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bluetooth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans'($*)) dnl
gen_require(`
type bluetooth_t, bluetooth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_domtrans'($*)) dnl
')
########################################
##
## Read bluetooth configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`bluetooth_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_read_config'($*)) dnl
gen_require(`
type bluetooth_conf_t;
')
allow $1 bluetooth_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_read_config'($*)) dnl
')
########################################
##
## Send and receive messages from
## bluetooth over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`bluetooth_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dbus_chat'($*)) dnl
gen_require(`
type bluetooth_t;
class dbus send_msg;
')
allow $1 bluetooth_t:dbus send_msg;
allow bluetooth_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dbus_chat'($*)) dnl
')
########################################
##
## dontaudit Send and receive messages from
## bluetooth over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`bluetooth_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type bluetooth_t;
class dbus send_msg;
')
dontaudit $1 bluetooth_t:dbus send_msg;
dontaudit bluetooth_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
##
## Domain allowed to transition.
##
##
#
define(`bluetooth_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans_helper'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_domtrans_helper'($*)) dnl
')
########################################
##
## Execute bluetooth_helper in the bluetooth_helper domain, and
## allow the specified role the bluetooth_helper domain. (Deprecated)
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
##
## The type of the terminal allow the bluetooth_helper domain to use.
##
##
##
#
define(`bluetooth_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_run_helper'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_run_helper'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## bluetooth process state files.
##
##
##
## Domain to not audit.
##
##
#
define(`bluetooth_dontaudit_read_helper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dontaudit_read_helper_state'($*)) dnl
gen_require(`
type bluetooth_helper_t;
')
dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
dontaudit $1 bluetooth_helper_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dontaudit_read_helper_state'($*)) dnl
')
########################################
##
## Execute bluetooth server in the bluetooth domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bluetooth_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_systemctl'($*)) dnl
gen_require(`
type bluetooth_t;
type bluetooth_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 bluetooth_unit_file_t:file read_file_perms;
allow $1 bluetooth_unit_file_t:service manage_service_perms;
ps_process_pattern($1, bluetooth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an bluetooth environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`bluetooth_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_admin'($*)) dnl
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process signal_perms;
ps_process_pattern($1, bluetooth_t)
tunable_policy(`deny_ptrace',`',`
allow $1 bluetooth_t:process ptrace;
')
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
files_list_var($1)
admin_pattern($1, bluetooth_lock_t)
files_list_etc($1)
admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t })
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
bluetooth_systemctl($1)
admin_pattern($1, bluetooth_unit_file_t)
allow $1 bluetooth_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_admin'($*)) dnl
')
## policy for boinc
########################################
##
## Execute a domain transition to run boinc.
##
##
##
## Domain allowed to transition.
##
##
#
define(`boinc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_domtrans'($*)) dnl
gen_require(`
type boinc_t, boinc_exec_t;
')
domtrans_pattern($1, boinc_exec_t, boinc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_domtrans'($*)) dnl
')
#######################################
##
## Execute boinc server in the boinc domain.
##
##
##
## Domain allowed access.
##
##
#
define(`boinc_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_initrc_domtrans'($*)) dnl
gen_require(`
type boinc_initrc_exec_t;
')
init_labeled_script_domtrans($1, boinc_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_initrc_domtrans'($*)) dnl
')
#######################################
##
## Dontaudit getattr on boinc lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`boinc_dontaudit_getattr_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_dontaudit_getattr_lib'($*)) dnl
gen_require(`
type boinc_var_lib_t;
')
dontaudit $1 boinc_var_lib_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_dontaudit_getattr_lib'($*)) dnl
')
########################################
##
## Search boinc lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`boinc_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_search_lib'($*)) dnl
gen_require(`
type boinc_var_lib_t;
')
allow $1 boinc_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_search_lib'($*)) dnl
')
########################################
##
## Read boinc lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`boinc_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_read_lib_files'($*)) dnl
gen_require(`
type boinc_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## boinc lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`boinc_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_manage_lib_files'($*)) dnl
gen_require(`
type boinc_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_manage_lib_files'($*)) dnl
')
########################################
##
## Manage boinc var_lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`boinc_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_manage_var_lib'($*)) dnl
gen_require(`
type boinc_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_manage_var_lib'($*)) dnl
')
#######################################
##
## Execute boinc server in the boinc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`boinc_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_systemctl'($*)) dnl
gen_require(`
type boinc_t;
type boinc_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 boinc_unit_file_t:file read_file_perms;
allow $1 boinc_unit_file_t:service manage_service_perms;
ps_process_pattern($1, boinc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an boinc environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`boinc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_admin'($*)) dnl
gen_require(`
type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
type boinc_unit_file_t;
')
allow $1 boinc_t:process signal_perms;
ps_process_pattern($1, boinc_t)
tunable_policy(`deny_ptrace',`',`
allow $1 boinc_t:process ptrace;
')
boinc_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, boinc_var_lib_t)
boinc_systemctl($1)
admin_pattern($1, boinc_unit_file_t)
allow $1 boinc_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_admin'($*)) dnl
')
## policy for boltd
########################################
##
## Execute boltd_exec_t in the boltd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`boltd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_domtrans'($*)) dnl
gen_require(`
type boltd_t, boltd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, boltd_exec_t, boltd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_domtrans'($*)) dnl
')
######################################
##
## Execute boltd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_exec'($*)) dnl
gen_require(`
type boltd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, boltd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_exec'($*)) dnl
')
########################################
##
## Search boltd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_search_lib'($*)) dnl
gen_require(`
type boltd_var_lib_t;
')
allow $1 boltd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_search_lib'($*)) dnl
')
########################################
##
## Read boltd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_read_lib_files'($*)) dnl
gen_require(`
type boltd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_read_lib_files'($*)) dnl
')
########################################
##
## Manage boltd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_manage_lib_files'($*)) dnl
gen_require(`
type boltd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage boltd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_manage_lib_dirs'($*)) dnl
gen_require(`
type boltd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an boltd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`boltd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_admin'($*)) dnl
gen_require(`
type boltd_t;
type boltd_var_lib_t;
')
allow $1 boltd_t:process { signal_perms };
ps_process_pattern($1, boltd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 boltd_t:process ptrace;
')
files_search_var_lib($1)
admin_pattern($1, boltd_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_admin'($*)) dnl
')
########################################
##
## Mounton boltd lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_mounton_var_lib'($*)) dnl
gen_require(`
type boltd_var_lib_t;
')
allow $1 boltd_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_mounton_var_lib'($*)) dnl
')
########################################
##
## Mounton boltd var_run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_mounton_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_mounton_var_run'($*)) dnl
gen_require(`
type boltd_var_run_t;
')
allow $1 boltd_var_run_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_mounton_var_run'($*)) dnl
')
######################################
##
## Write to boltd named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_write_var_run_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_write_var_run_pipes'($*)) dnl
gen_require(`
type boltd_var_run_t;
')
allow $1 boltd_var_run_t:fd use;
allow $1 boltd_var_run_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_write_var_run_pipes'($*)) dnl
')
########################################
##
## Send messages to boltd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`boltd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_dbus_chat'($*)) dnl
gen_require(`
type boltd_t;
class dbus send_msg;
')
allow $1 boltd_t:dbus send_msg;
allow boltd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_dbus_chat'($*)) dnl
')
## Utilities for configuring the Linux ethernet bridge.
########################################
##
## Execute a domain transition to run brctl.
##
##
##
## Domain allowed to transition.
##
##
#
define(`brctl_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brctl_domtrans'($*)) dnl
gen_require(`
type brctl_t, brctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, brctl_exec_t, brctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brctl_domtrans'($*)) dnl
')
########################################
##
## Execute brctl in the brctl domain, and
## allow the specified role the brctl domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`brctl_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brctl_run'($*)) dnl
gen_require(`
attribute_role brctl_roles;
')
brctl_domtrans($1)
roleattribute $2 brctl_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brctl_run'($*)) dnl
')
## brltty is refreshable braille display driver for Linux/Unix
########################################
##
## Execute brltty in the brltty domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`brltty_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brltty_domtrans'($*)) dnl
gen_require(`
type brltty_t, brltty_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, brltty_exec_t, brltty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brltty_domtrans'($*)) dnl
')
########################################
##
## Execute brltty server in the brltty domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`brltty_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brltty_systemctl'($*)) dnl
gen_require(`
type brltty_t;
type brltty_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 brltty_unit_file_t:file read_file_perms;
allow $1 brltty_unit_file_t:service manage_service_perms;
ps_process_pattern($1, brltty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brltty_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an brltty environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`brltty_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brltty_admin'($*)) dnl
gen_require(`
type brltty_t;
type brltty_unit_file_t;
')
allow $1 brltty_t:process { signal_perms };
ps_process_pattern($1, brltty_t)
tunable_policy(`deny_ptrace',`',`
allow $1 brltty_t:process ptrace;
')
brltty_systemctl($1)
admin_pattern($1, brltty_unit_file_t)
allow $1 brltty_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brltty_admin'($*)) dnl
')
## Bugtracker.
########################################
##
## Search bugzilla directories.
##
##
##
## Domain allowed access.
##
##
#
define(`bugzilla_search_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bugzilla_search_content'($*)) dnl
gen_require(`
type bugzilla_content_t;
')
allow $1 bugzilla_content_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bugzilla_search_content'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write bugzilla script unix domain
## stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`bugzilla_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bugzilla_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type bugzilla_script_t;
')
dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bugzilla_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an bugzilla environment.
##
##
##
## Domain allowed access.
##
##
#
define(`bugzilla_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bugzilla_admin'($*)) dnl
gen_require(`
type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t;
type bugzilla_rw_content_t, bugzilla_script_exec_t;
type bugzilla_htaccess_t, bugzilla_tmp_t;
')
allow $1 bugzilla_script_t:process signal_perms;
ps_process_pattern($1, bugzilla_script_t)
tunable_policy(`deny_ptrace',`',`
allow $1 bugzilla_script_t:process ptrace;
')
files_list_tmp($1)
admin_pattern($1, bugzilla_tmp_t)
files_list_var_lib(bugzilla_script_t)
admin_pattern($1, bugzilla_script_exec_t)
admin_pattern($1, bugzilla_script_t)
admin_pattern($1, bugzilla_content_t)
admin_pattern($1, bugzilla_htaccess_t)
admin_pattern($1, bugzilla_ra_content_t)
files_search_tmp($1)
files_search_var_lib($1)
admin_pattern($1, bugzilla_rw_content_t)
optional_policy(`
apache_list_sys_content($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bugzilla_admin'($*)) dnl
')
## policy for bumblebee
########################################
##
## Execute bumblebee in the bumblebee domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bumblebee_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_domtrans'($*)) dnl
gen_require(`
type bumblebee_t, bumblebee_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_domtrans'($*)) dnl
')
########################################
##
## Read bumblebee PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`bumblebee_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_read_pid_files'($*)) dnl
gen_require(`
type bumblebee_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_read_pid_files'($*)) dnl
')
########################################
##
## Execute bumblebee server in the bumblebee domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`bumblebee_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_systemctl'($*)) dnl
gen_require(`
type bumblebee_t;
type bumblebee_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 bumblebee_unit_file_t:file read_file_perms;
allow $1 bumblebee_unit_file_t:service manage_service_perms;
ps_process_pattern($1, bumblebee_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_systemctl'($*)) dnl
')
########################################
##
## Connect to bumblebee over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`bumblebee_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_stream_connect'($*)) dnl
gen_require(`
type bumblebee_t, bumblebee_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an bumblebee environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`bumblebee_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_admin'($*)) dnl
gen_require(`
type bumblebee_t;
type bumblebee_var_run_t;
type bumblebee_unit_file_t;
')
allow $1 bumblebee_t:process { signal_perms };
ps_process_pattern($1, bumblebee_t)
tunable_policy(`deny_ptrace',`',`
allow $1 bumblebee_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, bumblebee_var_run_t)
bumblebee_systemctl($1)
admin_pattern($1, bumblebee_unit_file_t)
allow $1 bumblebee_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_admin'($*)) dnl
')
###############################################################################
#
# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
# Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################
#
# Define the policy interface for the CacheFiles userspace management daemon.
#
## policy for cachefilesd
########################################
##
## Execute a domain transition to run cachefilesd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cachefilesd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cachefilesd_domtrans'($*)) dnl
gen_require(`
type cachefilesd_t, cachefilesd_exec_t;
')
domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cachefilesd_domtrans'($*)) dnl
')
## Squid log analysis.
########################################
##
## Execute the calamaris in
## the calamaris domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`calamaris_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_domtrans'($*)) dnl
gen_require(`
type calamaris_t, calamaris_exec_t;
')
files_search_etc($1)
domtrans_pattern($1, calamaris_exec_t, calamaris_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_domtrans'($*)) dnl
')
########################################
##
## Execute calamaris in the
## calamaris domain, and allow the
## specified role the calamaris domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`calamaris_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_run'($*)) dnl
gen_require(`
attribute_role calamaris_roles;
')
calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_run'($*)) dnl
')
#######################################
##
## Read calamaris www files.
##
##
##
## Domain allowed access.
##
##
#
define(`calamaris_read_www_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_read_www_files'($*)) dnl
gen_require(`
type calamaris_www_t;
')
allow $1 calamaris_www_t:dir list_dir_perms;
read_files_pattern($1, calamaris_www_t, calamaris_www_t)
read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_read_www_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an calamaris environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`calamaris_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_admin'($*)) dnl
gen_require(`
type calamaris_t, calamaris_log_t, calamaris_www_t;
')
allow $1 calamaris_t:process { ptrace signal_perms };
ps_process_pattern($1, calamaris_t)
calamaris_run($1, $2)
logging_list_logs($1)
admin_pattern($1, calamaris_log_t)
apache_list_sys_content($1)
admin_pattern($1, calamaris_www_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_admin'($*)) dnl
')
## PBX software.
########################################
##
## Execute callweaver in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`callweaver_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `callweaver_exec'($*)) dnl
gen_require(`
type callweaver_exec_t;
')
corecmd_search_bin($1)
can_exec($1, callweaver_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `callweaver_exec'($*)) dnl
')
########################################
##
## Connect to callweaver over a
## unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`callweaver_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `callweaver_stream_connect'($*)) dnl
gen_require(`
type callweaver_t, callweaver_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `callweaver_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an callweaver environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`callweaver_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `callweaver_admin'($*)) dnl
gen_require(`
type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t;
type callweaver_var_lib_t, callweaver_var_run_t, callweaver_spool_t;
')
allow $1 callweaver_t:process { ptrace signal_perms };
ps_process_pattern($1, callweaver_t)
init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 callweaver_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, callweaver_log_t)
files_search_pids($1)
admin_pattern($1, callweaver_var_run_t)
files_search_var_lib($1)
admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `callweaver_admin'($*)) dnl
')
## Kana-kanji conversion server.
########################################
##
## Connect to Canna using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`canna_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `canna_stream_connect'($*)) dnl
gen_require(`
type canna_t, canna_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `canna_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an canna environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`canna_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `canna_admin'($*)) dnl
gen_require(`
type canna_t, canna_log_t, canna_var_lib_t;
type canna_var_run_t, canna_initrc_exec_t;
')
allow $1 canna_t:process signal_perms;
ps_process_pattern($1, canna_t)
tunable_policy(`deny_ptrace',`',`
allow $1 canna_t:process ptrace;
')
init_labeled_script_domtrans($1, canna_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, canna_log_t)
files_list_var_lib($1)
admin_pattern($1, canna_var_lib_t)
files_list_pids($1)
admin_pattern($1, canna_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `canna_admin'($*)) dnl
')
## Cluster Configuration System.
########################################
##
## Execute a domain transition to run ccs.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ccs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_domtrans'($*)) dnl
gen_require(`
type ccs_t, ccs_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ccs_exec_t, ccs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_domtrans'($*)) dnl
')
########################################
##
## Connect to ccs over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ccs_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_stream_connect'($*)) dnl
gen_require(`
type ccs_t, ccs_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_stream_connect'($*)) dnl
')
########################################
##
## Read cluster configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ccs_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_read_config'($*)) dnl
gen_require(`
type cluster_conf_t;
')
files_search_etc($1)
read_files_pattern($1, cluster_conf_t, cluster_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_read_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## cluster configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ccs_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_manage_config'($*)) dnl
gen_require(`
type cluster_conf_t;
')
files_search_etc($1)
manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_manage_config'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an ccs environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ccs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_admin'($*)) dnl
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t;
')
allow $1 ccs_t:process { signal_perms };
ps_process_pattern($1, ccs_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ccs_t:process ptrace;
')
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cluster_conf_t)
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
logging_search_logs($1)
admin_pattern($1, ccs_var_log_t)
files_search_pids($1)
admin_pattern($1, ccs_var_run_t)
files_search_tmp($1)
admin_pattern($1, ccs_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_admin'($*)) dnl
')
## Record audio or data Compact Discs from a master.
########################################
##
## Role access for cdrecord.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`cdrecord_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cdrecord_role'($*)) dnl
gen_require(`
attribute_role cdrecord_roles;
type cdrecord_t, cdrecord_exec_t;
')
roleattribute $1 cdrecord_roles;
domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
allow $2 cdrecord_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 cdrecord_t:process ptrace;
')
ps_process_pattern($2, cdrecord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cdrecord_role'($*)) dnl
')
## Remote certificate distribution framework.
########################################
##
## Execute a domain transition to run certmaster.
##
##
##
## Domain allowed to transition.
##
##
#
define(`certmaster_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmaster_domtrans'($*)) dnl
gen_require(`
type certmaster_t, certmaster_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, certmaster_exec_t, certmaster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmaster_domtrans'($*)) dnl
')
####################################
##
## Execute certmaster in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`certmaster_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmaster_exec'($*)) dnl
gen_require(`
type certmaster_exec_t;
')
can_exec($1, certmaster_exec_t)
corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmaster_exec'($*)) dnl
')
#######################################
##
## read certmaster logs.
##
##
##
## Domain allowed access.
##
##
#
define(`certmaster_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmaster_read_log'($*)) dnl
gen_require(`
type certmaster_var_log_t;
')
read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmaster_read_log'($*)) dnl
')
#######################################
##
## Append certmaster log files.
##
##
##
## Domain allowed access.
##
##
#
define(`certmaster_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmaster_append_log'($*)) dnl
gen_require(`
type certmaster_var_log_t;
')
append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmaster_append_log'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## certmaster log content.
##
##
##
## Domain allowed access.
##
##
#
define(`certmaster_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmaster_manage_log'($*)) dnl
gen_require(`
type certmaster_var_log_t;
')
manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmaster_manage_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an certmaster environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`certmaster_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmaster_admin'($*)) dnl
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
allow $1 certmaster_t:process signal_perms;
ps_process_pattern($1, certmaster_t)
tunable_policy(`deny_ptrace',`',`
allow $1 certmaster_t:process ptrace;
')
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
miscfiles_manage_generic_cert_dirs($1)
miscfiles_manage_generic_cert_files($1)
admin_pattern($1, certmaster_etc_rw_t)
files_list_pids($1)
admin_pattern($1, certmaster_var_run_t)
logging_list_logs($1)
admin_pattern($1, certmaster_var_log_t)
files_list_var_lib($1)
admin_pattern($1, certmaster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmaster_admin'($*)) dnl
')
## Certificate status monitor and PKI enrollment client.
########################################
##
## Execute a domain transition to run certmonger.
##
##
##
## Domain allowed to transition.
##
##
#
define(`certmonger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_domtrans'($*)) dnl
gen_require(`
type certmonger_t, certmonger_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, certmonger_exec_t, certmonger_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## certmonger over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`certmonger_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_dbus_chat'($*)) dnl
gen_require(`
type certmonger_t;
class dbus send_msg;
')
allow $1 certmonger_t:dbus send_msg;
allow certmonger_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_dbus_chat'($*)) dnl
')
########################################
##
## Execute certmonger server in
## the certmonger domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`certmonger_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_initrc_domtrans'($*)) dnl
gen_require(`
type certmonger_initrc_exec_t;
')
init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_initrc_domtrans'($*)) dnl
')
########################################
##
## Read certmonger PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`certmonger_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_read_pid_files'($*)) dnl
gen_require(`
type certmonger_var_run_t;
')
files_search_pids($1)
allow $1 certmonger_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_read_pid_files'($*)) dnl
')
########################################
##
## Search certmonger lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`certmonger_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_search_lib'($*)) dnl
gen_require(`
type certmonger_var_lib_t;
')
allow $1 certmonger_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_search_lib'($*)) dnl
')
########################################
##
## Read certmonger lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`certmonger_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_read_lib_files'($*)) dnl
gen_require(`
type certmonger_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## certmonger lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`certmonger_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_manage_lib_files'($*)) dnl
gen_require(`
type certmonger_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an certmonger environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`certmonger_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certmonger_admin'($*)) dnl
gen_require(`
type certmonger_t, certmonger_initrc_exec_t;
type certmonger_var_lib_t, certmonger_var_run_t;
')
ps_process_pattern($1, certmonger_t)
allow $1 certmonger_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $1 certmonger_t:process ptrace;
')
certmonger_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certmonger_admin'($*)) dnl
')
## Digital Certificate Tracking.
########################################
##
## Domain transition to certwatch.
##
##
##
## Domain allowed to transition.
##
##
#
define(`certwatch_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certwatch_domtrans'($*)) dnl
gen_require(`
type certwatch_exec_t, certwatch_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, certwatch_exec_t, certwatch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certwatch_domtrans'($*)) dnl
')
########################################
##
## Execute certwatch in the certwatch
## domain, and allow the specified role
## the certwatch domain.
## backchannel.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`certwatch_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certwatch_run'($*)) dnl
gen_require(`
attribute_role certwatch_roles;
')
certwatch_domtrans($1)
roleattribute $2 certwatch_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certwatch_run'($*)) dnl
')
########################################
##
## Execute certwatch in the certwatch domain, and
## allow the specified role the certwatch domain,
## and use the caller's terminal. Has a sigchld
## backchannel. (Deprecated)
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
##
## The type of the terminal allow the certwatch domain to use.
##
##
##
#
define(`certwatach_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `certwatach_run'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
certwatch_run($*)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `certwatach_run'($*)) dnl
')
## System administration tool for networks.
#######################################
##
## The template to define a cfengine domain.
##
##
##
## Domain prefix to be used.
##
##
#
define(`cfengine_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_domain_template'($*)) dnl
gen_require(`
attribute cfengine_domain;
')
########################################
#
# Declarations
#
type cfengine_$1_t, cfengine_domain;
type cfengine_$1_exec_t;
init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
########################################
#
# Policy
#
kernel_read_system_state(cfengine_$1_t)
auth_use_nsswitch(cfengine_$1_t)
logging_send_syslog_msg(cfengine_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_domain_template'($*)) dnl
')
######################################
##
## Search cfengine lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cfengine_search_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_search_lib_files'($*)) dnl
gen_require(`
type cfengine_var_lib_t;
')
allow $1 cfengine_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_search_lib_files'($*)) dnl
')
########################################
##
## Read cfengine lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cfengine_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_read_lib_files'($*)) dnl
gen_require(`
type cfengine_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_read_lib_files'($*)) dnl
')
####################################
##
## Do not audit attempts to write
## cfengine log files.
##
##
##
## Domain to not audit.
##
##
#
define(`cfengine_dontaudit_write_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_dontaudit_write_log_files'($*)) dnl
gen_require(`
type cfengine_var_log_t;
')
dontaudit $1 cfengine_var_log_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_dontaudit_write_log_files'($*)) dnl
')
#####################################
##
## Allow the specified domain to append cfengine's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cfengine_append_inherited_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_append_inherited_log'($*)) dnl
gen_require(`
type cfengine_var_log_t;
')
cfengine_search_lib_files($1)
allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_append_inherited_log'($*)) dnl
')
####################################
##
## Dontaudit the specified domain to write cfengine's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cfengine_dontaudit_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_dontaudit_write_log'($*)) dnl
gen_require(`
type cfengine_var_log_t;
')
dontaudit $1 cfengine_var_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_dontaudit_write_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cfengine environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cfengine_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cfengine_admin'($*)) dnl
gen_require(`
attribute cfengine_domain;
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
allow $1 cfengine_domain:process { signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cfengine_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cfengine_admin'($*)) dnl
')
## libcg is a library that abstracts the control group file system in Linux.
########################################
##
## Execute a domain transition to run
## CG Clear.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cgroup_domtrans_cgclear',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgclear'($*)) dnl
gen_require(`
type cgclear_t, cgclear_exec_t;
')
domtrans_pattern($1, cgclear_exec_t, cgclear_t)
corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgclear'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## CG config parser.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cgroup_domtrans_cgconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgconfig'($*)) dnl
gen_require(`
type cgconfig_t, cgconfig_exec_t;
')
domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgconfig'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## CG config parser.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cgroup_initrc_domtrans_cgconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_initrc_domtrans_cgconfig'($*)) dnl
gen_require(`
type cgconfig_initrc_exec_t;
')
init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_initrc_domtrans_cgconfig'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## CG rules engine daemon.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cgroup_domtrans_cgred',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgred'($*)) dnl
gen_require(`
type cgred_t, cgred_exec_t;
')
domtrans_pattern($1, cgred_exec_t, cgred_t)
corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgred'($*)) dnl
')
########################################
##
## Execute a domain transition to run
## CG rules engine daemon.
## domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cgroup_initrc_domtrans_cgred',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_initrc_domtrans_cgred'($*)) dnl
gen_require(`
type cgred_initrc_exec_t;
')
init_labeled_script_domtrans($1, cgred_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_initrc_domtrans_cgred'($*)) dnl
')
########################################
##
## Execute a domain transition to
## run CG Clear and allow the
## specified role the CG Clear
## domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cgroup_run_cgclear',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_run_cgclear'($*)) dnl
gen_require(`
type cgclear_t;
')
cgroup_domtrans_cgclear($1)
role $2 types cgclear_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_run_cgclear'($*)) dnl
')
########################################
##
## Connect to CG rules engine daemon
## over unix stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`cgroup_stream_connect_cgred',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_stream_connect_cgred'($*)) dnl
gen_require(`
type cgred_var_run_t, cgred_t;
')
stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_stream_connect_cgred'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an cgroup environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cgroup_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cgroup_admin'($*)) dnl
gen_require(`
type cgred_t, cgconfig_t, cgred_var_run_t;
type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
type cgrules_etc_t, cgclear_t;
')
allow $1 cgclear_t:process signal_perms;
ps_process_pattern($1, cgclear_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cgclear_t:process ptrace;
')
allow $1 cgconfig_t:process signal_perms;
ps_process_pattern($1, cgconfig_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cgconfig_t:process ptrace;
')
allow $1 cgred_t:process signal_perms;
ps_process_pattern($1, cgred_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cgred_t:process ptrace;
')
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
cgroup_initrc_domtrans_cgconfig($1)
cgroup_initrc_domtrans_cgred($1)
domain_system_change_exemption($1)
role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
allow $2 system_r;
cgroup_run_cgclear($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cgroup_admin'($*)) dnl
')
## policy for chrome
########################################
##
## Execute a domain transition to run chrome_sandbox.
##
##
##
## Domain allowed to transition.
##
##
#
define(`chrome_domtrans_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chrome_domtrans_sandbox'($*)) dnl
gen_require(`
type chrome_sandbox_t, chrome_sandbox_exec_t;
')
domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
ps_process_pattern(chrome_sandbox_t, $1)
allow $1 chrome_sandbox_t:fd use;
dontaudit chrome_sandbox_t $1:socket_class_set getattr;
allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chrome_domtrans_sandbox'($*)) dnl
')
########################################
##
## Execute chrome_sandbox in the chrome_sandbox domain, and
## allow the specified role the chrome_sandbox domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the chrome_sandbox domain.
##
##
#
define(`chrome_run_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chrome_run_sandbox'($*)) dnl
gen_require(`
type chrome_sandbox_t;
type chrome_sandbox_nacl_t;
')
chrome_domtrans_sandbox($1)
role $2 types chrome_sandbox_t;
role $2 types chrome_sandbox_nacl_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chrome_run_sandbox'($*)) dnl
')
########################################
##
## Role access for chrome sandbox
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`chrome_role_notrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chrome_role_notrans'($*)) dnl
gen_require(`
type chrome_sandbox_t;
type chrome_sandbox_tmpfs_t;
type chrome_sandbox_nacl_t;
')
role $1 types chrome_sandbox_t;
role $1 types chrome_sandbox_nacl_t;
ps_process_pattern($2, chrome_sandbox_t)
allow $2 chrome_sandbox_t:process signal_perms;
allow chrome_sandbox_t $2:unix_dgram_socket { read write };
allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
allow $2 chrome_sandbox_t:shm rw_shm_perms;
allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chrome_role_notrans'($*)) dnl
')
########################################
##
## Role access for chrome sandbox
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`chrome_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chrome_role'($*)) dnl
chrome_role_notrans($1, $2)
chrome_domtrans_sandbox($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chrome_role'($*)) dnl
')
########################################
##
## Dontaudit read/write to a chrome_sandbox leaks
##
##
##
## Domain to not audit.
##
##
#
define(`chrome_dontaudit_sandbox_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chrome_dontaudit_sandbox_leaks'($*)) dnl
gen_require(`
type chrome_sandbox_t;
')
dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chrome_dontaudit_sandbox_leaks'($*)) dnl
')
## Chrony NTP background daemon.
#####################################
##
## Execute chronyd in the chronyd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`chronyd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_domtrans'($*)) dnl
gen_require(`
type chronyd_t, chronyd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_domtrans'($*)) dnl
')
########################################
##
## Execute chronyd server in the
## chronyd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`chronyd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_initrc_domtrans'($*)) dnl
gen_require(`
type chronyd_initrc_exec_t;
')
init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_initrc_domtrans'($*)) dnl
')
####################################
##
## Execute chronyd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_exec'($*)) dnl
gen_require(`
type chronyd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, chronyd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_exec'($*)) dnl
')
########################################
##
## Send generic signals to chronyd.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_signal'($*)) dnl
gen_require(`
type chronyd_t;
')
allow $1 chronyd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_signal'($*)) dnl
')
#####################################
##
## Read chronyd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_read_log'($*)) dnl
gen_require(`
type chronyd_var_log_t;
')
logging_search_logs($1)
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_read_log'($*)) dnl
')
########################################
##
## Read and write chronyd shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_rw_shm'($*)) dnl
gen_require(`
type chronyd_t, chronyd_tmpfs_t;
')
allow $1 chronyd_t:shm rw_shm_perms;
allow $1 chronyd_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_rw_shm'($*)) dnl
')
########################################
##
## Read chronyd keys files.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_read_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_read_keys'($*)) dnl
gen_require(`
type chronyd_keys_t;
')
read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_read_keys'($*)) dnl
')
########################################
##
## Append chronyd keys files.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_append_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_append_keys'($*)) dnl
gen_require(`
type chronyd_keys_t;
')
append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_append_keys'($*)) dnl
')
########################################
##
## Execute chronyd server in the chronyd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`chronyd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_systemctl'($*)) dnl
gen_require(`
type chronyd_t;
type chronyd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 chronyd_unit_file_t:file read_file_perms;
allow $1 chronyd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, chronyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_systemctl'($*)) dnl
')
#######################################
##
## Connect to chronyd using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_stream_connect'($*)) dnl
gen_require(`
type chronyd_t, chronyd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_stream_connect'($*)) dnl
')
########################################
##
## Send to chronyd using a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_dgram_send'($*)) dnl
gen_require(`
type chronyd_t, chronyd_var_run_t;
')
files_search_pids($1)
dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_dgram_send'($*)) dnl
')
########################################
##
## Manage pid files used by chronyd
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_manage_pid'($*)) dnl
gen_require(`
type chronyd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_manage_pid'($*)) dnl
')
######################################
##
## Create objects in /var/run
## with chronyd runtime private file type.
##
##
##
## Domain allowed access.
##
##
#
define(`chronyd_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_pid_filetrans'($*)) dnl
gen_require(`
type chronyd_var_run_t;
')
files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_pid_filetrans'($*)) dnl
')
####################################
##
## All of the rules required to
## administrate an chronyd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`chronyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_admin'($*)) dnl
gen_require(`
type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
type chronyd_keys_t, chronyd_unit_file_t;
')
allow $1 chronyd_t:process signal_perms;
ps_process_pattern($1, chronyd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 chronyd_t:process ptrace;
')
init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
admin_pattern($1, chronyd_tmpfs_t)
admin_pattern($1, chronyd_unit_file_t)
chronyd_systemctl($1)
allow $1 chronyd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_admin'($*)) dnl
')
#######################################
##
## Get chronyd service status
##
##
##
## Domain allowed to transition.
##
##
#
define(`chronyd_service_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_service_status'($*)) dnl
gen_require(`
type chronyd_unit_file_t;
')
allow $1 chronyd_unit_file_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_service_status'($*)) dnl
')
########################################
##
## Execute chronyc in the chronyc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`chronyd_domtrans_chronyc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_domtrans_chronyc'($*)) dnl
gen_require(`
type chronyc_t, chronyc_exec_t;
')
domtrans_pattern($1, chronyc_exec_t, chronyc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_domtrans_chronyc'($*)) dnl
')
########################################
##
## Execute chronyc in the chronyc domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`chronyd_run_chronyc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_run_chronyc'($*)) dnl
gen_require(`
type chronyc_t;
attribute_role chronyc_roles;
')
chronyd_domtrans_chronyc($1)
roleattribute $2 chronyc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_run_chronyc'($*)) dnl
')
## openstack-cinder
######################################
##
## Manage cinder lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cinder_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cinder_manage_lib_files'($*)) dnl
gen_require(`
type cinder_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cinder_manage_lib_files'($*)) dnl
')
#######################################
##
## Creates types and rules for a basic
## openstack-cinder systemd daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`cinder_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cinder_domain_template'($*)) dnl
gen_require(`
attribute cinder_domain;
')
type cinder_$1_t, cinder_domain;
type cinder_$1_exec_t;
init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)
type cinder_$1_unit_file_t;
systemd_unit_file(cinder_$1_unit_file_t)
type cinder_$1_tmp_t;
files_tmp_file(cinder_$1_tmp_t)
manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
can_exec(cinder_$1_t, cinder_$1_tmp_t)
kernel_read_system_state(cinder_$1_t)
logging_send_syslog_msg(cinder_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cinder_domain_template'($*)) dnl
')
## Encrypted tunnel daemon.
########################################
##
## All of the rules required to
## administrate an cipe environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cipe_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cipe_admin'($*)) dnl
gen_require(`
type ciped_t, ciped_initrc_exec_t;
')
allow $1 ciped_t:process { ptrace signal_perms };
ps_process_pattern($1, ciped_t)
init_labeled_script_domtrans($1, ciped_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ciped_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cipe_admin'($*)) dnl
')
## ClamAV Virus Scanner
########################################
##
## Execute a domain transition to run clamd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clamav_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_domtrans'($*)) dnl
gen_require(`
type clamd_t, clamd_exec_t;
')
domtrans_pattern($1, clamd_exec_t, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_domtrans'($*)) dnl
')
########################################
##
## Connect to run clamd.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_stream_connect'($*)) dnl
gen_require(`
type clamd_t, clamd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_stream_connect'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## to clamav log files.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_append_log'($*)) dnl
gen_require(`
type clamd_var_log_t;
')
logging_search_logs($1)
allow $1 clamd_var_log_t:dir list_dir_perms;
append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_append_log'($*)) dnl
')
########################################
##
## Read clamav configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_read_config'($*)) dnl
gen_require(`
type clamd_etc_t;
')
files_search_etc($1)
allow $1 clamd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_read_config'($*)) dnl
')
########################################
##
## Search clamav libraries directories.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_search_lib'($*)) dnl
gen_require(`
type clamd_var_lib_t;
')
files_search_var_lib($1)
allow $1 clamd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_search_lib'($*)) dnl
')
########################################
##
## Execute a domain transition to run clamscan.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clamav_domtrans_clamscan',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_domtrans_clamscan'($*)) dnl
gen_require(`
type clamscan_t, clamscan_exec_t;
')
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_domtrans_clamscan'($*)) dnl
')
########################################
##
## Execute clamscan without a transition.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_exec_clamscan',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_exec_clamscan'($*)) dnl
gen_require(`
type clamscan_exec_t;
')
can_exec($1, clamscan_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_exec_clamscan'($*)) dnl
')
########################################
##
## Manage clamd pid content.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_manage_clamd_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_manage_clamd_pid'($*)) dnl
gen_require(`
type clamd_var_run_t;
')
manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_manage_clamd_pid'($*)) dnl
')
#######################################
##
## Read clamd state files.
##
##
##
## Domain allowed access.
##
##
#
define(`clamav_read_state_clamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_read_state_clamd'($*)) dnl
gen_require(`
type clamd_t;
')
kernel_search_proc($1)
ps_process_pattern($1, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_read_state_clamd'($*)) dnl
')
#######################################
##
## Execute clamd server in the clamd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clamd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamd_systemctl'($*)) dnl
gen_require(`
type clamd_t;
type clamd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 clamd_unit_file_t:file read_file_perms;
allow $1 clamd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an clamav environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the clamav domain.
##
##
##
#
define(`clamav_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_admin'($*)) dnl
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
type clamd_unit_file_t;
')
allow $1 clamd_t:process signal_perms;
ps_process_pattern($1, clamd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 clamd_t:process ptrace;
allow $1 clamscan_t:process ptrace;
allow $1 freshclam_t:process ptrace;
')
allow $1 clamscan_t:process signal_perms;
ps_process_pattern($1, clamscan_t)
allow $1 freshclam_t:process signal_perms;
ps_process_pattern($1, freshclam_t)
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
clamd_systemctl($1)
admin_pattern($1, clamd_unit_file_t)
allow $1 clamd_unit_file_t:service all_service_perms;
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
files_list_var_lib($1)
admin_pattern($1, clamd_var_lib_t)
logging_list_logs($1)
admin_pattern($1, clamd_var_log_t)
files_list_pids($1)
admin_pattern($1, clamd_var_run_t)
files_list_tmp($1)
admin_pattern($1, clamd_tmp_t)
admin_pattern($1, clamscan_tmp_t)
admin_pattern($1, freshclam_var_log_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_admin'($*)) dnl
')
## Clock speed measurement and manipulation.
########################################
##
## Execute clockspeed utilities in
## the clockspeed_cli domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clockspeed_domtrans_cli',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clockspeed_domtrans_cli'($*)) dnl
gen_require(`
type clockspeed_cli_t, clockspeed_cli_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clockspeed_domtrans_cli'($*)) dnl
')
########################################
##
## Execute clockspeed utilities in the
## clockspeed cli domain, and allow the
## specified role the clockspeed cli domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`clockspeed_run_cli',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clockspeed_run_cli'($*)) dnl
gen_require(`
attribute_role clockspeed_cli_roles;
')
clockspeed_domtrans_cli($1)
roleattribute $2 clockspeed_cli_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clockspeed_run_cli'($*)) dnl
')
## Clustered Mirror Log Server.
######################################
##
## Execute a domain transition to run clogd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clogd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_domtrans'($*)) dnl
gen_require(`
type clogd_t, clogd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, clogd_exec_t, clogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_domtrans'($*)) dnl
')
#####################################
##
## Connect to clogd over a unix domain
## stream socket. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`clogd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_stream_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_stream_connect'($*)) dnl
')
#####################################
##
## Read and write clogd semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`clogd_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_rw_semaphores'($*)) dnl
gen_require(`
type clogd_t;
')
allow $1 clogd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_rw_semaphores'($*)) dnl
')
########################################
##
## Read and write clogd shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`clogd_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_rw_shm'($*)) dnl
gen_require(`
type clogd_t, clogd_tmpfs_t;
')
allow $1 clogd_t:shm rw_shm_perms;
allow $1 clogd_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_rw_shm'($*)) dnl
')
## cloudform policy
#######################################
##
## Creates types and rules for a basic
## cloudform daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`cloudform_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_domain_template'($*)) dnl
gen_require(`
attribute cloudform_domain;
')
type $1_t, cloudform_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_domain_template'($*)) dnl
')
########################################
##
## Execute a domain transition to run cloud_init.
##
##
##
## Domain allowed access.
##
##
#
define(`cloudform_init_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_init_domtrans'($*)) dnl
gen_require(`
type cloud_init_t, cloud_init_exec_t;
')
domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_init_domtrans'($*)) dnl
')
######################################
##
## Execute mongod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`cloudform_exec_mongod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_exec_mongod'($*)) dnl
gen_require(`
type mongod_exec_t;
')
can_exec($1, mongod_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_exec_mongod'($*)) dnl
')
#######################################
##
## Allow read to cloud lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cloudform_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_read_lib_files'($*)) dnl
gen_require(`
type cloud_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_read_lib_files'($*)) dnl
')
#######################################
##
## Allow read to cloud lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cloudform_read_lib_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_read_lib_lnk_files'($*)) dnl
gen_require(`
type cloud_var_lib_t;
')
files_search_var_lib($1)
read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_read_lib_lnk_files'($*)) dnl
')
######################################
##
## Execute mongod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`cloudform_dontaudit_write_cloud_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_dontaudit_write_cloud_log'($*)) dnl
gen_require(`
type cloud_log_t;
')
dontaudit $1 cloud_log_t:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_dontaudit_write_cloud_log'($*)) dnl
')
## Cluster mirror log daemon.
########################################
##
## Execute a domain transition to
## run cmirrord.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cmirrord_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_domtrans'($*)) dnl
gen_require(`
type cmirrord_t, cmirrord_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_domtrans'($*)) dnl
')
########################################
##
## Execute cmirrord server in the
## cmirrord domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cmirrord_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_initrc_domtrans'($*)) dnl
gen_require(`
type cmirrord_initrc_exec_t;
')
init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_initrc_domtrans'($*)) dnl
')
########################################
##
## Read cmirrord PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`cmirrord_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_read_pid_files'($*)) dnl
gen_require(`
type cmirrord_var_run_t;
')
files_search_pids($1)
allow $1 cmirrord_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_read_pid_files'($*)) dnl
')
#######################################
##
## Read and write cmirrord shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`cmirrord_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_rw_shm'($*)) dnl
gen_require(`
type cmirrord_t, cmirrord_tmpfs_t;
')
allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_rw_shm'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cmirrord environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cmirrord_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_admin'($*)) dnl
gen_require(`
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
allow $1 cmirrord_t:process signal_perms;
ps_process_pattern($1, cmirrord_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cmirrord_t:process ptrace;
')
cmirrord_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, cmirrord_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_admin'($*)) dnl
')
## Cobbler installation server.
########################################
##
## Execute a domain transition to run cobblerd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cobblerd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobblerd_domtrans'($*)) dnl
gen_require(`
type cobblerd_t, cobblerd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobblerd_domtrans'($*)) dnl
')
########################################
##
## Execute cobblerd init scripts in
## the init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cobblerd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobblerd_initrc_domtrans'($*)) dnl
gen_require(`
type cobblerd_initrc_exec_t;
')
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobblerd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read cobbler configuration dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`cobbler_list_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_list_config'($*)) dnl
gen_require(`
type cobbler_etc_t;
')
list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_list_config'($*)) dnl
')
########################################
##
## Read cobbler configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`cobbler_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_read_config'($*)) dnl
gen_require(`
type cobbler_etc_t;
')
read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_read_config'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## cobbler log files.
##
##
##
## Domain to not audit.
##
##
#
define(`cobbler_dontaudit_rw_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_dontaudit_rw_log'($*)) dnl
gen_require(`
type cobbler_var_log_t;
')
dontaudit $1 cobbler_var_log_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_dontaudit_rw_log'($*)) dnl
')
########################################
##
## Search cobbler lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`cobbler_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_search_lib'($*)) dnl
gen_require(`
type cobbler_var_lib_t;
')
files_search_var_lib($1)
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_search_lib'($*)) dnl
')
########################################
##
## Read cobbler lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cobbler_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_read_lib_files'($*)) dnl
gen_require(`
type cobbler_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## cobbler lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cobbler_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_manage_lib_files'($*)) dnl
gen_require(`
type cobbler_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cobbler environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cobblerd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobblerd_admin'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use cobbler_admin() instead.')
cobbler_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobblerd_admin'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cobbler environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cobbler_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_admin'($*)) dnl
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t, cobblerd_initrc_exec_t;
type cobbler_tmp_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
ps_process_pattern($1, cobblerd_t)
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
files_search_tmp($1)
admin_pattern($1, cobbler_tmp_t)
files_search_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_admin'($*)) dnl
')
## policy for cockpit
########################################
##
## Execute TEMPLATE in the cockpit domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cockpit_ws_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_ws_domtrans'($*)) dnl
gen_require(`
type cockpit_ws_t, cockpit_ws_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_ws_domtrans'($*)) dnl
')
########################################
##
## Execute TEMPLATE in the cockpit domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cockpit_session_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_session_domtrans'($*)) dnl
gen_require(`
type cockpit_session_t, cockpit_session_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_session_domtrans'($*)) dnl
')
########################################
##
## Read and write cockpit_session_t unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_rw_pipes'($*)) dnl
gen_require(`
type cockpit_session_t;
')
allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_rw_pipes'($*)) dnl
')
########################################
##
## Create cockpit unix_stream_sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_manage_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_unix_stream_sockets'($*)) dnl
gen_require(`
type cockpit_ws_t;
')
allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_unix_stream_sockets'($*)) dnl
')
########################################
##
## Search cockpit lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_search_lib'($*)) dnl
gen_require(`
type cockpit_var_lib_t;
')
allow $1 cockpit_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_search_lib'($*)) dnl
')
########################################
##
## Read cockpit lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_read_lib_files'($*)) dnl
gen_require(`
type cockpit_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_read_lib_files'($*)) dnl
')
########################################
##
## Manage cockpit lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_lib_files'($*)) dnl
gen_require(`
type cockpit_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_lib_files'($*)) dnl
')
########################################
##
## Manage cockpit lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_lib_dirs'($*)) dnl
gen_require(`
type cockpit_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read cockpit pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_read_pid_files'($*)) dnl
gen_require(`
type cockpit_var_run_t;
')
read_files_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
read_lnk_files_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_read_pid_files'($*)) dnl
')
########################################
##
## Manage cockpit pid dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_pid_dirs'($*)) dnl
gen_require(`
type cockpit_var_run_t;
')
manage_dirs_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_pid_dirs'($*)) dnl
')
########################################
##
## Manage cockpit pid dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`cockpit_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_pid_files'($*)) dnl
gen_require(`
type cockpit_var_run_t;
')
manage_files_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_pid_files'($*)) dnl
')
########################################
##
## Execute cockpit server in the cockpit domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cockpit_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_systemctl'($*)) dnl
gen_require(`
type cockpit_ws_t;
type cockpit_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 cockpit_unit_file_t:file read_file_perms;
allow $1 cockpit_unit_file_t:service manage_service_perms;
ps_process_pattern($1, cockpit_ws_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an cockpit environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`cockpit_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_admin'($*)) dnl
gen_require(`
type cockpit_ws_t;
type cockpit_session_t;
type cockpit_var_lib_t;
type cockpit_var_run_t;
type cockpit_unit_file_t;
')
allow $1 cockpit_ws_t:process { signal_perms };
ps_process_pattern($1, cockpit_ws_t)
allow $1 cockpit_session_t:process { signal_perms };
ps_process_pattern($1, cockpit_session_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cockpit_ws_t:process ptrace;
allow $1 cockpit_session_t:process ptrace;
')
files_search_var_lib($1)
admin_pattern($1, cockpit_var_lib_t)
files_search_pids($1)
admin_pattern($1, cockpit_var_run_t)
cockpit_systemctl($1)
admin_pattern($1, cockpit_unit_file_t)
allow $1 cockpit_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_admin'($*)) dnl
')
## Statistics collection daemon for filling RRD files.
########################################
##
## Transition to collectd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`collectd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_domtrans'($*)) dnl
gen_require(`
type collectd_t, collectd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, collectd_exec_t, collectd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_domtrans'($*)) dnl
')
########################################
##
## Execute collectd server in the collectd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`collectd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_initrc_domtrans'($*)) dnl
gen_require(`
type collectd_initrc_exec_t;
')
init_labeled_script_domtrans($1, collectd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_initrc_domtrans'($*)) dnl
')
########################################
##
## Search collectd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`collectd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_search_lib'($*)) dnl
gen_require(`
type collectd_var_lib_t;
')
allow $1 collectd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_search_lib'($*)) dnl
')
########################################
##
## Read collectd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`collectd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_read_lib_files'($*)) dnl
gen_require(`
type collectd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_read_lib_files'($*)) dnl
')
########################################
##
## Manage collectd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`collectd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_manage_lib_files'($*)) dnl
gen_require(`
type collectd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage collectd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`collectd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_manage_lib_dirs'($*)) dnl
gen_require(`
type collectd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Manage collectd httpd rw content.
##
##
##
## Domain allowed access.
##
##
#
define(`collectd_manage_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_manage_rw_content'($*)) dnl
gen_require(`
type collectd_rw_content_t;
')
manage_dirs_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
manage_files_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
manage_lnk_files_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_manage_rw_content'($*)) dnl
')
########################################
##
## Execute collectd server in the collectd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`collectd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_systemctl'($*)) dnl
gen_require(`
type collectd_t;
type collectd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 collectd_unit_file_t:file read_file_perms;
allow $1 collectd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, collectd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an collectd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`collectd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_admin'($*)) dnl
gen_require(`
type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
type collectd_var_lib_t, collectd_unit_file_t;
')
allow $1 collectd_t:process signal_perms;
ps_process_pattern($1, collectd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 collectd_t:process ptrace;
')
collectd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 collectd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, collectd_var_run_t)
files_search_var_lib($1)
admin_pattern($1, collectd_var_lib_t)
collectd_systemctl($1)
admin_pattern($1, collectd_unit_file_t)
allow $1 collectd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_admin'($*)) dnl
')
## GNOME color manager
########################################
##
## Execute a domain transition to run colord.
##
##
##
## Domain allowed access.
##
##
#
define(`colord_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_domtrans'($*)) dnl
gen_require(`
type colord_t, colord_exec_t;
')
domtrans_pattern($1, colord_exec_t, colord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## colord over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`colord_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_dbus_chat'($*)) dnl
gen_require(`
type colord_t;
class dbus send_msg;
')
allow $1 colord_t:dbus send_msg;
allow colord_t $1:dbus send_msg;
ps_process_pattern(colord_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_dbus_chat'($*)) dnl
')
######################################
##
## Read colord lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`colord_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_read_lib_files'($*)) dnl
gen_require(`
type colord_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_read_lib_files'($*)) dnl
')
########################################
##
## Execute colord server in the colord domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`colord_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_systemctl'($*)) dnl
gen_require(`
type colord_t;
type colord_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 colord_unit_file_t:file read_file_perms;
allow $1 colord_unit_file_t:service manage_service_perms;
ps_process_pattern($1, colord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_systemctl'($*)) dnl
')
## Comsat, a biff server.
## policy for condor
#####################################
##
## Creates types and rules for a basic
## condor init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`condor_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_domain_template'($*)) dnl
gen_require(`
type condor_master_t;
attribute condor_domain;
')
#############################
#
# Declarations
#
type condor_$1_t, condor_domain;
type condor_$1_exec_t;
init_daemon_domain(condor_$1_t, condor_$1_exec_t)
role system_r types condor_$1_t;
domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
allow condor_master_t condor_$1_exec_t:file ioctl;
kernel_read_system_state(condor_$1_t)
corenet_all_recvfrom_netlabel(condor_$1_t)
corenet_all_recvfrom_unlabeled(condor_$1_t)
auth_use_nsswitch(condor_$1_t)
logging_send_syslog_msg(condor_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_domain_template'($*)) dnl
')
########################################
##
## Transition to condor.
##
##
##
## Domain allowed to transition.
##
##
#
define(`condor_domtrans_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_domtrans_master'($*)) dnl
gen_require(`
type condor_master_t, condor_master_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, condor_master_exec_t, condor_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_domtrans_master'($*)) dnl
')
#######################################
##
## Allows to start userland processes
## by transitioning to the specified domain,
## with a range transition.
##
##
##
## The process type entered by condor_startd.
##
##
##
##
## The executable type for the entrypoint.
##
##
##
##
## Range for the domain.
##
##
#
define(`condor_startd_ranged_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_startd_ranged_domtrans_to'($*)) dnl
gen_require(`
type sshd_t;
')
condor_startd_domtrans_to($1, $2)
ifdef(`enable_mcs',`
range_transition condor_startd_t $2:process $3;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_startd_ranged_domtrans_to'($*)) dnl
')
#######################################
##
## Allows to start userlandprocesses
## by transitioning to the specified domain.
##
##
##
## The process type entered by condor_startd.
##
##
##
##
## The executable type for the entrypoint.
##
##
#
define(`condor_startd_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_startd_domtrans_to'($*)) dnl
gen_require(`
type condor_startd_t;
')
domtrans_pattern(condor_startd_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_startd_domtrans_to'($*)) dnl
')
########################################
##
## Read condor's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`condor_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_read_log'($*)) dnl
gen_require(`
type condor_log_t;
')
logging_search_logs($1)
read_files_pattern($1, condor_log_t, condor_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_read_log'($*)) dnl
')
########################################
##
## Append to condor log files.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_append_log'($*)) dnl
gen_require(`
type condor_log_t;
')
logging_search_logs($1)
append_files_pattern($1, condor_log_t, condor_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_append_log'($*)) dnl
')
########################################
##
## Manage condor log files
##
##
##
## Domain allowed access.
##
##
#
define(`condor_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_manage_log'($*)) dnl
gen_require(`
type condor_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, condor_log_t, condor_log_t)
manage_files_pattern($1, condor_log_t, condor_log_t)
manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_manage_log'($*)) dnl
')
########################################
##
## Search condor lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_search_lib'($*)) dnl
gen_require(`
type condor_var_lib_t;
')
allow $1 condor_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_search_lib'($*)) dnl
')
########################################
##
## Read condor lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_read_lib_files'($*)) dnl
gen_require(`
type condor_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_read_lib_files'($*)) dnl
')
######################################
##
## Read and write condor lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_rw_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_rw_lib_files'($*)) dnl
gen_require(`
type condor_var_lib_t;
')
files_search_var_lib($1)
rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_rw_lib_files'($*)) dnl
')
########################################
##
## Manage condor lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_manage_lib_files'($*)) dnl
gen_require(`
type condor_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_manage_lib_files'($*)) dnl
')
########################################
##
## Manage condor lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_manage_lib_dirs'($*)) dnl
gen_require(`
type condor_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read condor PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_read_pid_files'($*)) dnl
gen_require(`
type condor_var_run_t;
')
files_search_pids($1)
allow $1 condor_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_read_pid_files'($*)) dnl
')
########################################
##
## Execute condor server in the condor domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`condor_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_systemctl'($*)) dnl
gen_require(`
attribute condor_domain;
type condor_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 condor_unit_file_t:file read_file_perms;
allow $1 condor_unit_file_t:service manage_service_perms;
ps_process_pattern($1, condor_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_systemctl'($*)) dnl
')
#######################################
##
## Read and write condor_startd server TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_rw_tcp_sockets_startd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_rw_tcp_sockets_startd'($*)) dnl
gen_require(`
type condor_startd_t;
')
allow $1 condor_startd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_rw_tcp_sockets_startd'($*)) dnl
')
######################################
##
## Read and write condor_schedd server TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`condor_rw_tcp_sockets_schedd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_rw_tcp_sockets_schedd'($*)) dnl
gen_require(`
type condor_schedd_t;
')
allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_rw_tcp_sockets_schedd'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an condor environment
##
##
##
## Domain allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`condor_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_admin'($*)) dnl
gen_require(`
attribute condor_domain;
type condor_initrc_exec_t, condor_log_t, condor_conf_t;
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
type condor_var_run_t, condor_startd_tmp_t;
type condor_unit_file_t;
')
allow $1 condor_domain:process { signal_perms };
ps_process_pattern($1, condor_domain)
init_labeled_script_domtrans($1, condor_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 condor_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, condor_conf_t)
logging_search_logs($1)
admin_pattern($1, condor_log_t)
files_search_locks($1)
admin_pattern($1, condor_var_lock_t)
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
files_search_pids($1)
admin_pattern($1, condor_var_run_t)
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
condor_systemctl($1)
admin_pattern($1, condor_unit_file_t)
allow $1 condor_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_admin'($*)) dnl
')
## Conman is a program for connecting to remote consoles being managed by conmand
########################################
##
## Execute conman in the conman domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`conman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_domtrans'($*)) dnl
gen_require(`
type conman_t, conman_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, conman_exec_t, conman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_domtrans'($*)) dnl
')
########################################
##
## Read conman's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`conman_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_read_log'($*)) dnl
gen_require(`
type conman_log_t;
')
logging_search_logs($1)
read_files_pattern($1, conman_log_t, conman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_read_log'($*)) dnl
')
########################################
##
## Append to conman log files.
##
##
##
## Domain allowed access.
##
##
#
define(`conman_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_append_log'($*)) dnl
gen_require(`
type conman_log_t;
')
logging_search_logs($1)
append_files_pattern($1, conman_log_t, conman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_append_log'($*)) dnl
')
########################################
##
## Manage conman log files
##
##
##
## Domain allowed access.
##
##
#
define(`conman_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_manage_log'($*)) dnl
gen_require(`
type conman_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, conman_log_t, conman_log_t)
manage_files_pattern($1, conman_log_t, conman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_manage_log'($*)) dnl
')
########################################
##
## Execute conman server in the conman domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`conman_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_systemctl'($*)) dnl
gen_require(`
type conman_t;
type conman_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 conman_unit_file_t:file read_file_perms;
allow $1 conman_unit_file_t:service manage_service_perms;
ps_process_pattern($1, conman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an conman environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`conman_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_admin'($*)) dnl
gen_require(`
type conman_t;
type conman_log_t;
type conman_unit_file_t;
')
allow $1 conman_t:process { signal_perms };
ps_process_pattern($1, conman_t)
tunable_policy(`deny_ptrace',`',`
allow $1 conman_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, conman_log_t)
conman_systemctl($1)
admin_pattern($1, conman_unit_file_t)
allow $1 conman_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_admin'($*)) dnl
')
## Conntrackd connection tracking service
########################################
##
## Read the configuration files for conntrackd.
##
##
##
## Domain allowed access.
##
##
##
#
define(`conntrackd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_read_config'($*)) dnl
gen_require(`
type conntrackd_conf_t;
')
files_search_etc($1)
allow $1 conntrackd_conf_t:dir list_dir_perms;
read_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
read_lnk_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_read_config'($*)) dnl
')
########################################
##
## Connect to conntrackd over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`conntrackd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_stream_connect'($*)) dnl
gen_require(`
type conntrackd_t, conntrackd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, conntrackd_var_run_t, conntrackd_var_run_t, conntrackd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_stream_connect'($*)) dnl
')
#######################################
##
## Execute conntrackd services in the conntrackd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`conntrackd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_systemctl'($*)) dnl
gen_require(`
type conntrackd_t;
type conntrackd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 conntrackd_unit_file_t:file read_file_perms;
allow $1 conntrackd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, conntrackd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an conntrackd environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the conntrackd domain.
##
##
##
#
define(`conntrackd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_admin'($*)) dnl
gen_require(`
type conntrackd_t, conntrackd_tmp_t, conntrackd_log_t;
type conntrackd_conf_t, conntrackd_var_run_t, conntrackd_initrc_exec_t;
')
allow $1 conntrackd_t:process signal_perms;
ps_process_pattern($1, conntrackd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 conntrackd_t:process ptrace;
')
init_labeled_script_domtrans($1, conntrackd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 conntrackd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, conntrackd_conf_t)
logging_list_logs($1)
admin_pattern($1, conntrackd_log_t)
files_list_tmp($1)
admin_pattern($1, conntrackd_tmp_t)
files_list_pids($1)
admin_pattern($1, conntrackd_var_run_t)
conntrackd_systemctl($1)
admin_pattern($1, conntrackd_unit_file_t)
allow $1 conntrackd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_admin'($*)) dnl
')
## Framework for facilitating multiple user sessions on desktops.
########################################
##
## Execute a domain transition to run consolekit.
##
##
##
## Domain allowed to transition.
##
##
#
define(`consolekit_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_domtrans'($*)) dnl
gen_require(`
type consolekit_t, consolekit_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, consolekit_exec_t, consolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_domtrans'($*)) dnl
')
########################################
##
## dontaudit Send and receive messages from
## consolekit over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`consolekit_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type consolekit_t;
class dbus send_msg;
')
dontaudit $1 consolekit_t:dbus send_msg;
dontaudit consolekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## consolekit over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`consolekit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_dbus_chat'($*)) dnl
gen_require(`
type consolekit_t;
class dbus send_msg;
')
allow $1 consolekit_t:dbus send_msg;
allow consolekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_dbus_chat'($*)) dnl
')
########################################
##
## Dontaudit attempts to read consolekit log files.
##
##
##
## Domain to not audit.
##
##
#
define(`consolekit_dontaudit_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_dontaudit_read_log'($*)) dnl
gen_require(`
type consolekit_log_t;
')
dontaudit $1 consolekit_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_dontaudit_read_log'($*)) dnl
')
########################################
##
## Read consolekit log files.
##
##
##
## Domain allowed access.
##
##
#
define(`consolekit_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_read_log'($*)) dnl
gen_require(`
type consolekit_log_t;
')
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_read_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## consolekit log files.
##
##
##
## Domain allowed access.
##
##
#
define(`consolekit_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_manage_log'($*)) dnl
gen_require(`
type consolekit_log_t;
')
manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_manage_log'($*)) dnl
')
########################################
##
## Read consolekit PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`consolekit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_read_pid_files'($*)) dnl
gen_require(`
type consolekit_var_run_t;
')
files_search_pids($1)
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_read_pid_files'($*)) dnl
')
########################################
##
## List consolekit PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`consolekit_list_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_list_pid_files'($*)) dnl
gen_require(`
type consolekit_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_list_pid_files'($*)) dnl
')
########################################
##
## Allow the domain to read consolekit state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`consolekit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_read_state'($*)) dnl
gen_require(`
type consolekit_t;
')
kernel_search_proc($1)
ps_process_pattern($1, consolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_read_state'($*)) dnl
')
########################################
##
## Execute consolekit server in the consolekit domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`consolekit_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_systemctl'($*)) dnl
gen_require(`
type consolekit_t;
type consolekit_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 consolekit_unit_file_t:file read_file_perms;
allow $1 consolekit_unit_file_t:service manage_service_perms;
ps_process_pattern($1, consolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_systemctl'($*)) dnl
')
## The open-source application container engine.
########################################
##
## Execute container in the container domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`container_runtime_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_domtrans'($*)) dnl
gen_require(`
type container_runtime_t, container_runtime_exec_t;
type container_runtime_tmpfs_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
allow container_runtime_t $1:fifo_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_domtrans'($*)) dnl
')
########################################
##
## Execute container runtime in the container runtime domain
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`container_runtime_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_run'($*)) dnl
gen_require(`
type container_runtime_t;
')
container_runtime_domtrans($1)
role $2 types container_runtime_t;
allow $1 container_runtime_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_run'($*)) dnl
')
########################################
##
## Execute container in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`container_runtime_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_exec'($*)) dnl
gen_require(`
type container_runtime_exec_t;
')
corecmd_search_bin($1)
can_exec($1, container_runtime_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_exec'($*)) dnl
')
########################################
##
## Read the process state of container runtime
##
##
##
## Domain allowed access.
##
##
#
define(`container_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_read_state'($*)) dnl
gen_require(`
type container_runtime_t;
')
ps_process_pattern($1, container_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_read_state'($*)) dnl
')
########################################
##
## Search container lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`container_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_search_lib'($*)) dnl
gen_require(`
type container_var_lib_t;
')
allow $1 container_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_search_lib'($*)) dnl
')
########################################
##
## Execute container lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`container_exec_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_exec_lib'($*)) dnl
gen_require(`
type container_var_lib_t;
')
allow $1 container_var_lib_t:dir search_dir_perms;
can_exec($1, container_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_exec_lib'($*)) dnl
')
########################################
##
## Read container lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_read_lib_files'($*)) dnl
gen_require(`
type container_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, container_var_lib_t, container_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_read_lib_files'($*)) dnl
')
########################################
##
## Read container share files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_read_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_read_share_files'($*)) dnl
gen_require(`
type container_ro_file_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
read_files_pattern($1, container_ro_file_t, container_ro_file_t)
read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_read_share_files'($*)) dnl
')
########################################
##
## Read container runtime tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_runtime_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_read_tmpfs_files'($*)) dnl
gen_require(`
type container_runtime_tmpfs_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
read_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
read_lnk_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_read_tmpfs_files'($*)) dnl
')
########################################
##
## Manage container share files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_share_files'($*)) dnl
gen_require(`
type container_ro_file_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
manage_files_pattern($1, container_ro_file_t, container_ro_file_t)
manage_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_share_files'($*)) dnl
')
########################################
##
## Manage container share dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_share_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_share_dirs'($*)) dnl
gen_require(`
type container_ro_file_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_share_dirs'($*)) dnl
')
######################################
##
## Allow the specified domain to execute container shared files
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`container_exec_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_exec_share_files'($*)) dnl
gen_require(`
type container_ro_file_t;
')
can_exec($1, container_ro_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_exec_share_files'($*)) dnl
')
########################################
##
## Manage container config files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_config_files'($*)) dnl
gen_require(`
type container_config_t;
type kubernetes_file_t;
')
files_search_var_lib($1)
manage_files_pattern($1, container_config_t, container_config_t)
manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_config_files'($*)) dnl
')
########################################
##
## Manage container lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_lib_files'($*)) dnl
gen_require(`
type container_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_lib_files'($*)) dnl
')
########################################
##
## Manage container files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_files'($*)) dnl
gen_require(`
type container_files_t;
')
manage_files_pattern($1, container_files_t, container_files_t)
manage_lnk_files_pattern($1, container_files_t, container_files_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_files'($*)) dnl
')
########################################
##
## Manage container directories.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_dirs'($*)) dnl
gen_require(`
type container_files_t;
')
manage_dirs_pattern($1, container_files_t, container_files_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_dirs'($*)) dnl
')
########################################
##
## Manage container lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`container_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_manage_lib_dirs'($*)) dnl
gen_require(`
type container_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_manage_lib_dirs'($*)) dnl
')
########################################
##
## Create objects in a container var lib directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`container_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_lib_filetrans'($*)) dnl
gen_require(`
type container_var_lib_t;
')
filetrans_pattern($1, container_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_lib_filetrans'($*)) dnl
')
########################################
##
## Read container PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_read_pid_files'($*)) dnl
gen_require(`
type container_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, container_var_run_t, container_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_read_pid_files'($*)) dnl
')
########################################
##
## Execute container server in the container domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`container_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_systemctl'($*)) dnl
gen_require(`
type container_runtime_t;
type container_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 container_unit_file_t:file read_file_perms;
allow $1 container_unit_file_t:service manage_service_perms;
ps_process_pattern($1, container_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_systemctl'($*)) dnl
')
########################################
##
## Read and write container shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`container_rw_sem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_rw_sem'($*)) dnl
gen_require(`
type container_runtime_t;
')
allow $1 container_runtime_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_rw_sem'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## to container files.
##
##
##
## Domain allowed access.
##
##
#
define(`container_append_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_append_file'($*)) dnl
gen_require(`
type container_file_t;
')
append_files_pattern($1, container_file_t, container_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_append_file'($*)) dnl
')
#######################################
##
## Read and write the container pty type.
##
##
##
## Domain allowed access.
##
##
#
define(`container_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_use_ptys'($*)) dnl
gen_require(`
type container_devpts_t;
')
allow $1 container_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_use_ptys'($*)) dnl
')
#######################################
##
## Allow domain to create container content
##
##
##
## Domain allowed access.
##
##
#
define(`container_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_filetrans_named_content'($*)) dnl
gen_require(`
type container_var_lib_t;
type container_file_t;
type container_ro_file_t;
type container_log_t;
type container_var_run_t;
type container_home_t;
type kubernetes_file_t;
type container_runtime_tmpfs_t;
type container_kvm_var_run_t;
type data_home_t;
')
files_pid_filetrans($1, container_var_run_t, file, "container.pid")
files_pid_filetrans($1, container_var_run_t, file, "docker.pid")
files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock")
files_pid_filetrans($1, container_var_run_t, dir, "container-client")
files_pid_filetrans($1, container_var_run_t, dir, "docker")
files_pid_filetrans($1, container_var_run_t, dir, "containerd")
files_pid_filetrans($1, container_var_run_t, dir, "ocid")
files_pid_filetrans($1, container_var_run_t, dir, "containers")
files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
logging_log_filetrans($1, container_log_t, dir, "lxc")
files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
files_var_lib_filetrans($1, container_file_t, dir, "origin")
files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid")
files_var_lib_filetrans($1, container_var_lib_t, dir, "docker")
files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest")
files_var_filetrans($1, container_ro_file_t, dir, "kata-containers")
files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hosts")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hostname")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "resolv.conf")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "sandboxes")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "snapshots")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_filetrans_named_content'($*)) dnl
')
########################################
##
## Connect to container over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`container_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_stream_connect'($*)) dnl
gen_require(`
type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t;
')
files_search_pids($1)
stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t)
allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_stream_connect'($*)) dnl
')
########################################
##
## Connect to SPC containers over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`container_spc_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_spc_stream_connect'($*)) dnl
gen_require(`
type spc_t, spc_var_run_t;
')
files_search_pids($1)
allow $1 spc_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_spc_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an container environment
##
##
##
## Domain allowed access.
##
##
#
define(`container_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_admin'($*)) dnl
gen_require(`
type container_runtime_t;
type container_var_lib_t, container_var_run_t;
type container_unit_file_t;
type container_lock_t;
type container_log_t;
type container_config_t;
type container_file_t;
')
allow $1 container_runtime_t:process { ptrace signal_perms };
ps_process_pattern($1, container_runtime_t)
admin_pattern($1, container_config_t)
files_search_var_lib($1)
admin_pattern($1, container_var_lib_t)
files_search_pids($1)
admin_pattern($1, container_var_run_t)
files_search_locks($1)
admin_pattern($1, container_lock_t)
logging_search_logs($1)
admin_pattern($1, container_log_t)
container_systemctl($1)
admin_pattern($1, container_unit_file_t)
allow $1 container_unit_file_t:service all_service_perms;
admin_pattern($1, container_file_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_admin'($*)) dnl
')
########################################
##
## Execute container_auth_exec_t in the container_auth domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`container_auth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_auth_domtrans'($*)) dnl
gen_require(`
type container_auth_t, container_auth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, container_auth_exec_t, container_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_auth_domtrans'($*)) dnl
')
######################################
##
## Execute container_auth in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`container_auth_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_auth_exec'($*)) dnl
gen_require(`
type container_auth_exec_t;
')
corecmd_search_bin($1)
can_exec($1, container_auth_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_auth_exec'($*)) dnl
')
########################################
##
## Connect to container_auth over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`container_auth_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_auth_stream_connect'($*)) dnl
gen_require(`
type container_auth_t, container_plugin_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_auth_stream_connect'($*)) dnl
')
########################################
##
## container domain typebounds calling domain.
##
##
##
## Domain to be typebound.
##
##
#
define(`container_runtime_typebounds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_typebounds'($*)) dnl
gen_require(`
type container_runtime_t;
')
allow container_runtime_t $1:process2 nnp_transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_typebounds'($*)) dnl
')
########################################
##
## Allow any container_runtime_exec_t to be an entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`container_runtime_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_entrypoint'($*)) dnl
gen_require(`
type container_runtime_exec_t;
')
allow $1 container_runtime_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_entrypoint'($*)) dnl
')
define(`docker_exec_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_exec_lib'($*)) dnl
container_exec_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_exec_lib'($*)) dnl
')
define(`docker_read_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_read_share_files'($*)) dnl
container_read_share_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_read_share_files'($*)) dnl
')
define(`docker_exec_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_exec_share_files'($*)) dnl
container_exec_share_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_exec_share_files'($*)) dnl
')
define(`docker_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_manage_lib_files'($*)) dnl
container_manage_lib_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_manage_lib_files'($*)) dnl
')
define(`docker_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_manage_lib_dirs'($*)) dnl
container_manage_lib_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_manage_lib_dirs'($*)) dnl
')
define(`docker_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_lib_filetrans'($*)) dnl
container_lib_filetrans($1, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_lib_filetrans'($*)) dnl
')
define(`docker_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_read_pid_files'($*)) dnl
container_read_pid_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_read_pid_files'($*)) dnl
')
define(`docker_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_systemctl'($*)) dnl
container_systemctl($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_systemctl'($*)) dnl
')
define(`docker_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_use_ptys'($*)) dnl
container_use_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_use_ptys'($*)) dnl
')
define(`docker_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_stream_connect'($*)) dnl
container_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_stream_connect'($*)) dnl
')
define(`docker_spc_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `docker_spc_stream_connect'($*)) dnl
container_spc_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `docker_spc_stream_connect'($*)) dnl
')
########################################
##
## Read the process state of spc containers
##
##
##
## Domain allowed access.
##
##
#
define(`container_spc_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_spc_read_state'($*)) dnl
gen_require(`
type spc_t;
')
ps_process_pattern($1, spc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_spc_read_state'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## container runtime process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`container_runtime_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_domain_template'($*)) dnl
gen_require(`
attribute container_runtime_domain;
type container_runtime_t;
type container_var_lib_t;
type container_ro_file_t;
role system_r, sysadm_r;
')
type $1_t, container_runtime_domain;
role system_r types $1_t;
role sysadm_r types $1_t;
domain_type($1_t)
domain_subj_id_change_exemption($1_t)
domain_role_change_exemption($1_t)
kernel_read_system_state($1_t)
kernel_read_all_proc($1_t)
mls_file_read_to_clearance($1_t)
mls_file_write_to_clearance($1_t)
storage_raw_rw_fixed_disk($1_t)
auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_runtime_domain_template'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## container process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`container_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_domain_template'($*)) dnl
gen_require(`
attribute container_domain;
type container_runtime_t;
type container_var_lib_t;
type container_ro_file_t;
')
type $1_t, container_domain;
domain_type($1_t)
domain_user_exemption_target($1_t)
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
role system_r types $1_t;
kernel_read_all_proc($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_domain_template'($*)) dnl
')
########################################
##
## Read and write a spc_t unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`container_spc_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `container_spc_rw_pipes'($*)) dnl
gen_require(`
type spc_t;
')
allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `container_spc_rw_pipes'($*)) dnl
')
## Corosync Cluster Engine.
########################################
##
## Execute a domain transition to run corosync.
##
##
##
## Domain allowed to transition.
##
##
#
define(`corosync_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_domtrans'($*)) dnl
gen_require(`
type corosync_t, corosync_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, corosync_exec_t, corosync_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_domtrans'($*)) dnl
')
########################################
##
## Execute corosync init scripts in
## the init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`corosync_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_initrc_domtrans'($*)) dnl
gen_require(`
type corosync_initrc_exec_t;
')
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_initrc_domtrans'($*)) dnl
')
######################################
##
## Execute corosync in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corosync_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_exec'($*)) dnl
gen_require(`
type corosync_exec_t;
')
corecmd_search_bin($1)
can_exec($1, corosync_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_exec'($*)) dnl
')
#######################################
##
## Read corosync log files.
##
##
##
## Domain allowed access.
##
##
#
define(`corosync_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_read_log'($*)) dnl
gen_require(`
type corosync_var_log_t;
')
logging_search_logs($1)
list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_read_log'($*)) dnl
')
#######################################
##
## Setattr corosync log files.
##
##
##
## Domain allowed access.
##
##
#
define(`corosync_setattr_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_setattr_log'($*)) dnl
gen_require(`
type corosync_var_log_t;
')
setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_setattr_log'($*)) dnl
')
#####################################
##
## Connect to corosync over a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`corosync_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_stream_connect'($*)) dnl
gen_require(`
type corosync_t, corosync_var_run_t;
type corosync_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_stream_connect'($*)) dnl
')
######################################
##
## Allow the specified domain to read/write corosync's tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`corosync_rw_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_rw_tmpfs'($*)) dnl
gen_require(`
type corosync_tmpfs_t;
')
rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_rw_tmpfs'($*)) dnl
')
########################################
##
## Execute corosync server in the corosync domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`corosync_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_systemctl'($*)) dnl
gen_require(`
type corosync_t;
type corosync_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 corosync_unit_file_t:file read_file_perms;
allow $1 corosync_unit_file_t:service manage_service_perms;
ps_process_pattern($1, corosync_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_systemctl'($*)) dnl
')
######################################
##
## All of the rules required to
## administrate an corosync environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`corosyncd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosyncd_admin'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corosync_admin() instead.')
corosync_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosyncd_admin'($*)) dnl
')
######################################
##
## All of the rules required to
## administrate an corosync environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`corosync_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corosync_admin'($*)) dnl
gen_require(`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
type corosync_unit_file_t;
')
allow $1 corosync_t:process signal_perms;
ps_process_pattern($1, corosync_t)
tunable_policy(`deny_ptrace',`',`
allow $1 corosync_t:process ptrace;
')
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
admin_pattern($1, corosync_tmpfs_t)
files_list_var_lib($1)
admin_pattern($1, corosync_var_lib_t)
logging_list_logs($1)
admin_pattern($1, corosync_var_log_t)
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
corosync_systemctl($1)
admin_pattern($1, corosync_unit_file_t)
allow $1 corosync_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corosync_admin'($*)) dnl
')
## Document database server.
########################################
##
## Allow to read couchdb log files.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_read_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_read_log_files'($*)) dnl
gen_require(`
type couchdb_log_t;
')
files_search_var_lib($1)
read_files_pattern($1, couchdb_log_t, couchdb_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_read_log_files'($*)) dnl
')
########################################
##
## Allow to read couchdb lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_read_lib_files'($*)) dnl
gen_require(`
type couchdb_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_read_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an couchdb environment.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_manage_lib_files'($*)) dnl
gen_require(`
type couchdb_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_manage_lib_files'($*)) dnl
')
########################################
##
## Manage couchdb lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_manage_lib_dirs'($*)) dnl
gen_require(`
type couchdb_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_manage_lib_dirs'($*)) dnl
')
########################################
##
## Allow to read couchdb conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_read_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_read_conf_files'($*)) dnl
gen_require(`
type couchdb_conf_t;
')
files_search_var_lib($1)
read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_read_conf_files'($*)) dnl
')
########################################
##
## Read couchdb PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_read_pid_files'($*)) dnl
gen_require(`
type couchdb_var_run_t;
')
files_search_pids($1)
allow $1 couchdb_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_read_pid_files'($*)) dnl
')
#######################################
##
## Search couchdb PID dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_search_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_search_pid_dirs'($*)) dnl
gen_require(`
type couchdb_var_run_t;
')
files_search_pids($1)
allow $1 couchdb_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_search_pid_dirs'($*)) dnl
')
#######################################
##
## Allow domain to manage couchdb content.
##
##
##
## Domain allowed access.
##
##
#
define(`couchdb_manage_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_manage_files'($*)) dnl
gen_require(`
type couchdb_var_run_t;
type couchdb_log_t;
type couchdb_var_lib_t;
type couchdb_conf_t;
')
manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_manage_files'($*)) dnl
')
########################################
##
## Execute couchdb server in the couchdb domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`couchdb_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_systemctl'($*)) dnl
gen_require(`
type couchdb_t;
type couchdb_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 couchdb_unit_file_t:file read_file_perms;
allow $1 couchdb_unit_file_t:service manage_service_perms;
ps_process_pattern($1, couchdb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an couchdb environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`couchdb_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `couchdb_admin'($*)) dnl
gen_require(`
type couchdb_unit_file_t;
type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
type couchdb_tmp_t;
')
allow $1 couchdb_t:process { signal_perms };
ps_process_pattern($1, couchdb_t)
tunable_policy(`deny_ptrace',`',`
allow $1 couchdb_t:process ptrace;
')
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, couchdb_conf_t)
logging_search_logs($1)
admin_pattern($1, couchdb_log_t)
files_search_tmp($1)
admin_pattern($1, couchdb_tmp_t)
files_search_var_lib($1)
admin_pattern($1, couchdb_var_lib_t)
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
admin_pattern($1, couchdb_unit_file_t)
couchdb_systemctl($1)
allow $1 couchdb_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `couchdb_admin'($*)) dnl
')
## Courier IMAP and POP3 email servers
########################################
##
## Template for creating courier server processes.
##
##
##
## Prefix name of the server process.
##
##
#
define(`courier_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_domain_template'($*)) dnl
gen_require(`
attribute courier_domain;
')
##############################
#
# Declarations
#
type courier_$1_t, courier_domain;
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
##############################
#
# Declarations
#
can_exec(courier_$1_t, courier_$1_exec_t)
kernel_read_system_state(courier_$1_t)
corenet_all_recvfrom_netlabel(courier_$1_t)
corenet_tcp_sendrecv_generic_if(courier_$1_t)
corenet_udp_sendrecv_generic_if(courier_$1_t)
corenet_tcp_sendrecv_generic_node(courier_$1_t)
corenet_udp_sendrecv_generic_node(courier_$1_t)
corenet_tcp_sendrecv_all_ports(courier_$1_t)
corenet_udp_sendrecv_all_ports(courier_$1_t)
logging_send_syslog_msg(courier_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_domain_template'($*)) dnl
')
########################################
##
## Execute the courier authentication daemon with
## a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`courier_domtrans_authdaemon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_domtrans_authdaemon'($*)) dnl
gen_require(`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_domtrans_authdaemon'($*)) dnl
')
#######################################
##
## Connect to courier-authdaemon over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_stream_connect_authdaemon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_stream_connect_authdaemon'($*)) dnl
gen_require(`
type courier_authdaemon_t, courier_spool_t;
')
files_search_spool($1)
stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_stream_connect_authdaemon'($*)) dnl
')
########################################
##
## Execute the courier POP3 and IMAP server with
## a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`courier_domtrans_pop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_domtrans_pop'($*)) dnl
gen_require(`
type courier_pop_t, courier_pop_exec_t;
')
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_domtrans_pop'($*)) dnl
')
########################################
##
## Read courier config files
##
##
##
## Domain allowed access.
##
##
#
define(`courier_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_read_config'($*)) dnl
gen_require(`
type courier_etc_t;
')
files_search_etc($1)
read_files_pattern($1, courier_etc_t, courier_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_read_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete courier
## spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_manage_spool_dirs'($*)) dnl
gen_require(`
type courier_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_manage_spool_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete courier
## spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_manage_spool_files'($*)) dnl
gen_require(`
type courier_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_manage_spool_files'($*)) dnl
')
########################################
##
## Manage named socket in a courier spool directory.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_manage_spool_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_manage_spool_sockets'($*)) dnl
gen_require(`
type courier_spool_t;
')
files_search_spool($1)
manage_sock_files_pattern($1, courier_spool_t, courier_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_manage_spool_sockets'($*)) dnl
')
########################################
##
## Read courier spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_read_spool'($*)) dnl
gen_require(`
type courier_spool_t;
')
files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_read_spool'($*)) dnl
')
########################################
##
## Read and write to courier spool pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`courier_rw_spool_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `courier_rw_spool_pipes'($*)) dnl
gen_require(`
type courier_spool_t;
')
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `courier_rw_spool_pipes'($*)) dnl
')
## Services for loading CPU microcode and CPU frequency scaling.
########################################
##
## CPUcontrol stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`cpucontrol_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cpucontrol_stub'($*)) dnl
gen_require(`
type cpucontrol_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cpucontrol_stub'($*)) dnl
')
## Command-line CPU frequency settings.
########################################
##
## Send and receive messages from
## cpufreq-selector over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cpufreqselector_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cpufreqselector_dbus_chat'($*)) dnl
gen_require(`
type cpufreqselector_t;
class dbus send_msg;
')
allow $1 cpufreqselector_t:dbus send_msg;
allow cpufreqselector_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cpufreqselector_dbus_chat'($*)) dnl
')
## cpuplugd - Linux on System z CPU and memory hotplug daemon
########################################
##
## Execute cpuplug in the cpuplug domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cpuplug_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cpuplug_domtrans'($*)) dnl
gen_require(`
type cpuplug_t, cpuplug_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cpuplug_domtrans'($*)) dnl
')
## Periodic execution of scheduled commands.
#######################################
##
## The common rules for a crontab domain.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`cron_common_crontab_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_common_crontab_template'($*)) dnl
gen_require(`
type crontab_exec_t;
')
##############################
#
# Declarations
#
userdom_user_application_domain($1_t, crontab_exec_t)
##############################
#
# Local policy
#
kernel_read_system_state($1_t)
auth_domtrans_chk_passwd($1_t)
auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
userdom_home_reader($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_common_crontab_template'($*)) dnl
')
########################################
##
## Role access for cron
##
##
##
## Role allowed access
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`cron_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_role'($*)) dnl
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
bool cron_userdomain_transition;
')
##############################
#
# Declarations
#
role $1 types { cronjob_t crontab_t };
##############################
#
# Local policy
#
# Transition from the user domain to the derived domain.
domtrans_pattern($2_t, crontab_exec_t, crontab_t)
dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
allow $2_t crond_t:process sigchld;
allow $2_t user_cron_spool_t:file { getattr read write ioctl };
# crontab shows up in user ps
allow $2_t crontab_t:process signal_perms;
ps_process_pattern($2_t, crontab_t)
cron_common_crontab_template($2)
tunable_policy(`deny_ptrace',`',`
allow $2_t crontab_t:process ptrace;
')
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
#corecmd_shell_domtrans(crontab_t, $2)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
tunable_policy(`cron_userdomain_transition',`
allow crond_t $2_t:process transition;
allow crond_t $2_t:fd use;
allow crond_t $2_t:key manage_key_perms;
# needs to be authorized SELinux context for cron
allow $2_t user_cron_spool_t:file entrypoint;
allow $2_t crond_t:fifo_file rw_fifo_file_perms;
allow $2_t cronjob_t:process { signal_perms };
ps_process_pattern($2_t, cronjob_t)
',`
dontaudit crond_t $2_t:process transition;
dontaudit crond_t $2_t:fd use;
dontaudit crond_t $2_t:key manage_key_perms;
dontaudit $2_t user_cron_spool_t:file entrypoint;
dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
dontaudit $2_t cronjob_t:process { signal_perms };
')
optional_policy(`
gen_require(`
class dbus send_msg;
')
dbus_stub(cronjob_t)
allow cronjob_t $2_t:dbus send_msg;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_role'($*)) dnl
')
########################################
##
## Role access for unconfined cronjobs
##
##
##
## Role allowed access
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`cron_unconfined_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_unconfined_role'($*)) dnl
gen_require(`
attribute crontab_domain;
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
type crond_t, user_cron_spool_t;
bool cron_userdomain_transition;
')
##############################
#
# Declarations
#
role $1 types unconfined_cronjob_t;
##############################
#
# Local policy
#
dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
allow $2_t crond_t:process sigchld;
allow $2_t user_cron_spool_t:file { getattr read write ioctl };
# cronjob shows up in user ps
ps_process_pattern($2_t, unconfined_cronjob_t)
allow $2_t unconfined_cronjob_t:process signal_perms;
cron_common_crontab_template($2)
typeattribute $2_t crontab_domain;
tunable_policy(`deny_ptrace',`',`
allow $2_t unconfined_cronjob_t:process ptrace;
')
tunable_policy(`cron_userdomain_transition',`
allow crond_t $2_t:process transition;
allow crond_t $2_t:fd use;
allow crond_t $2_t:key manage_key_perms;
allow $2_t user_cron_spool_t:file entrypoint;
allow $2_t crond_t:fifo_file rw_fifo_file_perms;
',`
dontaudit crond_t $2_t:process transition;
dontaudit crond_t $2_t:fd use;
dontaudit crond_t $2_t:key manage_key_perms;
dontaudit $2_t user_cron_spool_t:file entrypoint;
dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
')
optional_policy(`
gen_require(`
class dbus send_msg;
')
dbus_stub(unconfined_cronjob_t)
allow unconfined_cronjob_t $2_t:dbus send_msg;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_unconfined_role'($*)) dnl
')
########################################
##
## Role access for cron
##
##
##
## Role allowed access
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`cron_admin_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_admin_role'($*)) dnl
gen_require(`
attribute crontab_domain;
type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
type user_cron_spool_t, crond_t;
class passwd crontab;
bool cron_userdomain_transition;
')
##############################
#
# Declarations
#
role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
##############################
#
# Local policy
#
# Transition from the user domain to the derived domain.
domtrans_pattern($2_t, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
allow $2_t crond_t:process sigchld;
# crontab shows up in user ps
ps_process_pattern($2_t, admin_crontab_t)
allow $2_t admin_crontab_t:process signal_perms;
cron_common_crontab_template($2)
typeattribute $2_t crontab_domain;
tunable_policy(`deny_ptrace',`',`
allow $2_t admin_crontab_t:process ptrace;
')
# Manipulate other users crontab.
allow $2_t self:passwd crontab;
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
tunable_policy(`cron_userdomain_transition',`
allow crond_t $2_t:process transition;
allow crond_t $2_t:fd use;
allow crond_t $2_t:key manage_key_perms;
allow $2_t user_cron_spool_t:file entrypoint;
allow $2_t crond_t:fifo_file rw_fifo_file_perms;
allow $2_t cronjob_t:process { signal_perms };
ps_process_pattern($2_t, cronjob_t)
',`
dontaudit crond_t $2_t:process transition;
dontaudit crond_t $2_t:fd use;
dontaudit crond_t $2_t:key manage_key_perms;
dontaudit $2_t user_cron_spool_t:file entrypoint;
dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
dontaudit $2_t cronjob_t:process { signal_perms };
')
optional_policy(`
gen_require(`
class dbus send_msg;
')
dbus_stub(admin_cronjob_t)
allow cronjob_t $2_t:dbus send_msg;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_admin_role'($*)) dnl
')
########################################
##
## Make the specified program domain accessable
## from the system cron jobs.
##
##
##
## The type of the process to transition to.
##
##
##
##
## The type of the file used as an entrypoint to this domain.
##
##
#
define(`cron_system_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_system_entry'($*)) dnl
gen_require(`
type crond_t, system_cronjob_t;
')
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
role system_r types $1;
allow $1 crond_t:fifo_file rw_fifo_file_perms;
allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_system_entry'($*)) dnl
')
########################################
##
## Execute cron in the cron system domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cron_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_domtrans'($*)) dnl
gen_require(`
type system_cronjob_t, crond_exec_t;
')
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_domtrans'($*)) dnl
')
########################################
##
## Execute crond_exec_t
##
##
##
## Domain allowed access.
##
##
#
define(`cron_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_exec'($*)) dnl
gen_require(`
type crond_exec_t;
')
can_exec($1, crond_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_exec'($*)) dnl
')
########################################
##
## Execute crond server in the crond domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cron_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_initrc_domtrans'($*)) dnl
gen_require(`
type crond_initrc_exec_t;
')
init_labeled_script_domtrans($1, crond_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute crond server in the crond domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cron_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_systemctl'($*)) dnl
gen_require(`
type crond_unit_file_t;
type crond_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 crond_unit_file_t:file read_file_perms;
allow $1 crond_unit_file_t:service manage_service_perms;
ps_process_pattern($1, crond_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_systemctl'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor
## from the cron daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_use_fds'($*)) dnl
gen_require(`
type crond_t;
')
allow $1 crond_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_use_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the cron daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_sigchld'($*)) dnl
gen_require(`
type crond_t;
')
allow $1 crond_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_sigchld'($*)) dnl
')
########################################
##
## Send a generic signal to cron daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_signal'($*)) dnl
gen_require(`
type crond_t;
')
allow $1 crond_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_signal'($*)) dnl
')
########################################
##
## Read a cron daemon unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_read_pipes'($*)) dnl
gen_require(`
type crond_t;
')
allow $1 crond_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_read_pipes'($*)) dnl
')
########################################
##
## Read crond state files.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_state_crond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_read_state_crond'($*)) dnl
gen_require(`
type crond_t;
')
kernel_search_proc($1)
ps_process_pattern($1, crond_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_read_state_crond'($*)) dnl
')
########################################
##
## Send and receive messages from
## crond over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_dbus_chat_crond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dbus_chat_crond'($*)) dnl
gen_require(`
type crond_t;
class dbus send_msg;
')
allow $1 crond_t:dbus send_msg;
allow crond_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dbus_chat_crond'($*)) dnl
')
########################################
##
## Send and receive messages from
## the cron system domain over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_dbus_chat_system_job',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dbus_chat_system_job'($*)) dnl
gen_require(`
type system_cronjob_t;
class dbus send_msg;
')
allow $1 system_cronjob_t:dbus send_msg;
allow system_cronjob_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dbus_chat_system_job'($*)) dnl
')
########################################
##
## Do not audit attempts to write cron daemon unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_pipes'($*)) dnl
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_pipes'($*)) dnl
')
########################################
##
## Read and write a cron daemon unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_pipes'($*)) dnl
gen_require(`
type crond_t;
')
allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to setattr cron daemon unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_setattr_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_setattr_pipes'($*)) dnl
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:fifo_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_setattr_pipes'($*)) dnl
')
########################################
##
## Read and write inherited user spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_inherited_user_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_inherited_user_spool_files'($*)) dnl
gen_require(`
type user_cron_spool_t;
')
allow $1 user_cron_spool_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_inherited_user_spool_files'($*)) dnl
')
########################################
##
## Read and write inherited spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_inherited_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_inherited_spool_files'($*)) dnl
gen_require(`
type cron_spool_t;
')
allow $1 cron_spool_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_inherited_spool_files'($*)) dnl
')
########################################
##
## Read, and write cron daemon TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_tcp_sockets'($*)) dnl
gen_require(`
type crond_t;
')
allow $1 crond_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type crond_t;
')
dontaudit $1 crond_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Search the directory containing user cron tables.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_search_spool'($*)) dnl
gen_require(`
type cron_spool_t;
')
files_search_spool($1)
allow $1 cron_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_search_spool'($*)) dnl
')
########################################
##
## Search the directory containing user cron tables.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_manage_system_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_manage_system_spool'($*)) dnl
gen_require(`
type cron_system_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_manage_system_spool'($*)) dnl
')
########################################
##
## Manage pid files used by cron
##
##
##
## Domain allowed access.
##
##
#
define(`cron_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_manage_pid_files'($*)) dnl
gen_require(`
type crond_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_manage_pid_files'($*)) dnl
')
########################################
##
## Read pid files used by cron
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_read_pid_files'($*)) dnl
gen_require(`
type crond_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, crond_var_run_t, crond_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_read_pid_files'($*)) dnl
')
########################################
##
## Execute anacron in the cron system domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cron_anacron_domtrans_system_job',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_anacron_domtrans_system_job'($*)) dnl
gen_require(`
type system_cronjob_t, anacron_exec_t;
')
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_anacron_domtrans_system_job'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor
## from system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_use_system_job_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_use_system_job_fds'($*)) dnl
gen_require(`
type system_cronjob_t;
')
allow $1 system_cronjob_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_use_system_job_fds'($*)) dnl
')
########################################
##
## Write a system cron job unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_write_system_job_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_write_system_job_pipes'($*)) dnl
gen_require(`
type system_cronjob_t;
')
allow $1 system_cronjob_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_write_system_job_pipes'($*)) dnl
')
########################################
##
## Read and write a system cron job unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_system_job_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_pipes'($*)) dnl
gen_require(`
type system_cronjob_t;
')
allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_system_job_pipes'($*)) dnl
')
########################################
##
## Allow read/write unix stream sockets from the system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_rw_system_job_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_stream_sockets'($*)) dnl
gen_require(`
type system_cronjob_t;
')
allow $1 system_cronjob_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_system_job_stream_sockets'($*)) dnl
')
########################################
##
## Read temporary files from the system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_system_job_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_read_system_job_tmp_files'($*)) dnl
gen_require(`
type system_cronjob_tmp_t, cron_var_run_t;
')
files_search_tmp($1)
allow $1 system_cronjob_tmp_t:file read_file_perms;
files_search_pids($1)
allow $1 cron_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_read_system_job_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append temporary
## files from the system cron jobs.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_append_system_job_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_append_system_job_tmp_files'($*)) dnl
gen_require(`
type system_cronjob_tmp_t;
')
dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_append_system_job_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write temporary
## files from the system cron jobs.
##
##
##
## Domain to not audit.
##
##
#
define(`cron_dontaudit_write_system_job_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_system_job_tmp_files'($*)) dnl
gen_require(`
type system_cronjob_tmp_t;
type cron_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
dontaudit $1 cron_var_run_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_system_job_tmp_files'($*)) dnl
')
########################################
##
## Send to system_cronjob over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dgram_send'($*)) dnl
gen_require(`
type system_cronjob_t;
')
allow $1 system_cronjob_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dgram_send'($*)) dnl
')
########################################
##
## Read temporary files from the system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_read_system_job_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_read_system_job_lib_files'($*)) dnl
gen_require(`
type system_cronjob_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_read_system_job_lib_files'($*)) dnl
')
########################################
##
## Manage files from the system cron jobs.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_manage_system_job_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_manage_system_job_lib_files'($*)) dnl
gen_require(`
type system_cronjob_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_manage_system_job_lib_files'($*)) dnl
')
#######################################
##
## Create, read, write and delete
## cron log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cron_manage_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_manage_log_files'($*)) dnl
gen_require(`
type cron_log_t;
')
manage_files_pattern($1, cron_log_t, cron_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_manage_log_files'($*)) dnl
')
#######################################
##
## Create specified objects in generic
## log directories with the cron log file type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`cron_generic_log_filetrans_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_generic_log_filetrans_log'($*)) dnl
gen_require(`
type cron_log_t;
')
logging_log_filetrans($1, cron_log_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_generic_log_filetrans_log'($*)) dnl
')
#######################################
##
## Create specified objects in generic
## log directories with the cron log file type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`cron_generic_log_filetrans_log_insights',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_generic_log_filetrans_log_insights'($*)) dnl
gen_require(`
type var_log_t;
')
logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_generic_log_filetrans_log_insights'($*)) dnl
')
########################################
##
## Allow system_cron_spool_t to be an entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`cron_system_spool_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_system_spool_entrypoint'($*)) dnl
gen_require(`
attribute system_cron_spool_t;
')
allow $1 system_cron_spool_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_system_spool_entrypoint'($*)) dnl
')
## policy for ctdbd
########################################
##
## Transition to ctdbd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ctdbd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_domtrans'($*)) dnl
gen_require(`
type ctdbd_t, ctdbd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_domtrans'($*)) dnl
')
########################################
##
## Execute ctdbd server in the ctdbd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_initrc_domtrans'($*)) dnl
gen_require(`
type ctdbd_initrc_exec_t;
')
init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_initrc_domtrans'($*)) dnl
')
#######################################
##
## Allow domain to signal ctdbd.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_signal'($*)) dnl
gen_require(`
type ctdbd_t;
')
allow $1 ctdbd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_signal'($*)) dnl
')
#######################################
##
## Allow domain to sigchld ctdbd.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_sigchld'($*)) dnl
gen_require(`
type ctdbd_t;
')
allow $1 ctdbd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_sigchld'($*)) dnl
')
########################################
##
## Read ctdbd's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ctdbd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_read_log'($*)) dnl
gen_require(`
type ctdbd_log_t;
')
logging_search_logs($1)
read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_read_log'($*)) dnl
')
########################################
##
## Append to ctdbd log files.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ctdbd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_append_log'($*)) dnl
gen_require(`
type ctdbd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_append_log'($*)) dnl
')
########################################
##
## Manage ctdbd log files
##
##
##
## Domain to not audit.
##
##
#
define(`ctdbd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_manage_log'($*)) dnl
gen_require(`
type ctdbd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_manage_log'($*)) dnl
')
########################################
##
## Search ctdbd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_search_lib'($*)) dnl
gen_require(`
type ctdbd_var_lib_t;
')
allow $1 ctdbd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_search_lib'($*)) dnl
')
########################################
##
## Read ctdbd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_read_lib_files'($*)) dnl
gen_require(`
type ctdbd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_read_lib_files'($*)) dnl
')
########################################
##
## Manage ctdbd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_manage_lib_files'($*)) dnl
gen_require(`
type ctdbd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
allow $1 ctdbd_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage ctdbd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_manage_lib_dirs'($*)) dnl
gen_require(`
type ctdbd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read ctdbd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_read_pid_files'($*)) dnl
gen_require(`
type ctdbd_var_run_t;
')
files_search_pids($1)
allow $1 ctdbd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_read_pid_files'($*)) dnl
')
#######################################
##
## Connect to ctdbd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ctdbd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_stream_connect'($*)) dnl
gen_require(`
type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
')
files_search_pids($1)
stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ctdbd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ctdbd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_admin'($*)) dnl
gen_require(`
type ctdbd_t, ctdbd_initrc_exec_t;
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
allow $1 ctdbd_t:process signal_perms;
ps_process_pattern($1, ctdbd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ctdbd_t:process ptrace;
')
ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
files_search_var_lib($1)
admin_pattern($1, ctdbd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ctdbd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_admin'($*)) dnl
')
## Common UNIX printing system.
########################################
##
## Create a domain which can be
## started by cupsd.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`cups_backend',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_backend'($*)) dnl
gen_require(`
type cupsd_t;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(cupsd_t, $2, $1)
allow cupsd_t $1:process signal;
allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
cups_read_config($1)
cups_append_log($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_backend'($*)) dnl
')
########################################
##
## Execute cups in the cups domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cups_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_domtrans'($*)) dnl
gen_require(`
type cupsd_t, cupsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cupsd_exec_t, cupsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_domtrans'($*)) dnl
')
########################################
##
## Connect to cupsd over an unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_stream_connect'($*)) dnl
gen_require(`
type cupsd_t, cupsd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_stream_connect'($*)) dnl
')
########################################
##
## Connect to cups over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`cups_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_tcp_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## cups over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_dbus_chat'($*)) dnl
gen_require(`
type cupsd_t;
class dbus send_msg;
')
allow $1 cupsd_t:dbus send_msg;
allow cupsd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_dbus_chat'($*)) dnl
')
########################################
##
## Read cups PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_read_pid_files'($*)) dnl
gen_require(`
type cupsd_var_run_t;
')
files_search_pids($1)
allow $1 cupsd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_read_pid_files'($*)) dnl
')
########################################
##
## Execute cups_config in the
## cups config domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cups_domtrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_domtrans_config'($*)) dnl
gen_require(`
type cupsd_config_t, cupsd_config_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_domtrans_config'($*)) dnl
')
########################################
##
## Send generic signals to the cups
## configuration daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_signal_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_signal_config'($*)) dnl
gen_require(`
type cupsd_config_t;
')
allow $1 cupsd_config_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_signal_config'($*)) dnl
')
########################################
##
## Send and receive messages from
## cupsd_config over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_dbus_chat_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_dbus_chat_config'($*)) dnl
gen_require(`
type cupsd_config_t;
class dbus send_msg;
')
allow $1 cupsd_config_t:dbus send_msg;
allow cupsd_config_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_dbus_chat_config'($*)) dnl
')
########################################
##
## Read cups configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`cups_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_read_config'($*)) dnl
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
type hplip_etc_t;
')
files_search_etc($1)
read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
read_files_pattern($1, hplip_etc_t, hplip_etc_t)
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_read_config'($*)) dnl
')
########################################
##
## Read cups-writable configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`cups_read_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_read_rw_config'($*)) dnl
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
')
files_search_etc($1)
read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_read_rw_config'($*)) dnl
')
########################################
##
## Read cups log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`cups_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_read_log'($*)) dnl
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
allow $1 cupsd_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_read_log'($*)) dnl
')
########################################
##
## Append cups log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_append_log'($*)) dnl
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, cupsd_log_t, cupsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_append_log'($*)) dnl
')
########################################
##
## Write cups log files.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_write_log'($*)) dnl
gen_require(`
type cupsd_log_t;
')
logging_search_logs($1)
allow $1 cupsd_log_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_write_log'($*)) dnl
')
########################################
##
## Connect to ptal over an unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_stream_connect_ptal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_stream_connect_ptal'($*)) dnl
gen_require(`
type ptal_t, ptal_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_stream_connect_ptal'($*)) dnl
')
########################################
##
## Execute cupsd server in the cupsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cupsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cupsd_systemctl'($*)) dnl
gen_require(`
type cupsd_t;
type cupsd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 cupsd_unit_file_t:file read_file_perms;
allow $1 cupsd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, cupsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cupsd_systemctl'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of cupsd.
##
##
##
## Domain allowed access.
##
##
#
define(`cups_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_read_state'($*)) dnl
gen_require(`
type cupsd_t;
')
allow $1 cupsd_t:dir search_dir_perms;
allow $1 cupsd_t:file read_file_perms;
allow $1 cupsd_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_read_state'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cups environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cups_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_admin'($*)) dnl
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
type ptal_t;
type cupsd_unit_file_t;
')
allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
ps_process_pattern($1, { cups_pdf_t ptal_t })
tunable_policy(`deny_ptrace',`',`
allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
')
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cupsd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
cupsd_systemctl($1)
admin_pattern($1, cupsd_unit_file_t)
allow $1 cupsd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_admin'($*)) dnl
')
########################################
##
## Transition to cups named content
##
##
##
## Domain allowed access.
##
##
#
define(`cups_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_filetrans_named_content'($*)) dnl
gen_require(`
type cupsd_rw_etc_t;
type cupsd_etc_t;
')
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, dir, "ppd")
files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppd")
files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
files_etc_filetrans($1, cupsd_rw_etc_t, dir, "ppd")
files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_filetrans_named_content'($*)) dnl
')
## Concurrent versions system.
######################################
##
## Dontaudit Attempts to list the CVS data and metadata.
##
##
##
## Domain to not audit.
##
##
#
define(`cvs_dontaudit_list_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_dontaudit_list_data'($*)) dnl
gen_require(`
type cvs_data_t;
')
dontaudit $1 cvs_data_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_dontaudit_list_data'($*)) dnl
')
########################################
##
## Read CVS data and metadata content.
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_read_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_read_data'($*)) dnl
gen_require(`
type cvs_data_t;
')
list_dirs_pattern($1, cvs_data_t, cvs_data_t)
read_files_pattern($1, cvs_data_t, cvs_data_t)
read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_read_data'($*)) dnl
')
########################################
##
## Execute cvs in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_exec'($*)) dnl
gen_require(`
type cvs_exec_t;
')
corecmd_search_bin($1)
can_exec($1, cvs_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_exec'($*)) dnl
')
########################################
##
## Transition to cvs named content
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_filetrans_home_content'($*)) dnl
gen_require(`
type cvs_home_t;
')
userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_filetrans_home_content'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cvs environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cvs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_admin'($*)) dnl
gen_require(`
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
type cvs_home_t;
')
allow $1 cvs_t:process signal_perms;
ps_process_pattern($1, cvs_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cvs_t:process ptrace;
')
# Allow cvs_t to restart the apache service
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, cvs_keytab_t)
files_list_tmp($1)
admin_pattern($1, cvs_tmp_t)
files_search_usr($1)
admin_pattern($1, cvs_data_t)
files_list_pids($1)
admin_pattern($1, cvs_var_run_t)
userdom_search_user_home_dirs($1)
admin_pattern($1, cvs_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_admin'($*)) dnl
')
## Cyphesis WorldForge game server.
########################################
##
## Execute a domain transition to run cyphesis.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cyphesis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyphesis_domtrans'($*)) dnl
gen_require(`
type cyphesis_t, cyphesis_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cyphesis_exec_t, cyphesis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyphesis_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cyphesis environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cyphesis_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyphesis_admin'($*)) dnl
gen_require(`
type cyphesis_t, cyphesis_initrc_exec_t, cyphesis_log_t;
type cyphesis_var_run_t, cyphesis_tmp_t;
')
allow $1 cyphesis_t:process { ptrace signal_perms };
ps_process_pattern($1, cyphesis_t)
init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cyphesis_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, cyphesis_log_t)
files_search_pids($1)
admin_pattern($1, cyphesis_var_run_t)
files_search_tmp($1)
admin_pattern($1, cyphesis_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyphesis_admin'($*)) dnl
')
## Cyrus is an IMAP service intended to be run on sealed servers.
########################################
##
## Create, read, write, and delete
## cyrus data files.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_manage_data'($*)) dnl
gen_require(`
type cyrus_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_manage_data'($*)) dnl
')
#######################################
##
## Allow write cyrus data files.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_write_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_write_data'($*)) dnl
gen_require(`
type cyrus_var_lib_t;
')
files_search_var_lib($1)
write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_write_data'($*)) dnl
')
########################################
##
## Connect to Cyrus using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_stream_connect'($*)) dnl
gen_require(`
type cyrus_t, cyrus_var_lib_t;
')
files_search_var_lib($1)
stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_stream_connect'($*)) dnl
')
########################################
##
## Connect to Cyrus using a unix
## domain stream socket in the runtime filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_runtime_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_runtime_stream_connect'($*)) dnl
gen_require(`
type cyrus_t, cyrus_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, cyrus_var_run_t, cyrus_var_run_t, cyrus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_runtime_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an cyrus environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cyrus_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_admin'($*)) dnl
gen_require(`
type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
type cyrus_var_run_t, cyrus_initrc_exec_t;
type cyrus_keytab_t;
')
allow $1 cyrus_t:process signal_perms;
ps_process_pattern($1, cyrus_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cyrus_t:process ptrace;
')
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, cyrus_keytab_t)
files_list_tmp($1)
admin_pattern($1, cyrus_tmp_t)
files_list_var_lib($1)
admin_pattern($1, cyrus_var_lib_t)
files_list_pids($1)
admin_pattern($1, cyrus_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_admin'($*)) dnl
')
## Collection of tools for managing UNIX services.
########################################
##
## An ipc channel between the
## supervised domain and svc_start_t.
##
##
##
## Domain allowed access.
##
##
#
define(`daemontools_ipc_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_ipc_domain'($*)) dnl
gen_require(`
type svc_start_t;
')
allow $1 svc_start_t:process sigchld;
allow $1 svc_start_t:fd use;
allow $1 svc_start_t:fifo_file rw_fifo_file_perms;
allow svc_start_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_ipc_domain'($*)) dnl
')
########################################
##
## Create a domain which can be
## started by daemontools.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`daemontools_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_service_domain'($*)) dnl
gen_require(`
type svc_run_t;
')
domain_auto_trans(svc_run_t, $2, $1)
daemontools_ipc_domain($1)
allow svc_run_t $1:process signal;
allow $1 svc_run_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_service_domain'($*)) dnl
')
########################################
##
## Execute svc start in the svc
## start domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`daemontools_domtrans_start',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_start'($*)) dnl
gen_require(`
type svc_start_t, svc_start_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_start'($*)) dnl
')
######################################
##
## Execute svc start in the svc
## start domain, and allow the
## specified role the svc start domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`daemonstools_run_start',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemonstools_run_start'($*)) dnl
gen_require(`
attribute_role svc_start_roles;
')
daemontools_domtrans_start($1)
roleattribute $2 svc_start_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemonstools_run_start'($*)) dnl
')
########################################
##
## Execute avc run in the svc run domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`daemontools_domtrans_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_run'($*)) dnl
gen_require(`
type svc_run_t, svc_run_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svc_run_exec_t, svc_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_run'($*)) dnl
')
######################################
##
## Send child terminated signals
## to svc run.
##
##
##
## Domain allowed access.
##
##
#
define(`daemontools_sigchld_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_sigchld_run'($*)) dnl
gen_require(`
type svc_run_t;
')
allow $1 svc_run_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_sigchld_run'($*)) dnl
')
########################################
##
## Execute avc multilog in the svc
## multilog domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`daemontools_domtrans_multilog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_multilog'($*)) dnl
gen_require(`
type svc_multilog_t, svc_multilog_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_multilog'($*)) dnl
')
######################################
##
## Search svc svc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`daemontools_search_svc_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_search_svc_dir'($*)) dnl
gen_require(`
type svc_svc_t;
')
files_search_var($1)
allow $1 svc_svc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_search_svc_dir'($*)) dnl
')
########################################
##
## Read svc avc files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`daemontools_read_svc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_read_svc'($*)) dnl
gen_require(`
type svc_svc_t;
')
files_search_var($1)
allow $1 svc_svc_t:dir list_dir_perms;
allow $1 svc_svc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_read_svc'($*)) dnl
')
########################################
##
## Create, read, write and delete
## svc svc content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`daemontools_manage_svc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_manage_svc'($*)) dnl
gen_require(`
type svc_svc_t;
')
files_search_var($1)
allow $1 svc_svc_t:dir manage_dir_perms;
allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_manage_svc'($*)) dnl
')
## Dante msproxy and socks4/5 proxy server.
########################################
##
## All of the rules required to
## administrate an dante environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dante_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dante_admin'($*)) dnl
gen_require(`
type dante_t, dante_conf_t, dante_var_run_t;
type dante_initrc_exec_t;
')
allow $1 dante_t:process { ptrace signal_perms };
ps_process_pattern($1, dante_t)
init_labeled_script_domtrans($1, dante_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dante_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dante_conf_t)
files_search_pids($1)
admin_pattern($1, dante_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dante_admin'($*)) dnl
')
## Database administrator role.
########################################
##
## Change to the database administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`dbadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbadm_role_change'($*)) dnl
gen_require(`
role dbadm_r;
')
allow $1 dbadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbadm_role_change'($*)) dnl
')
########################################
##
## Change from the database administrator role.
##
##
##
## Change from the database administrator role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dbadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbadm_role_change_to'($*)) dnl
gen_require(`
role dbadm_r;
')
allow dbadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbadm_role_change_to'($*)) dnl
')
## Dictionary server for the SKK Japanese input method system.
## Desktop messaging bus
########################################
##
## DBUS stub interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`dbus_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_stub'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_stub'($*)) dnl
')
########################################
##
## Execute dbus-daemon in the caller domain.
##
##
##
## Domain allowed access
##
##
#
define(`dbus_exec_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_exec_dbusd'($*)) dnl
gen_require(`
type dbusd_exec_t;
')
can_exec($1, dbusd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_exec_dbusd'($*)) dnl
')
########################################
##
## Role access for dbus
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`dbus_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_role_template'($*)) dnl
gen_require(`
class dbus { send_msg acquire_svc };
attribute dbusd_unconfined, session_bus_type;
type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
type $1_t;
')
##############################
#
# Delcarations
#
type $1_dbusd_t, session_bus_type;
application_domain($1_dbusd_t, dbusd_exec_t)
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
kernel_read_system_state($1_dbusd_t)
selinux_get_fs_mount($1_dbusd_t)
userdom_home_manager($1_dbusd_t)
##############################
#
# Local policy
#
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket { accept connectto listen rw_socket_perms create };
allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
allow $1_dbusd_t $3:unix_dgram_socket sendto;
# SE-DBus specific permissions
allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
# Permissions for dbus-broker running with systemd user sessions
allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh };
allow $1_dbusd_t $3:dbus send_msg;
allow $3 $1_dbusd_t:dbus send_msg;
allow $1_dbusd_t $3:system { start reload };
allow $1_dbusd_t session_dbusd_tmp_t:service { start stop };
allow $3 session_dbusd_tmp_t:dir manage_dir_perms;
allow $3 session_dbusd_tmp_t:file manage_file_perms;
can_exec($1_dbusd_t, dbusd_exec_t)
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
ps_process_pattern($3, $1_dbusd_t)
allow $3 $1_dbusd_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $3 $1_dbusd_t:process ptrace;
')
# cjp: this seems very broken
corecmd_bin_domtrans($1_dbusd_t, $1_t)
corecmd_shell_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
auth_use_nsswitch($1_dbusd_t)
files_config_all_files($1_dbusd_t)
logging_send_syslog_msg($1_dbusd_t)
dontaudit $1_dbusd_t self:capability net_admin;
optional_policy(`
mozilla_domtrans_spec($1_dbusd_t, $1_t)
')
optional_policy(`
systemd_start_systemd_services($1_dbusd_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_role_template'($*)) dnl
')
#######################################
##
## Template for creating connections to
## the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_system_bus_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_bus_client'($*)) dnl
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
attribute dbusd_unconfined;
')
# SE-DBus specific permissions
allow $1 { system_dbusd_t self }:dbus send_msg;
allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
dev_read_urand($1)
# For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
optional_policy(`
unconfined_server_dbus_chat($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_bus_client'($*)) dnl
')
#######################################
##
## Creating connections to specified
## DBUS sessions.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_session_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_session_client'($*)) dnl
gen_require(`
class dbus send_msg;
type $1_dbusd_t;
')
allow $2 $1_dbusd_t:fd use;
allow $2 { $1_dbusd_t self }:dbus send_msg;
allow $2 $1_dbusd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_session_client'($*)) dnl
')
#######################################
##
## Template for creating connections to
## a user DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_session_bus_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_session_bus_client'($*)) dnl
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
# SE-DBus specific permissions
allow $1 { session_bus_type self }:dbus send_msg;
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
allow session_bus_type $1:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_session_bus_client'($*)) dnl
')
########################################
##
## Send a message the session DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_send_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_send_session_bus'($*)) dnl
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
allow $1 session_bus_type:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_send_session_bus'($*)) dnl
')
########################################
##
## Read dbus configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_config'($*)) dnl
gen_require(`
type dbusd_etc_t;
')
allow $1 dbusd_etc_t:dir list_dir_perms;
allow $1 dbusd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_config'($*)) dnl
')
########################################
##
## Watch dbus configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_watch_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_watch_config'($*)) dnl
gen_require(`
type dbusd_etc_t;
')
allow $1 dbusd_etc_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_watch_config'($*)) dnl
')
########################################
##
## Read system dbus lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_lib_files'($*)) dnl
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## system dbus lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_manage_lib_files'($*)) dnl
gen_require(`
type system_dbusd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_manage_lib_files'($*)) dnl
')
########################################
##
## Connect to the system DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_connect_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_connect_session_bus'($*)) dnl
gen_require(`
attribute session_bus_type;
class dbus acquire_svc;
')
allow $1 session_bus_type:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_connect_session_bus'($*)) dnl
')
########################################
##
## Allow a application domain to be started
## by the session dbus.
##
##
##
## User domain prefix to be used.
##
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an
## entry point to this domain.
##
##
#
define(`dbus_session_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_session_domain'($*)) dnl
gen_require(`
type $1_dbusd_t;
')
domtrans_pattern($1_dbusd_t, $2, $3)
dbus_session_bus_client($3)
dbus_connect_session_bus($3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_session_domain'($*)) dnl
')
########################################
##
## Connect to the system DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_connect_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_connect_system_bus'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus acquire_svc;
')
allow $1 system_dbusd_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_connect_system_bus'($*)) dnl
')
########################################
##
## Send a message on the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_send_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_send_system_bus'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus send_msg;
')
allow $1 system_dbusd_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_send_system_bus'($*)) dnl
')
########################################
##
## Allow unconfined access to the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_system_bus_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_bus_unconfined'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus all_dbus_perms;
')
allow $1 system_dbusd_t:dbus *;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_bus_unconfined'($*)) dnl
')
########################################
##
## Create a domain for processes
## which can be started by the system dbus
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`dbus_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_domain'($*)) dnl
gen_require(`
attribute system_bus_type;
type system_dbusd_t;
role system_r;
')
typeattribute $1 system_bus_type;
domain_type($1)
domain_entry_file($1, $2)
domtrans_pattern(system_dbusd_t, $2, $1)
init_system_domain($1, $2)
ps_process_pattern($1, system_dbusd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_domain'($*)) dnl
')
########################################
##
## Use and inherit system DBUS file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_use_system_bus_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_use_system_bus_fds'($*)) dnl
gen_require(`
type system_dbusd_t;
')
allow $1 system_dbusd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_use_system_bus_fds'($*)) dnl
')
########################################
##
## Allow unconfined access to the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_unconfined'($*)) dnl
gen_require(`
attribute dbusd_unconfined;
')
typeattribute $1 dbusd_unconfined;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_unconfined'($*)) dnl
')
########################################
##
## Delete all dbus pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_delete_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_delete_pid_files'($*)) dnl
gen_require(`
type system_dbusd_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_delete_pid_files'($*)) dnl
')
########################################
##
## Read all dbus pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_pid_files'($*)) dnl
gen_require(`
type system_dbusd_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_pid_files'($*)) dnl
')
########################################
##
## Read all dbus pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_pid_sock_files'($*)) dnl
gen_require(`
type system_dbusd_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
read_sock_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_pid_sock_files'($*)) dnl
')
########################################
##
## Watch system dbus pid socket files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_watch_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_watch_pid_sock_files'($*)) dnl
gen_require(`
type system_dbusd_var_run_t;
')
files_search_pids($1)
allow $1 system_dbusd_var_run_t:sock_file watch_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_watch_pid_sock_files'($*)) dnl
')
########################################
##
## Watch system dbus pid directory
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_watch_pid_dirs'($*)) dnl
gen_require(`
type system_dbusd_var_run_t;
')
files_search_pids($1)
allow $1 system_dbusd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_watch_pid_dirs'($*)) dnl
')
########################################
##
## Read and write system dbus tmp socket files.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_rw_tmp_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_rw_tmp_sock_files'($*)) dnl
gen_require(`
type system_dbusd_tmp_t;
')
rw_sock_files_pattern($1, system_dbusd_tmp_t, system_dbusd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_rw_tmp_sock_files'($*)) dnl
')
########################################
##
## Do not audit attempts to connect to
## session bus types with a unix
## stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_dontaudit_stream_connect_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_stream_connect_session_bus'($*)) dnl
gen_require(`
attribute session_bus_type;
')
dontaudit $1 session_bus_type:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_stream_connect_session_bus'($*)) dnl
')
########################################
##
## Allow attempts to connect to
## session bus types with a unix
## stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_stream_connect_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_stream_connect_session_bus'($*)) dnl
gen_require(`
attribute session_bus_type;
')
allow $1 session_bus_type:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_stream_connect_session_bus'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbus
## messages to session bus types.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_chat_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_chat_session_bus'($*)) dnl
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
allow $1 session_bus_type:dbus send_msg;
allow session_bus_type $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_chat_session_bus'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbus
## messages to session bus types.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_dontaudit_chat_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_chat_session_bus'($*)) dnl
gen_require(`
attribute session_bus_type;
class dbus send_msg;
')
dontaudit $1 session_bus_type:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_chat_session_bus'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbus
## messages to system bus types.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_dontaudit_chat_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_chat_system_bus'($*)) dnl
gen_require(`
attribute system_bus_type;
class dbus send_msg;
')
dontaudit $1 system_bus_type:dbus send_msg;
dontaudit system_bus_type $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_chat_system_bus'($*)) dnl
')
########################################
##
## Allow attempts to connect to
## session bus types with a unix
## stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_stream_connect_system_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_stream_connect_system_dbusd'($*)) dnl
gen_require(`
type system_dbusd_t;
')
allow $1 system_dbusd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_stream_connect_system_dbusd'($*)) dnl
')
########################################
##
## Do not audit attempts to connect to
## session bus types with a unix
## stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_dontaudit_stream_connect_system_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_stream_connect_system_dbusd'($*)) dnl
gen_require(`
type system_dbusd_t;
type system_dbusd_var_run_t;
')
dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
dontaudit $1 system_dbusd_t:sock_file write;
dontaudit $1 system_dbusd_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_stream_connect_system_dbusd'($*)) dnl
')
########################################
##
## Allow attempts to send dbus
## messages to system bus types.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_chat_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_chat_system_bus'($*)) dnl
gen_require(`
attribute system_bus_type;
class dbus send_msg;
')
allow $1 system_bus_type:dbus send_msg;
allow system_bus_type $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_chat_system_bus'($*)) dnl
')
#######################################
##
## Transition to dbus named content
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_filetrans_named_content_system',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_filetrans_named_content_system'($*)) dnl
gen_require(`
type system_dbusd_var_lib_t;
')
files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_filetrans_named_content_system'($*)) dnl
')
########################################
##
## Allow attempts to send dbus
## messages to system dbusd type.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_acquire_svc_system_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_acquire_svc_system_dbusd'($*)) dnl
gen_require(`
type system_dbusd_t;
class dbus acquire_svc;
')
allow $1 system_dbusd_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_acquire_svc_system_dbusd'($*)) dnl
')
########################################
##
## Allow signal the system dbusd type.
##
##
##
## Domain to not audit.
##
##
#
define(`dbus_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_signal'($*)) dnl
gen_require(`
type system_dbusd_t;
')
allow $1 system_dbusd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_signal'($*)) dnl
')
########################################
##
## Manage session_dbusd tmp dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_manage_session_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_manage_session_tmp_dirs'($*)) dnl
gen_require(`
type session_dbusd_tmp_t;
')
manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_manage_session_tmp_dirs'($*)) dnl
')
########################################
##
## Allow systemctl dbus services
##
##
##
## Domain allowed to transition.
##
##
#
define(`dbus_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_systemctl'($*)) dnl
gen_require(`
type dbusd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 dbusd_unit_file_t:file read_file_perms;
allow $1 dbusd_unit_file_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_systemctl'($*)) dnl
')
## Distributed checksum clearinghouse spam filtering.
########################################
##
## Execute cdcc in the cdcc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dcc_domtrans_cdcc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_cdcc'($*)) dnl
gen_require(`
type cdcc_t, cdcc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cdcc_exec_t, cdcc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_cdcc'($*)) dnl
')
########################################
##
## Execute cdcc in the cdcc domain, and
## allow the specified role the
## cdcc domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dcc_run_cdcc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_cdcc'($*)) dnl
gen_require(`
attribute_role cdcc_roles;
')
dcc_domtrans_cdcc($1)
roleattribute $2 cdcc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_cdcc'($*)) dnl
')
########################################
##
## Execute dcc client in the dcc
## client domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dcc_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_client'($*)) dnl
gen_require(`
type dcc_client_t, dcc_client_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_client'($*)) dnl
')
########################################
##
## Send generic signals to dcc client.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_signal_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_signal_client'($*)) dnl
gen_require(`
type dcc_client_t;
')
allow $1 dcc_client_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_signal_client'($*)) dnl
')
########################################
##
## Execute dcc client in the dcc
## client domain, and allow the
## specified role the dcc client domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dcc_run_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_client'($*)) dnl
gen_require(`
attribute_role dcc_client_roles;
')
dcc_domtrans_client($1)
roleattribute $2 dcc_client_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_client'($*)) dnl
')
########################################
##
## Execute dbclean in the dcc dbclean domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dcc_domtrans_dbclean',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_dbclean'($*)) dnl
gen_require(`
type dcc_dbclean_t, dcc_dbclean_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_dbclean'($*)) dnl
')
########################################
##
## Execute dbclean in the dcc dbclean
## domain, and allow the specified
## role the dcc dbclean domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dcc_run_dbclean',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_dbclean'($*)) dnl
gen_require(`
attribute_role dcc_dbclean_roles;
')
dcc_domtrans_dbclean($1)
roleattribute $2 dcc_dbclean_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_dbclean'($*)) dnl
')
########################################
##
## Connect to dccifd over a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dcc_stream_connect_dccifd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_stream_connect_dccifd'($*)) dnl
gen_require(`
type dcc_var_t, dccifd_var_run_t, dccifd_t;
')
files_search_pids($1)
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_stream_connect_dccifd'($*)) dnl
')
## Update dynamic IP address at DynDNS.org.
#######################################
##
## Execute ddclient in the ddclient domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ddclient_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddclient_domtrans'($*)) dnl
gen_require(`
type ddclient_t, ddclient_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ddclient_exec_t, ddclient_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddclient_domtrans'($*)) dnl
')
########################################
##
## Execute ddclient in the ddclient
## domain, and allow the specified
## role the ddclient domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ddclient_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddclient_run'($*)) dnl
gen_require(`
attribute_role ddclient_roles;
')
ddclient_domtrans($1)
roleattribute $2 ddclient_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddclient_run'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an ddclient environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ddclient_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddclient_admin'($*)) dnl
gen_require(`
type ddclient_t, ddclient_etc_t, ddclient_log_t;
type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
type ddclient_var_run_t, ddclient_initrc_exec_t;
')
allow $1 ddclient_t:process signal_perms;
ps_process_pattern($1, ddclient_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ddclient_t:process ptrace;
')
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ddclient_etc_t)
logging_list_logs($1)
admin_pattern($1, ddclient_log_t)
files_list_var($1)
admin_pattern($1, ddclient_var_t)
files_list_var_lib($1)
admin_pattern($1, ddclient_var_lib_t)
files_list_pids($1)
admin_pattern($1, ddclient_var_run_t)
files_list_tmp($1)
admin_pattern($1, ddclient_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddclient_admin'($*)) dnl
')
## ddcprobe retrieves monitor and graphics card information.
########################################
##
## Execute ddcprobe in the ddcprobe domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ddcprobe_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddcprobe_domtrans'($*)) dnl
gen_require(`
type ddcprobe_t, ddcprobe_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddcprobe_domtrans'($*)) dnl
')
########################################
##
## Execute ddcprobe in the ddcprobe
## domain, and allow the specified
## role the ddcprobe domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ddcprobe_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddcprobe_run'($*)) dnl
gen_require(`
attribute_role ddcprobe_roles;
')
ddcprobe_domtrans($1)
roleattribute $2 ddcprobe_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddcprobe_run'($*)) dnl
')
## SSH dictionary attack mitigation.
########################################
##
## Execute a domain transition to run denyhosts.
##
##
##
## Domain allowed to transition.
##
##
#
define(`denyhosts_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `denyhosts_domtrans'($*)) dnl
gen_require(`
type denyhosts_t, denyhosts_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `denyhosts_domtrans'($*)) dnl
')
########################################
##
## Execute denyhost server in the
## denyhost domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`denyhosts_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `denyhosts_initrc_domtrans'($*)) dnl
gen_require(`
type denyhosts_initrc_exec_t;
')
init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `denyhosts_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an denyhosts environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`denyhosts_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `denyhosts_admin'($*)) dnl
gen_require(`
type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
')
allow $1 denyhosts_t:process signal_perms;
ps_process_pattern($1, denyhosts_t)
tunable_policy(`deny_ptrace',`',`
allow $1 denyhosts_t:process ptrace;
')
denyhosts_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 denyhosts_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, denyhosts_var_lib_t)
logging_list_logs($1)
admin_pattern($1, denyhosts_var_log_t)
files_list_locks($1)
admin_pattern($1, denyhosts_var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `denyhosts_admin'($*)) dnl
')
## Devicekit modular hardware abstraction layer
########################################
##
## Execute a domain transition to run devicekit.
##
##
##
## Domain allowed to transition.
##
##
#
define(`devicekit_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_domtrans'($*)) dnl
gen_require(`
type devicekit_t, devicekit_exec_t;
')
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run devicekit_disk.
##
##
##
## Domain allowed to transition.
##
##
#
define(`devicekit_domtrans_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_domtrans_disk'($*)) dnl
gen_require(`
type devicekit_disk_t, devicekit_disk_exec_t;
')
domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_domtrans_disk'($*)) dnl
')
########################################
##
## Send to devicekit over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dgram_send'($*)) dnl
gen_require(`
type devicekit_t;
')
allow $1 devicekit_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dgram_send'($*)) dnl
')
########################################
##
## Send and receive messages from
## devicekit over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat'($*)) dnl
gen_require(`
type devicekit_t;
class dbus send_msg;
')
allow $1 devicekit_t:dbus send_msg;
allow devicekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## devicekit disk over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_dbus_chat_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat_disk'($*)) dnl
gen_require(`
type devicekit_disk_t;
class dbus send_msg;
')
allow $1 devicekit_disk_t:dbus send_msg;
allow devicekit_disk_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat_disk'($*)) dnl
')
########################################
##
## Use file descriptors for devicekit_disk.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_use_fds_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_use_fds_disk'($*)) dnl
gen_require(`
type devicekit_disk_t;
')
allow $1 devicekit_disk_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_use_fds_disk'($*)) dnl
')
########################################
##
## Dontaudit Send and receive messages from
## devicekit disk over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`devicekit_dontaudit_dbus_chat_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dontaudit_dbus_chat_disk'($*)) dnl
gen_require(`
type devicekit_disk_t;
class dbus send_msg;
')
dontaudit $1 devicekit_disk_t:dbus send_msg;
dontaudit devicekit_disk_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dontaudit_dbus_chat_disk'($*)) dnl
')
########################################
##
## Send signal devicekit power
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_signal_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_signal_power'($*)) dnl
gen_require(`
type devicekit_power_t;
')
allow $1 devicekit_power_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_signal_power'($*)) dnl
')
########################################
##
## Send and receive messages from
## devicekit power over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_dbus_chat_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat_power'($*)) dnl
gen_require(`
type devicekit_power_t;
class dbus send_msg;
')
allow $1 devicekit_power_t:dbus send_msg;
allow devicekit_power_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat_power'($*)) dnl
')
#######################################
##
## Use and inherit devicekit power
## file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_use_fds_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_use_fds_power'($*)) dnl
gen_require(`
type devicekit_power_t;
')
allow $1 devicekit_power_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_use_fds_power'($*)) dnl
')
#######################################
##
## Append inherited devicekit log files.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_append_inherited_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_append_inherited_log_files'($*)) dnl
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
allow $1 devicekit_var_log_t:file append_inherited_file_perms;
devicekit_use_fds_power($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_append_inherited_log_files'($*)) dnl
')
#######################################
##
## Allow read devicekit log files.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_read_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_read_log_files'($*)) dnl
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
allow $1 devicekit_var_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_read_log_files'($*)) dnl
')
#######################################
##
## Do not audit attempts to write the devicekit
## log files.
##
##
##
## Domain to not audit.
##
##
#
define(`devicekit_dontaudit_rw_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dontaudit_rw_log'($*)) dnl
gen_require(`
type devicekit_var_log_t;
')
dontaudit $1 devicekit_var_log_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dontaudit_rw_log'($*)) dnl
')
########################################
##
## Allow the domain to read devicekit_power state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_read_state_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_read_state_power'($*)) dnl
gen_require(`
type devicekit_power_t;
')
kernel_search_proc($1)
ps_process_pattern($1, devicekit_power_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_read_state_power'($*)) dnl
')
########################################
##
## Read devicekit PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_read_pid_files'($*)) dnl
gen_require(`
type devicekit_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_read_pid_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## devicekit PID files.
##
##
##
## Domain to not audit.
##
##
#
define(`devicekit_dontaudit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dontaudit_read_pid_files'($*)) dnl
gen_require(`
type devicekit_var_run_t;
')
dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dontaudit_read_pid_files'($*)) dnl
')
########################################
##
## Manage devicekit PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_manage_pid_files'($*)) dnl
gen_require(`
type devicekit_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_manage_pid_files'($*)) dnl
')
#######################################
##
## Relabel devicekit LOG files.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_relabel_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_relabel_log_files'($*)) dnl
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_relabel_log_files'($*)) dnl
')
########################################
##
## Manage devicekit LOG files.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_manage_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_manage_log_files'($*)) dnl
gen_require(`
type devicekit_var_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_manage_log_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an devicekit environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`devicekit_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_admin'($*)) dnl
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
allow $1 devicekit_t:process signal_perms;
ps_process_pattern($1, devicekit_t)
tunable_policy(`deny_ptrace',`',`
allow $1 devicekit_t:process ptrace;
allow $1 devicekit_disk_t:process ptrace;
allow $1 devicekit_power_t:process ptrace;
')
allow $1 devicekit_disk_t:process signal_perms;
ps_process_pattern($1, devicekit_disk_t)
allow $1 devicekit_power_t:process signal_perms;
ps_process_pattern($1, devicekit_power_t)
admin_pattern($1, devicekit_tmp_t)
files_list_tmp($1)
admin_pattern($1, devicekit_var_lib_t)
files_list_var_lib($1)
admin_pattern($1, devicekit_var_run_t)
files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_admin'($*)) dnl
')
########################################
##
## Transition to devicekit named content
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_filetrans_named_content'($*)) dnl
gen_require(`
type devicekit_var_run_t, devicekit_var_log_t;
')
files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_filetrans_named_content'($*)) dnl
')
########################################
##
## Mounton devicekit lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`devicekit_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_mounton_var_lib'($*)) dnl
gen_require(`
type devicekit_var_lib_t;
')
allow $1 devicekit_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_mounton_var_lib'($*)) dnl
')
## Dynamic host configuration protocol server.
########################################
##
## Execute a domain transition to run dhcpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dhcpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_domtrans'($*)) dnl
gen_require(`
type dhcpd_t, dhcpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_domtrans'($*)) dnl
')
########################################
##
## Set attributes of dhcpd server
## state files.
##
##
##
## Domain allowed access.
##
##
#
define(`dhcpd_setattr_state_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_setattr_state_files'($*)) dnl
gen_require(`
type dhcpd_state_t;
')
sysnet_search_dhcp_state($1)
allow $1 dhcpd_state_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_setattr_state_files'($*)) dnl
')
########################################
##
## Execute dhcp server in the dhcp domain.
##
##
##
## Domain allowed to transition.
##
##
#
#
define(`dhcpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_initrc_domtrans'($*)) dnl
gen_require(`
type dhcpd_initrc_exec_t;
')
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute dhcpd server in the dhcpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dhcpd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_systemctl'($*)) dnl
gen_require(`
type dhcpd_unit_file_t;
type dhcpd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_search_unit_dirs($1)
allow $1 dhcpd_unit_file_t:file read_file_perms;
allow $1 dhcpd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, dhcpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an dhcpd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dhcpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_admin'($*)) dnl
gen_require(`
type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
type dhcpd_unit_file_t;
')
allow $1 dhcpd_t:process signal_perms;
ps_process_pattern($1, dhcpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 dhcpd_t:process ptrace;
')
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dhcpd_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, dhcpd_tmp_t)
files_list_var_lib($1)
admin_pattern($1, dhcpd_state_t)
files_list_pids($1)
admin_pattern($1, dhcpd_var_run_t)
dhcpd_systemctl($1)
admin_pattern($1, dhcpd_unit_file_t)
allow $1 dhcpd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_admin'($*)) dnl
')
## Dictionary daemon.
########################################
##
## Use dictionary services by connecting
## over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`dictd_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dictd_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dictd_tcp_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an dictd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dictd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dictd_admin'($*)) dnl
gen_require(`
type dictd_t, dictd_etc_t, dictd_var_lib_t;
type dictd_var_run_t, dictd_initrc_exec_t;
')
allow $1 dictd_t:process signal_perms;
ps_process_pattern($1, dictd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 dictd_t:process ptrace;
')
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dictd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, dictd_etc_t)
files_list_var_lib($1)
admin_pattern($1, dictd_var_lib_t)
files_list_pids($1)
admin_pattern($1, dictd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dictd_admin'($*)) dnl
')
## Server for managing and downloading certificate revocation lists.
########################################
##
## All of the rules required to
## administrate an dirmngr environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dirmngr_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirmngr_admin'($*)) dnl
gen_require(`
type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_var_run_t;
type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t;
')
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dirmngr_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
logging_search_logs($1)
admin_pattern($1, dirmngr_log_t)
files_search_pids($1)
admin_pattern($1, dirmngr_var_run_t)
files_search_var_lib($1)
admin_pattern($1, dirmngr_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirmngr_admin'($*)) dnl
')
## Administration Server for Directory Server, dirsrv-admin.
########################################
##
## Exec dirsrv-admin programs.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_run_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_run_exec'($*)) dnl
gen_require(`
type dirsrvadmin_exec_t;
')
allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
can_exec($1, dirsrvadmin_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_run_exec'($*)) dnl
')
########################################
##
## Exec cgi programs.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_run_script_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_run_script_exec'($*)) dnl
gen_require(`
type dirsrvadmin_script_exec_t;
')
allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
can_exec($1, dirsrvadmin_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_run_script_exec'($*)) dnl
')
########################################
##
## Manage dirsrv-adminserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_read_config'($*)) dnl
gen_require(`
type dirsrvadmin_config_t;
')
read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_read_config'($*)) dnl
')
########################################
##
## Manage dirsrv-adminserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_manage_config'($*)) dnl
gen_require(`
type dirsrvadmin_config_t;
')
allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
allow $1 dirsrvadmin_config_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_manage_config'($*)) dnl
')
#######################################
##
## Read dirsrv-adminserver tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_read_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_read_tmp'($*)) dnl
gen_require(`
type dirsrvadmin_tmp_t;
')
read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_read_tmp'($*)) dnl
')
########################################
##
## Manage dirsrv-adminserver tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_manage_tmp'($*)) dnl
gen_require(`
type dirsrvadmin_tmp_t;
')
manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_manage_tmp'($*)) dnl
')
########################################
##
## Execute dirsrv-admin server in the dirsrv-admin domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dirsrvadmin_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_systemctl'($*)) dnl
gen_require(`
type dirsrvadmin_t;
type dirsrvadmin_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;
ps_process_pattern($1, dirsrvadmin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_systemctl'($*)) dnl
')
#######################################
##
## Execute admin cgi programs in caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_domtrans_unconfined_script_t',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_domtrans_unconfined_script_t'($*)) dnl
gen_require(`
type dirsrvadmin_unconfined_script_t;
type dirsrvadmin_unconfined_script_exec_t;
')
domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_domtrans_unconfined_script_t'($*)) dnl
')
## policy for dirsrv
########################################
##
## Execute a domain transition to run dirsrv.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dirsrv_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_domtrans'($*)) dnl
gen_require(`
type dirsrv_t, dirsrv_exec_t;
')
domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_domtrans'($*)) dnl
')
########################################
##
## Execute dirsrv in the dirsrv domain, and
## allow the specified role the dirsrv domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`dirsrv_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_run'($*)) dnl
gen_require(`
type dirsrv_t;
')
dirsrv_domtrans($1)
role $2 types dirsrv_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_run'($*)) dnl
')
########################################
##
## Allow caller to signal dirsrv.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_signal'($*)) dnl
gen_require(`
type dirsrv_t;
')
allow $1 dirsrv_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_signal'($*)) dnl
')
########################################
##
## Send a null signal to dirsrv.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_signull'($*)) dnl
gen_require(`
type dirsrv_t;
')
allow $1 dirsrv_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_signull'($*)) dnl
')
########################################
##
## Execute dirsrv server in the dirsrv domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dirsrv_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_systemctl'($*)) dnl
gen_require(`
type dirsrv_unit_file_t;
type dirsrv_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 dirsrv_unit_file_t:file read_file_perms;
allow $1 dirsrv_unit_file_t:service manage_service_perms;
ps_process_pattern($1, dirsrv_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_systemctl'($*)) dnl
')
#######################################
##
## Allow a domain to manage dirsrv logs.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_log'($*)) dnl
gen_require(`
type dirsrv_var_log_t;
')
allow $1 dirsrv_var_log_t:dir manage_dir_perms;
allow $1 dirsrv_var_log_t:file manage_file_perms;
allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_log'($*)) dnl
')
#######################################
##
## Allow a domain to manage dirsrv /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_var_lib'($*)) dnl
gen_require(`
type dirsrv_var_lib_t;
')
allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
allow $1 dirsrv_var_lib_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_var_lib'($*)) dnl
')
########################################
##
## Connect to dirsrv over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_stream_connect'($*)) dnl
gen_require(`
type dirsrv_t, dirsrv_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_stream_connect'($*)) dnl
')
#######################################
##
## Allow a domain to manage dirsrv /var/run files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_var_run'($*)) dnl
gen_require(`
type dirsrv_var_run_t;
')
allow $1 dirsrv_var_run_t:dir manage_dir_perms;
allow $1 dirsrv_var_run_t:file manage_file_perms;
allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_var_run'($*)) dnl
')
######################################
##
## Allow a domain to create dirsrv pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_pid_filetrans'($*)) dnl
gen_require(`
type dirsrv_var_run_t;
')
# Allow creating a dir in /var/run with this type
files_pid_filetrans($1, dirsrv_var_run_t, dir)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_pid_filetrans'($*)) dnl
')
#######################################
##
## Allow a domain to read dirsrv /var/run files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_read_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_read_var_run'($*)) dnl
gen_require(`
type dirsrv_var_run_t;
')
allow $1 dirsrv_var_run_t:dir list_dir_perms;
allow $1 dirsrv_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_read_var_run'($*)) dnl
')
########################################
##
## Manage dirsrv configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_config'($*)) dnl
gen_require(`
type dirsrv_config_t;
')
allow $1 dirsrv_config_t:dir manage_dir_perms;
allow $1 dirsrv_config_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_config'($*)) dnl
')
########################################
##
## Read dirsrv share files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_read_share',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_read_share'($*)) dnl
gen_require(`
type dirsrv_share_t;
')
allow $1 dirsrv_share_t:dir list_dir_perms;
allow $1 dirsrv_share_t:file { map read_file_perms };
allow $1 dirsrv_share_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_read_share'($*)) dnl
')
########################################
##
## Allow dirsrv noatsecure
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_noatsecure'($*)) dnl
gen_require(`
type dirsrv_t;
')
allow $1 dirsrv_t:process { noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_noatsecure'($*)) dnl
')
## Distributed compiler daemon.
########################################
##
## All of the rules required to
## administrate an distcc environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`distcc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `distcc_admin'($*)) dnl
gen_require(`
type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
')
allow $1 distccd_t:process { ptrace signal_perms };
ps_process_pattern($1, distccd_t)
init_labeled_script_domtrans($1, distccd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 distccd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, distccd_log_t)
files_search_tmp($1)
admin_pattern($1, distccd_tmp_t)
files_search_pids($1)
admin_pattern($1, distccd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `distcc_admin'($*)) dnl
')
## Small and secure DNS daemon.
#######################################
##
## The template to define a djbdns domain.
##
##
##
## Domain prefix to be used.
##
##
#
define(`djbdns_daemontools_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `djbdns_daemontools_domain_template'($*)) dnl
gen_require(`
attribute djbdns_domain;
')
########################################
#
# Declarations
#
type djbdns_$1_t, djbdns_domain;
type djbdns_$1_exec_t;
domain_type(djbdns_$1_t)
domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
role system_r types djbdns_$1_t;
type djbdns_$1_conf_t;
files_config_file(djbdns_$1_conf_t)
########################################
#
# Local policy
#
daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
daemontools_read_svc(djbdns_$1_t)
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
corenet_all_recvfrom_netlabel(djbdns_$1_t)
corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
corenet_udp_sendrecv_generic_if(djbdns_$1_t)
corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
corenet_udp_sendrecv_generic_node(djbdns_$1_t)
corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
corenet_udp_sendrecv_all_ports(djbdns_$1_t)
corenet_tcp_bind_generic_node(djbdns_$1_t)
corenet_udp_bind_generic_node(djbdns_$1_t)
corenet_tcp_bind_dns_port(djbdns_$1_t)
corenet_udp_bind_dns_port(djbdns_$1_t)
corenet_udp_bind_generic_port(djbdns_$1_t)
corenet_sendrecv_dns_server_packets(djbdns_$1_t)
corenet_sendrecv_generic_server_packets(djbdns_$1_t)
files_search_var(djbdns_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `djbdns_daemontools_domain_template'($*)) dnl
')
#####################################
##
## Search djbdns-tinydns key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`djbdns_search_tinydns_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `djbdns_search_tinydns_keys'($*)) dnl
gen_require(`
type djbdns_tinydns_t;
')
allow $1 djbdns_tinydns_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `djbdns_search_tinydns_keys'($*)) dnl
')
#####################################
##
## Link djbdns-tinydns key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`djbdns_link_tinydns_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `djbdns_link_tinydns_keys'($*)) dnl
gen_require(`
type djbdns_tinydn_t;
')
allow $1 djbdns_tinydn_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `djbdns_link_tinydns_keys'($*)) dnl
')
## DomainKeys Identified Mail milter.
########################################
##
## All of the rules required to
## administrate an dkim environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dkim_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dkim_admin'($*)) dnl
gen_require(`
type dkim_milter_t, dkim_milter_initrc_exec_t, dkim_milter_private_key_t;
type dkim_milter_data_t;
')
allow $1 dkim_milter_t:process { ptrace signal_perms };
ps_process_pattern($1, dkim_milter_t)
init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dkim_milter_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, dkim_milter_private_key_t)
files_search_pids($1)
admin_pattern($1, dkim_milter_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dkim_admin'($*)) dnl
')
## Decode DMI data for x86/ia64 bioses.
########################################
##
## Execute dmidecode in the dmidecode domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dmidecode_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_domtrans'($*)) dnl
gen_require(`
type dmidecode_t, dmidecode_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_domtrans'($*)) dnl
')
######################################
##
## Execute dmidecode in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dmidecode_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_exec'($*)) dnl
gen_require(`
type dmidecode_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dmidecode_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_exec'($*)) dnl
')
########################################
##
## Execute dmidecode in the dmidecode
## domain, and allow the specified
## role the dmidecode domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dmidecode_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_run'($*)) dnl
gen_require(`
attribute_role dmidecode_roles;
')
dmidecode_domtrans($1)
roleattribute $2 dmidecode_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_run'($*)) dnl
')
## DNS forwarder and DHCP server.
########################################
##
## Execute dnsmasq server in the dnsmasq domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnsmasq_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_domtrans'($*)) dnl
gen_require(`
type dnsmasq_exec_t, dnsmasq_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_domtrans'($*)) dnl
')
#######################################
##
## Execute dnsmasq server in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnsmasq_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_exec'($*)) dnl
gen_require(`
type dnsmasq_exec_t;
')
can_exec($1, dnsmasq_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_exec'($*)) dnl
')
########################################
##
## Allow read/write dnsmasq pipes
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_rw_inherited_pipes'($*)) dnl
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_rw_inherited_pipes'($*)) dnl
')
########################################
##
## Execute the dnsmasq init script in
## the init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
#
define(`dnsmasq_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_initrc_domtrans'($*)) dnl
gen_require(`
type dnsmasq_initrc_exec_t;
')
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute dnsmasq server in the dnsmasq domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnsmasq_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_systemctl'($*)) dnl
gen_require(`
type dnsmasq_unit_file_t;
type dnsmasq_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 dnsmasq_unit_file_t:file read_file_perms;
allow $1 dnsmasq_unit_file_t:service manage_service_perms;
ps_process_pattern($1, dnsmasq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_systemctl'($*)) dnl
')
########################################
##
## Send sigchld to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_sigchld'($*)) dnl
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_sigchld'($*)) dnl
')
########################################
##
## Send generic signals to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_signal'($*)) dnl
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_signal'($*)) dnl
')
########################################
##
## Send null signals to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_signull'($*)) dnl
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_signull'($*)) dnl
')
########################################
##
## Send kill signals to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_kill'($*)) dnl
gen_require(`
type dnsmasq_t;
')
allow $1 dnsmasq_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_kill'($*)) dnl
')
########################################
##
## Read dnsmasq config files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_config'($*)) dnl
gen_require(`
type dnsmasq_etc_t;
')
read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_config'($*)) dnl
')
########################################
##
## Write dnsmasq config files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_write_config'($*)) dnl
gen_require(`
type dnsmasq_etc_t;
')
write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_write_config'($*)) dnl
')
########################################
##
## Delete dnsmasq pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_delete_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_delete_pid_files'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_delete_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## dnsmasq pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_manage_pid_files'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_manage_pid_files'($*)) dnl
')
########################################
##
## Read dnsmasq pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_pid_files'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_pid_files'($*)) dnl
')
########################################
##
## Create dnsmasq pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_create_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_create_pid_dirs'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
files_search_pids($1)
allow $1 dnsmasq_var_run_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_create_pid_dirs'($*)) dnl
')
########################################
##
## Create dnsmasq pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_state'($*)) dnl
gen_require(`
type dnsmasq_t;
')
ps_process_pattern($1, dnsmasq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_state'($*)) dnl
')
########################################
##
## Transition to dnsmasq named content
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the directory for the object to be created.
##
##
#
define(`dnsmasq_filetrans_named_content_fromdir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_filetrans_named_content_fromdir'($*)) dnl
gen_require(`
type dnsmasq_var_run_t;
')
filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_filetrans_named_content_fromdir'($*)) dnl
')
#######################################
##
## Transition to dnsmasq named content
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_filetrans_named_content'($*)) dnl
gen_require(`
type dnsmasq_etc_t;
type dnsmasq_var_run_t;
')
files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an dnsmasq environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dnsmasq_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_admin'($*)) dnl
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
type dnsmasq_var_log_t;
type dnsmasq_initrc_exec_t;
type dnsmasq_unit_file_t;
')
allow $1 dnsmasq_t:process signal_perms;
ps_process_pattern($1, dnsmasq_t)
tunable_policy(`deny_ptrace',`',`
allow $1 dnsmasq_t:process ptrace;
')
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
logging_search_logs($1)
admin_pattern($1, dnsmasq_var_log_t)
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
dnsmasq_systemctl($1)
admin_pattern($1, dnsmasq_unit_file_t)
allow $1 dnsmasq_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_admin'($*)) dnl
')
########################################
##
## Send and receive messages from
## dnsmasq over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_dbus_chat'($*)) dnl
gen_require(`
type dnsmasq_t;
class dbus send_msg;
')
allow $1 dnsmasq_t:dbus send_msg;
allow dnsmasq_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_dbus_chat'($*)) dnl
')
## policy for dnssec_trigger
########################################
##
## Transition to dnssec_trigger.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnssec_trigger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_domtrans'($*)) dnl
gen_require(`
type dnssec_trigger_t, dnssec_trigger_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_domtrans'($*)) dnl
')
########################################
##
## Read dnssec_trigger PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnssec_trigger_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_read_pid_files'($*)) dnl
gen_require(`
type dnssec_trigger_var_run_t;
')
files_search_pids($1)
allow $1 dnssec_trigger_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_read_pid_files'($*)) dnl
')
########################################
##
## Manage dnssec_trigger PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnssec_trigger_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_manage_pid_files'($*)) dnl
gen_require(`
type dnssec_trigger_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_manage_pid_files'($*)) dnl
')
########################################
##
## Send signull to dnssec_trigger.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnssec_trigger_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_signull'($*)) dnl
gen_require(`
type dnssec_trigger_t;
')
allow $1 dnssec_trigger_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_signull'($*)) dnl
')
########################################
##
## Send sigkill to dnssec_trigger.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnssec_trigger_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_sigkill'($*)) dnl
gen_require(`
type dnssec_trigger_t;
')
allow $1 dnssec_trigger_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_sigkill'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an dnssec_trigger environment
##
##
##
## Domain allowed access.
##
##
#
define(`dnssec_trigger_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_admin'($*)) dnl
gen_require(`
type dnssec_trigger_t;
type dnssec_trigger_var_run_t;
')
allow $1 dnssec_trigger_t:process { ptrace signal_perms };
ps_process_pattern($1, dnssec_trigger_t)
files_search_pids($1)
admin_pattern($1, dnssec_trigger_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_admin'($*)) dnl
')
## Dovecot POP and IMAP mail server
######################################
##
## Creates types and rules for a basic
## dovecot daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`dovecot_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_basic_types_template'($*)) dnl
gen_require(`
attribute dovecot_domain;
')
type $1_t, dovecot_domain;
type $1_exec_t;
kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_basic_types_template'($*)) dnl
')
#######################################
##
## Connect to dovecot unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dovecot_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_stream_connect'($*)) dnl
gen_require(`
type dovecot_t, dovecot_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_stream_connect'($*)) dnl
')
########################################
##
## Connect to dovecot auth unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dovecot_stream_connect_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_stream_connect_auth'($*)) dnl
gen_require(`
type dovecot_auth_t, dovecot_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_stream_connect_auth'($*)) dnl
')
########################################
##
## Execute dovecot_deliver in the dovecot_deliver domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dovecot_domtrans_deliver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_domtrans_deliver'($*)) dnl
gen_require(`
type dovecot_deliver_t, dovecot_deliver_exec_t;
')
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_domtrans_deliver'($*)) dnl
')
########################################
##
## Create, read, write, and delete the dovecot spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`dovecot_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_manage_spool'($*)) dnl
gen_require(`
type dovecot_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_manage_spool'($*)) dnl
')
########################################
##
## Do not audit attempts to delete dovecot lib files.
##
##
##
## Domain to not audit.
##
##
#
define(`dovecot_dontaudit_unlink_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_dontaudit_unlink_lib_files'($*)) dnl
gen_require(`
type dovecot_var_lib_t;
')
dontaudit $1 dovecot_var_lib_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_dontaudit_unlink_lib_files'($*)) dnl
')
######################################
##
## Allow attempts to write inherited
## dovecot tmp files.
##
##
##
## Domain to not audit.
##
##
#
define(`dovecot_write_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_write_inherited_tmp_files'($*)) dnl
gen_require(`
type dovecot_tmp_t;
')
allow $1 dovecot_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_write_inherited_tmp_files'($*)) dnl
')
####################################
##
## Read dovecot configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`dovecot_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_read_config'($*)) dnl
gen_require(`
type dovecot_etc_t;
')
files_search_etc($1)
list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_read_config'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an dovecot environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the dovecot domain.
##
##
##
#
define(`dovecot_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_admin'($*)) dnl
gen_require(`
type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
type dovecot_keytab_t;
')
allow $1 dovecot_t:process signal_perms;
ps_process_pattern($1, dovecot_t)
tunable_policy(`deny_ptrace',`',`
allow $1 dovecot_t:process ptrace;
')
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dovecot_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
files_list_tmp($1)
admin_pattern($1, dovecot_auth_tmp_t)
admin_pattern($1, dovecot_tmp_t)
admin_pattern($1, dovecot_keytab_t)
files_list_spool($1)
admin_pattern($1, dovecot_spool_t)
files_list_var_lib($1)
admin_pattern($1, dovecot_var_lib_t)
logging_search_logs($1)
admin_pattern($1, dovecot_var_log_t)
files_list_pids($1)
admin_pattern($1, dovecot_var_run_t)
admin_pattern($1, dovecot_cert_t)
admin_pattern($1, dovecot_passwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_admin'($*)) dnl
')
## Debian package manager.
########################################
##
## Execute dpkg programs in the dpkg domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dpkg_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_domtrans'($*)) dnl
gen_require(`
type dpkg_t, dpkg_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dpkg_exec_t, dpkg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_domtrans'($*)) dnl
')
########################################
##
## Execute the dkpg in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_exec'($*)) dnl
gen_require(`
type dpkg_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dpkg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_exec'($*)) dnl
')
########################################
##
## Execute dpkg_script programs in
## the dpkg_script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dpkg_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_domtrans_script'($*)) dnl
gen_require(`
type dpkg_script_t;
')
corecmd_shell_domtrans($1, dpkg_script_t)
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_domtrans_script'($*)) dnl
')
########################################
##
## Execute dpkg programs in the dpkg domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dpkg_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_run'($*)) dnl
gen_require(`
attribute_role dpkg_roles;
')
dpkg_domtrans($1)
roleattribute $2 dpkg_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_run'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from dpkg.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_use_fds'($*)) dnl
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_use_fds'($*)) dnl
')
########################################
##
## Read from unnamed dpkg pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_read_pipes'($*)) dnl
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_read_pipes'($*)) dnl
')
########################################
##
## Read and write unnamed dpkg pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_rw_pipes'($*)) dnl
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_rw_pipes'($*)) dnl
')
########################################
##
## Inherit and use file descriptors
## from dpkg scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_use_script_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_use_script_fds'($*)) dnl
gen_require(`
type dpkg_script_t;
')
allow $1 dpkg_script_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_use_script_fds'($*)) dnl
')
########################################
##
## Read dpkg package database content.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_read_db'($*)) dnl
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_read_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## dpkg package database content.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_manage_db'($*)) dnl
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_manage_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete dpkg
## package database content.
##
##
##
## Domain to not audit.
##
##
#
define(`dpkg_dontaudit_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_dontaudit_manage_db'($*)) dnl
gen_require(`
type dpkg_var_lib_t;
')
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_dontaudit_manage_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## dpkg lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`dpkg_lock_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_lock_db'($*)) dnl
gen_require(`
type dpkg_lock_t, dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_lock_db'($*)) dnl
')
## Mirrors a block device over the network to another machine.
########################################
##
## Execute a domain transition to run drbd.
##
##
##
## Domain allowed access.
##
##
#
define(`drbd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_domtrans'($*)) dnl
gen_require(`
type drbd_t, drbd_exec_t;
')
domtrans_pattern($1, drbd_exec_t, drbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_domtrans'($*)) dnl
')
########################################
##
## Search drbd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`drbd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_search_lib'($*)) dnl
gen_require(`
type drbd_var_lib_t;
')
allow $1 drbd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_search_lib'($*)) dnl
')
########################################
##
## Read drbd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`drbd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_read_lib_files'($*)) dnl
gen_require(`
type drbd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## drbd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`drbd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_manage_lib_files'($*)) dnl
gen_require(`
type drbd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage drbd lib dirs files.
##
##
##
## Domain allowed access.
##
##
#
define(`drbd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_manage_lib_dirs'($*)) dnl
gen_require(`
type drbd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an drbd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`drbd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_admin'($*)) dnl
gen_require(`
type drbd_t, drbd_initrc_exec_t, drbd_lock_t;
type drbd_var_lib_t;
')
allow $1 drbd_t:process signal_perms;
ps_process_pattern($1, drbd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 drbd_t:process ptrace;
')
init_labeled_script_domtrans($1, drbd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 drbd_initrc_exec_t system_r;
allow $2 system_r;
files_search_locks($1)
admin_pattern($1, drbd_lock_t)
files_search_var_lib($1)
admin_pattern($1, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_admin'($*)) dnl
')
## policy for dspam
########################################
##
## Execute a domain transition to run dspam.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_domtrans'($*)) dnl
gen_require(`
type dspam_t, dspam_exec_t;
')
domtrans_pattern($1, dspam_exec_t, dspam_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_domtrans'($*)) dnl
')
########################################
##
## Execute dspam server in the dspam domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`dspam_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_initrc_domtrans'($*)) dnl
gen_require(`
type dspam_initrc_exec_t;
')
init_labeled_script_domtrans($1, dspam_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_initrc_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to read dspam's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dspam_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_read_log'($*)) dnl
gen_require(`
type dspam_log_t;
')
logging_search_logs($1)
read_files_pattern($1, dspam_log_t, dspam_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## dspam log files.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dspam_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_append_log'($*)) dnl
gen_require(`
type dspam_log_t;
')
logging_search_logs($1)
append_files_pattern($1, dspam_log_t, dspam_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_append_log'($*)) dnl
')
########################################
##
## Allow domain to manage dspam log files
##
##
##
## Domain to not audit.
##
##
#
define(`dspam_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_manage_log'($*)) dnl
gen_require(`
type dspam_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
manage_files_pattern($1, dspam_log_t, dspam_log_t)
manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_manage_log'($*)) dnl
')
########################################
##
## Search dspam lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_search_lib'($*)) dnl
gen_require(`
type dspam_var_lib_t;
')
allow $1 dspam_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_search_lib'($*)) dnl
')
########################################
##
## Read dspam lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_read_lib_files'($*)) dnl
gen_require(`
type dspam_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## dspam lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_manage_lib_files'($*)) dnl
gen_require(`
type dspam_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_manage_lib_files'($*)) dnl
')
########################################
##
## Manage dspam lib dirs files.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_manage_lib_dirs'($*)) dnl
gen_require(`
type dspam_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read dspam PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_read_pid_files'($*)) dnl
gen_require(`
type dspam_var_run_t;
')
files_search_pids($1)
allow $1 dspam_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_read_pid_files'($*)) dnl
')
#######################################
##
## Connect to DSPAM using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dspam_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_stream_connect'($*)) dnl
gen_require(`
type dspam_t, dspam_var_run_t, dspam_tmp_t;
')
files_search_pids($1)
files_search_tmp($1)
stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an dspam environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dspam_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_admin'($*)) dnl
gen_require(`
type dspam_t;
type dspam_initrc_exec_t;
type dspam_log_t;
type dspam_var_lib_t;
type dspam_var_run_t;
')
allow $1 dspam_t:process signal_perms;
ps_process_pattern($1, dspam_t)
tunable_policy(`deny_ptrace',`',`
allow $1 dspam_t:process ptrace;
')
dspam_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 dspam_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, dspam_log_t)
files_search_var_lib($1)
admin_pattern($1, dspam_var_lib_t)
files_search_pids($1)
admin_pattern($1, dspam_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_admin'($*)) dnl
')
## Generate entropy from audio input.
########################################
##
## All of the rules required to
## administrate an entropyd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`entropyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `entropyd_admin'($*)) dnl
gen_require(`
type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;
')
allow $1 entropyd_t:process { ptrace signal_perms };
ps_process_pattern($1, entropyd_t)
init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 entropyd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, entropyd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `entropyd_admin'($*)) dnl
')
## Evolution email client.
########################################
##
## Role access for evolution.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`evolution_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_role'($*)) dnl
gen_require(`
attribute_role evolution_roles;
type evolution_t, evolution_exec_t, evolution_home_t;
type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t;
type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t;
type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t;
type evolution_server_t, evolution_server_exec_t, evolution_webcal_t;
type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t;
type evolution_tmpfs_t, evolution_webcal_tmpfs_t;
')
roleattribute $1 evolution_roles;
domtrans_pattern($2, evolution_exec_t, evolution_t)
domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
ps_process_pattern($2, { evolution_server_t evolution_webcal_t })
allow evolution_t $2:dir search_dir_perms;
allow evolution_t $2:file read_file_perms;
allow evolution_t $2:lnk_file read_lnk_file_perms;
allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms };
userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs")
userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution")
allow $2 evolution_exchange_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
optional_policy(`
evolution_dbus_chat($2)
evolution_alarm_dbus_chat($2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_role'($*)) dnl
')
########################################
##
## Create objects in the evolution home
## directories with a private type.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`evolution_home_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_home_filetrans'($*)) dnl
gen_require(`
type evolution_home_t;
')
userdom_search_user_home_dirs($1)
filetrans_pattern($1, evolution_home_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_home_filetrans'($*)) dnl
')
########################################
##
## Connect to evolution using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`evolution_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_stream_connect'($*)) dnl
gen_require(`
type evolution_t, evolution_orbit_tmp_t;
')
files_search_tmp($1)
stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_stream_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## evolution over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`evolution_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_dbus_chat'($*)) dnl
gen_require(`
type evolution_t;
class dbus send_msg;
')
allow $1 evolution_t:dbus send_msg;
allow evolution_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## evolution_alarm over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`evolution_alarm_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_alarm_dbus_chat'($*)) dnl
gen_require(`
type evolution_alarm_t;
class dbus send_msg;
')
allow $1 evolution_alarm_t:dbus send_msg;
allow evolution_alarm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_alarm_dbus_chat'($*)) dnl
')
## Mail transfer agent.
########################################
##
## Execute a domain transition to run exim.
##
##
##
## Domain allowed to transition.
##
##
#
define(`exim_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_domtrans'($*)) dnl
gen_require(`
type exim_t, exim_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, exim_exec_t, exim_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_domtrans'($*)) dnl
')
########################################
##
## Execute the mailman program in the mailman domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the mailman domain.
##
##
##
#
define(`exim_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_run'($*)) dnl
gen_require(`
type exim_t;
')
exim_domtrans($1)
role $2 types exim_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_run'($*)) dnl
')
########################################
##
## Execute exim in the exim domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`exim_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_initrc_domtrans'($*)) dnl
gen_require(`
type exim_initrc_exec_t;
')
init_labeled_script_domtrans($1, exim_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_initrc_domtrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read,
## exim tmp files
##
##
##
## Domain to not audit.
##
##
#
define(`exim_dontaudit_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_dontaudit_read_tmp_files'($*)) dnl
gen_require(`
type exim_tmp_t;
')
dontaudit $1 exim_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_dontaudit_read_tmp_files'($*)) dnl
')
########################################
##
## Allow domain to read, exim tmp files
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_tmp_files'($*)) dnl
gen_require(`
type exim_tmp_t;
')
allow $1 exim_tmp_t:file read_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_tmp_files'($*)) dnl
')
########################################
##
## Read exim PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_pid_files'($*)) dnl
gen_require(`
type exim_var_run_t;
')
allow $1 exim_var_run_t:file read_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_pid_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read exim's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`exim_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_log'($*)) dnl
gen_require(`
type exim_log_t;
')
read_files_pattern($1, exim_log_t, exim_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## exim log files.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_append_log'($*)) dnl
gen_require(`
type exim_log_t;
')
append_files_pattern($1, exim_log_t, exim_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_append_log'($*)) dnl
')
########################################
##
## Allow the specified domain to manage exim's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`exim_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_log'($*)) dnl
gen_require(`
type exim_log_t;
')
manage_files_pattern($1, exim_log_t, exim_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## exim spool dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_spool_dirs'($*)) dnl
gen_require(`
type exim_spool_t;
')
manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_spool_dirs'($*)) dnl
')
########################################
##
## Read exim spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_spool_files'($*)) dnl
gen_require(`
type exim_spool_t;
')
allow $1 exim_spool_t:file read_file_perms;
allow $1 exim_spool_t:dir list_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_spool_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## exim spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_spool_files'($*)) dnl
gen_require(`
type exim_spool_t;
')
manage_files_pattern($1, exim_spool_t, exim_spool_t)
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_spool_files'($*)) dnl
')
########################################
##
## Read exim var lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_var_lib_files'($*)) dnl
gen_require(`
type exim_var_lib_t;
')
read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_var_lib_files'($*)) dnl
')
########################################
##
## Create, read, and write exim var lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`exim_manage_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_var_lib_files'($*)) dnl
gen_require(`
type exim_var_lib_t;
')
manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_var_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an exim environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`exim_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_admin'($*)) dnl
gen_require(`
type exim_t, exim_spool_t, exim_log_t;
type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
type exim_keytab_t;
')
allow $1 exim_t:process signal_perms;
ps_process_pattern($1, exim_t)
tunable_policy(`deny_ptrace',`',`
allow $1 exim_t:process ptrace;
')
exim_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, exim_keytab_t)
files_search_spool($1)
admin_pattern($1, exim_spool_t)
logging_search_logs($1)
admin_pattern($1, exim_log_t)
files_search_pids($1)
admin_pattern($1, exim_var_run_t)
files_search_tmp($1)
admin_pattern($1, exim_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_admin'($*)) dnl
')
## Update firewall filtering to ban IP addresses with too many password failures.
########################################
##
## Execute a domain transition to run fail2ban.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fail2ban_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans'($*)) dnl
gen_require(`
type fail2ban_t, fail2ban_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_domtrans'($*)) dnl
')
#######################################
##
## Execute the fail2ban client in
## the fail2ban client domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fail2ban_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans_client'($*)) dnl
gen_require(`
type fail2ban_client_t, fail2ban_client_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_domtrans_client'($*)) dnl
')
#######################################
##
## Execute fail2ban client in the
## fail2ban client domain, and allow
## the specified role the fail2ban
## client domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`fail2ban_run_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_run_client'($*)) dnl
gen_require(`
attribute_role fail2ban_client_roles;
')
fail2ban_domtrans_client($1)
roleattribute $2 fail2ban_client_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_run_client'($*)) dnl
')
#####################################
##
## Connect to fail2ban over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_stream_connect'($*)) dnl
gen_require(`
type fail2ban_t, fail2ban_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_stream_connect'($*)) dnl
')
########################################
##
## Read and write inherited temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_rw_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_rw_inherited_tmp_files'($*)) dnl
gen_require(`
type fail2ban_tmp_t;
')
files_search_tmp($1)
allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_rw_inherited_tmp_files'($*)) dnl
')
########################################
##
## Read and write to an fail2ba unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_rw_stream_sockets'($*)) dnl
gen_require(`
type fail2ban_t;
')
allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_rw_stream_sockets'($*)) dnl
')
#######################################
##
## Do not audit attempts to use
## fail2ban file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`fail2ban_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_use_fds'($*)) dnl
gen_require(`
type fail2ban_t;
')
dontaudit $1 fail2ban_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_use_fds'($*)) dnl
')
#######################################
##
## Do not audit attempts to read and
## write fail2ban unix stream sockets
##
##
##
## Domain to not audit.
##
##
#
define(`fail2ban_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type fail2ban_t;
')
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## Read fail2ban lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_lib_files'($*)) dnl
gen_require(`
type fail2ban_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_lib_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read fail2ban's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fail2ban_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_log'($*)) dnl
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## fail2ban log files.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_append_log'($*)) dnl
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_append_log'($*)) dnl
')
########################################
##
## Read fail2ban PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`fail2ban_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_pid_files'($*)) dnl
gen_require(`
type fail2ban_var_run_t;
')
files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_pid_files'($*)) dnl
')
########################################
##
## dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`fail2ban_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_leaks'($*)) dnl
gen_require(`
type fail2ban_t;
')
dontaudit $1 fail2ban_t:tcp_socket { read write };
dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_leaks'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an fail2ban environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the fail2ban domain.
##
##
##
#
define(`fail2ban_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_admin'($*)) dnl
gen_require(`
type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
type fail2ban_client_t;
')
allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
tunable_policy(`deny_ptrace',`',`
allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
')
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
files_list_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)
files_list_tmp($1)
admin_pattern($1, fail2ban_tmp_t)
fail2ban_run_client($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_admin'($*)) dnl
')
## Fibre Channel over Ethernet utilities.
#######################################
##
## Send to fcoemon with a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`fcoe_dgram_send_fcoemon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fcoe_dgram_send_fcoemon'($*)) dnl
gen_require(`
type fcoemon_t, fcoemon_var_run_t;
')
files_search_pids($1)
dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fcoe_dgram_send_fcoemon'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an fcoemon environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`fcoe_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fcoe_admin'($*)) dnl
gen_require(`
type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_var_run_t;
')
allow $1 fcoemon_t:process { ptrace signal_perms };
ps_process_pattern($1, fcoemon_t)
init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fcoemon_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fcoe_admin'($*)) dnl
')
## Remote-mail retrieval and forwarding utility.
########################################
##
## All of the rules required to
## administrate an fetchmail environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`fetchmail_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fetchmail_admin'($*)) dnl
gen_require(`
type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
')
ps_process_pattern($1, fetchmail_t)
tunable_policy(`deny_ptrace',`',`
allow $1 fetchmail_t:process ptrace;
')
init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fetchmail_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
files_search_var_lib($1)
admin_pattern($1, fetchmail_uidl_cache_t)
files_list_pids($1)
admin_pattern($1, fetchmail_var_run_t)
logging_search_logs($1)
admin_pattern($1, fetchmail_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fetchmail_admin'($*)) dnl
')
## Finger user information service.
########################################
##
## Execute fingerd in the fingerd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`finger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `finger_domtrans'($*)) dnl
gen_require(`
type fingerd_t, fingerd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fingerd_exec_t, fingerd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `finger_domtrans'($*)) dnl
')
########################################
##
## Connect to fingerd with a tcp socket. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`finger_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `finger_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `finger_tcp_connect'($*)) dnl
')
## Service daemon with a D-BUS interface that provides a dynamic managed firewall.
########################################
##
## Read firewalld config
##
##
##
## Domain allowed access.
##
##
#
define(`firewalld_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_read_config'($*)) dnl
gen_require(`
type firewalld_etc_rw_t;
')
files_search_etc($1)
read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_read_config'($*)) dnl
')
########################################
##
## Execute firewalld server in the firewalld domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`firewalld_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_initrc_domtrans'($*)) dnl
gen_require(`
type firewalld_initrc_exec_t;
')
init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute firewalld server in the firewalld domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`firewalld_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_systemctl'($*)) dnl
gen_require(`
type firewalld_t;
type firewalld_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 firewalld_unit_file_t:file read_file_perms;
allow $1 firewalld_unit_file_t:service manage_service_perms;
ps_process_pattern($1, firewalld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_systemctl'($*)) dnl
')
########################################
##
## Send and receive messages from
## firewalld over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`firewalld_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_dbus_chat'($*)) dnl
gen_require(`
type firewalld_t;
class dbus send_msg;
')
allow $1 firewalld_t:dbus send_msg;
allow firewalld_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_dbus_chat'($*)) dnl
')
########################################
##
## Dontaudit attempts to write
## firewalld tmp files.
##
##
##
## Domain to not audit.
##
##
#
define(`firewalld_dontaudit_write_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_dontaudit_write_tmp_files'($*)) dnl
gen_require(`
type firewalld_tmp_t;
')
dontaudit $1 firewalld_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_dontaudit_write_tmp_files'($*)) dnl
')
########################################
##
## Read firewalld PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`firewalld_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_read_pid_files'($*)) dnl
gen_require(`
type firewalld_var_run_t;
')
files_search_pids($1)
allow $1 firewalld_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_read_pid_files'($*)) dnl
')
########################################
##
## Dontaudit read and write leaked firewalld file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`firewalld_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_dontaudit_leaks'($*)) dnl
gen_require(`
type firewalld_tmpfs_t;
')
dontaudit $1 firewalld_tmpfs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_dontaudit_leaks'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an firewalld environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`firewalld_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_admin'($*)) dnl
gen_require(`
type firewalld_t, firewalld_initrc_exec_t;
type firewalld_etc_rw_t, firewalld_var_run_t;
type firewalld_var_log_t;
')
allow $1 firewalld_t:process signal_perms;
ps_process_pattern($1, firewalld_t)
tunable_policy(`deny_ptrace',`',`
allow $1 firewalld_t:process ptrace;
')
firewalld_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, firewalld_var_run_t)
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
admin_pattern($1, firewalld_etc_rw_t)
admin_pattern($1, firewalld_unit_file_t)
firewalld_systemctl($1)
allow $1 firewalld_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_admin'($*)) dnl
')
## system-config-firewall dbus system service.
########################################
##
## Send and receive messages from
## firewallgui over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`firewallgui_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewallgui_dbus_chat'($*)) dnl
gen_require(`
type firewallgui_t;
class dbus send_msg;
')
allow $1 firewallgui_t:dbus send_msg;
allow firewallgui_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewallgui_dbus_chat'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write firewallgui unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`firewallgui_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewallgui_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type firewallgui_t;
')
dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewallgui_dontaudit_rw_pipes'($*)) dnl
')
##
## Final system configuration run during the first boot
## after installation of Red Hat/Fedora systems.
##
########################################
##
## Execute firstboot in the firstboot domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`firstboot_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_domtrans'($*)) dnl
gen_require(`
type firstboot_t, firstboot_exec_t;
')
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_domtrans'($*)) dnl
')
########################################
##
## Execute firstboot in the firstboot domain, and
## allow the specified role the firstboot domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`firstboot_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_run'($*)) dnl
gen_require(`
type firstboot_t;
')
firstboot_domtrans($1)
role $2 types firstboot_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_run'($*)) dnl
')
########################################
##
## Inherit and use a file descriptor from firstboot.
##
##
##
## Domain allowed access.
##
##
#
define(`firstboot_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_use_fds'($*)) dnl
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit a
## file descriptor from firstboot.
##
##
##
## Domain to not audit.
##
##
#
define(`firstboot_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_use_fds'($*)) dnl
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_use_fds'($*)) dnl
')
########################################
##
## dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`firstboot_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_leaks'($*)) dnl
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:socket_class_set { read write };
dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_leaks'($*)) dnl
')
########################################
##
## Write to a firstboot unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`firstboot_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_write_pipes'($*)) dnl
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fd use;
allow $1 firstboot_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_write_pipes'($*)) dnl
')
########################################
##
## Read and Write to a firstboot unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`firstboot_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_rw_pipes'($*)) dnl
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attemps to read and write to a firstboot unnamed pipe.
##
##
##
## Domain to not audit.
##
##
#
define(`firstboot_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attemps to read and write to a firstboot
## unix domain stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`firstboot_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_stream_sockets'($*)) dnl
')
##
## DBus fingerprint reader service.
########################################
##
## Execute a domain transition to run fprintd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fprintd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fprintd_domtrans'($*)) dnl
gen_require(`
type fprintd_t, fprintd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fprintd_exec_t, fprintd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fprintd_domtrans'($*)) dnl
')
######################################
##
## Execute fprintd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`fprintd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fprintd_exec'($*)) dnl
gen_require(`
type fprintd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, fprintd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fprintd_exec'($*)) dnl
')
########################################
##
## Send and receive messages from
## fprintd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`fprintd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fprintd_dbus_chat'($*)) dnl
gen_require(`
type fprintd_t;
class dbus send_msg;
')
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fprintd_dbus_chat'($*)) dnl
')
########################################
##
## Mounton fprintd lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`fprintd_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fprintd_mounton_var_lib'($*)) dnl
gen_require(`
type fprintd_var_lib_t;
')
allow $1 fprintd_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fprintd_mounton_var_lib'($*)) dnl
')
########################################
##
## Read fprintd lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`fprintd_read_var_lib_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fprintd_read_var_lib_dir'($*)) dnl
gen_require(`
type fprintd_var_lib_t;
')
allow $1 fprintd_var_lib_t:dir { list_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fprintd_read_var_lib_dir'($*)) dnl
')
########################################
##
## Setattr fprintd lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`fprintd_setattr_var_lib_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fprintd_setattr_var_lib_dir'($*)) dnl
gen_require(`
type fprintd_var_lib_t;
')
allow $1 fprintd_var_lib_t:dir { setattr_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fprintd_setattr_var_lib_dir'($*)) dnl
')
## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification
#####################################
##
## Creates types and rules for a basic
## freeipmi init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`freeipmi_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freeipmi_domain_template'($*)) dnl
gen_require(`
attribute freeipmi_domain, freeipmi_pid;
')
#############################
#
# Declarations
#
type freeipmi_$1_t, freeipmi_domain;
type freeipmi_$1_exec_t;
init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
role system_r types freeipmi_$1_t;
type freeipmi_$1_unit_file_t;
systemd_unit_file(freeipmi_$1_unit_file_t)
type freeipmi_$1_var_run_t, freeipmi_pid;
files_pid_file(freeipmi_$1_var_run_t)
#############################
#
# Local policy
#
manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
kernel_read_system_state(freeipmi_$1_t)
corenet_all_recvfrom_netlabel(freeipmi_$1_t)
corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
auth_use_nsswitch(freeipmi_$1_t)
logging_send_syslog_msg(freeipmi_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freeipmi_domain_template'($*)) dnl
')
####################################
##
## Connect to cluster domains over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`freeipmi_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freeipmi_stream_connect'($*)) dnl
gen_require(`
attribute freeipmi_domain, freeipmi_pid;
')
files_search_pids($1)
stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freeipmi_stream_connect'($*)) dnl
')
## policy for freqset
########################################
##
## Execute TEMPLATE in the freqset domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`freqset_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freqset_domtrans'($*)) dnl
gen_require(`
type freqset_t, freqset_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, freqset_exec_t, freqset_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freqset_domtrans'($*)) dnl
')
########################################
##
## Execute freqset in the freqset domain, and
## allow the specified role the freqset domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed the freqset domain.
##
##
#
define(`freqset_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freqset_run'($*)) dnl
gen_require(`
type freqset_t;
attribute_role freqset_roles;
')
freqset_domtrans($1)
roleattribute $2 freqset_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freqset_run'($*)) dnl
')
########################################
##
## Role access for freqset
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`freqset_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freqset_role'($*)) dnl
gen_require(`
type freqset_t;
attribute_role freqset_roles;
')
roleattribute $1 freqset_roles;
freqset_domtrans($2)
ps_process_pattern($2, freqset_t)
allow $2 freqset_t:process { signull signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freqset_role'($*)) dnl
')
## File transfer protocol service.
######################################
##
## Execute a domain transition to run ftpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ftp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_domtrans'($*)) dnl
gen_require(`
type ftpd_t, ftpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,ftpd_exec_t, ftpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_domtrans'($*)) dnl
')
#######################################
##
## Execute ftpd server in the ftpd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`ftp_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_initrc_domtrans'($*)) dnl
gen_require(`
type ftpd_initrc_exec_t;
')
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute ftpd server in the ftpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ftp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_systemctl'($*)) dnl
gen_require(`
type ftpd_unit_file_t;
type ftpd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 ftpd_unit_file_t:file read_file_perms;
allow $1 ftpd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ftpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_systemctl'($*)) dnl
')
#######################################
##
## Execute a dyntransition to run anon sftpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ftp_dyntrans_anon_sftpd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_dyntrans_anon_sftpd'($*)) dnl
gen_require(`
type anon_sftpd_t;
')
dyntrans_pattern($1, anon_sftpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_dyntrans_anon_sftpd'($*)) dnl
')
########################################
##
## Connect to over ftpd over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_tcp_connect'($*)) dnl
')
########################################
##
## Read ftpd configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_read_config'($*)) dnl
gen_require(`
type ftpd_etc_t;
')
files_search_etc($1)
allow $1 ftpd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_read_config'($*)) dnl
')
########################################
##
## Execute FTP daemon entry point programs.
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_check_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_check_exec'($*)) dnl
gen_require(`
type ftpd_exec_t;
')
corecmd_search_bin($1)
allow $1 ftpd_exec_t:file mmap_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_check_exec'($*)) dnl
')
########################################
##
## Read ftpd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`ftp_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_read_log'($*)) dnl
gen_require(`
type xferlog_t;
')
logging_search_logs($1)
allow $1 xferlog_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_read_log'($*)) dnl
')
########################################
##
## Execute the ftpdctl in the ftpdctl domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ftp_domtrans_ftpdctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_domtrans_ftpdctl'($*)) dnl
gen_require(`
type ftpdctl_t, ftpdctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_domtrans_ftpdctl'($*)) dnl
')
########################################
##
## Execute the ftpdctl in the ftpdctl
## domain, and allow the specified
## role the ftpctl domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ftp_run_ftpdctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_run_ftpdctl'($*)) dnl
gen_require(`
attribute_role ftpdctl_roles;
')
ftp_domtrans_ftpdctl($1)
roleattribute $2 ftpdctl_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_run_ftpdctl'($*)) dnl
')
#######################################
##
## Execute a dyntransition to run sftpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ftp_dyntrans_sftpd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_dyntrans_sftpd'($*)) dnl
gen_require(`
type sftpd_t;
')
dyntrans_pattern($1, sftpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_dyntrans_sftpd'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an ftp environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ftp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_admin'($*)) dnl
gen_require(`
type ftpd_t, ftpdctl_t, ftpd_tmp_t;
type ftpd_etc_t, ftpd_lock_t, sftpd_t;
type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
type ftpd_initrc_exec_t, ftpdctl_tmp_t;
type ftpd_keytab_t;
')
allow $1 ftpd_t:process signal_perms;
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
tunable_policy(`deny_ptrace',`',`
allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
')
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ftpd_initrc_exec_t system_r;
allow $2 system_r;
miscfiles_manage_public_files($1)
files_list_tmp($1)
admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
files_list_etc($1)
admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
files_list_var($1)
admin_pattern($1, ftpd_lock_t)
files_list_pids($1)
admin_pattern($1, ftpd_var_run_t)
logging_list_logs($1)
admin_pattern($1, xferlog_t)
ftp_systemctl($1)
admin_pattern($1, ftpd_unit_file_t)
allow $1 ftpd_unit_file_t:service all_service_perms;
ftp_run_ftpdctl($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_admin'($*)) dnl
')
## fwupd is a daemon to allow session software to update device firmware
########################################
##
## Execute fwupd_exec_t in the fwupd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fwupd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_domtrans'($*)) dnl
gen_require(`
type fwupd_t, fwupd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fwupd_exec_t, fwupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_domtrans'($*)) dnl
')
######################################
##
## Execute fwupd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_exec'($*)) dnl
gen_require(`
type fwupd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, fwupd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_exec'($*)) dnl
')
########################################
##
## Read fwupd process state files.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_read_state'($*)) dnl
gen_require(`
type fwupd_t;
')
ps_process_pattern($1, fwupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_read_state'($*)) dnl
')
########################################
##
## Search fwupd cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_search_cache'($*)) dnl
gen_require(`
type fwupd_cache_t;
')
allow $1 fwupd_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_search_cache'($*)) dnl
')
########################################
##
## Allow the specified domain to delete
## fwupd cache.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_delete_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_delete_cache_files'($*)) dnl
gen_require(`
type fwupd_cache_t;
')
allow $1 fwupd_cache_t:dir rmdir;
delete_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_delete_cache_files'($*)) dnl
')
########################################
##
## Read fwupd cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_read_cache_files'($*)) dnl
gen_require(`
type fwupd_cache_t;
')
files_search_var($1)
read_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## fwupd cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_manage_cache_files'($*)) dnl
gen_require(`
type fwupd_cache_t;
')
files_search_var($1)
manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_manage_cache_files'($*)) dnl
')
########################################
##
## Manage fwupd cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_manage_cache_dirs'($*)) dnl
gen_require(`
type fwupd_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_manage_cache_dirs'($*)) dnl
')
########################################
##
## Search fwupd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_search_lib'($*)) dnl
gen_require(`
type fwupd_var_lib_t;
')
allow $1 fwupd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_search_lib'($*)) dnl
')
########################################
##
## Read fwupd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_read_lib_files'($*)) dnl
gen_require(`
type fwupd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_read_lib_files'($*)) dnl
')
########################################
##
## Manage fwupd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_manage_lib_files'($*)) dnl
gen_require(`
type fwupd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage fwupd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_manage_lib_dirs'($*)) dnl
gen_require(`
type fwupd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute fwupd server in the fwupd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fwupd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_systemctl'($*)) dnl
gen_require(`
type fwupd_t;
type fwupd_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 fwupd_unit_file_t:file read_file_perms;
allow $1 fwupd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, fwupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an fwupd environment
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_admin'($*)) dnl
gen_require(`
type fwupd_t;
type fwupd_cache_t;
type fwupd_var_lib_t;
type fwupd_unit_file_t;
')
allow $1 fwupd_t:process { signal_perms };
ps_process_pattern($1, fwupd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 fwupd_t:process ptrace;
')
files_search_var($1)
admin_pattern($1, fwupd_cache_t)
files_search_var_lib($1)
admin_pattern($1, fwupd_var_lib_t)
fwupd_systemctl($1)
admin_pattern($1, fwupd_unit_file_t)
allow $1 fwupd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_admin'($*)) dnl
')
########################################
##
## Send and receive messages from
## fwupd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`fwupd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_dbus_chat'($*)) dnl
gen_require(`
type fwupd_t;
class dbus send_msg;
')
allow $1 fwupd_t:dbus send_msg;
allow fwupd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_dbus_chat'($*)) dnl
')
## Various games.
########################################
##
## Role access for games.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`games_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `games_role'($*)) dnl
gen_require(`
attribute_role games_roles;
type games_t, games_exec_t, games_tmp_t;
type games_tmpfs_t;
')
roleattribute $1 games_roles;
domtrans_pattern($2, games_exec_t, games_t)
allow $2 games_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 { games_tmp_t games_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 games_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $2 games_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $2 games_t:process { ptrace signal_perms };
ps_process_pattern($2, games_t)
stream_connect_pattern($2, games_tmpfs_t, games_tmpfs_t, games_t)
allow games_t $2:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `games_role'($*)) dnl
')
########################################
##
## Read and write games data files.
## games data.
##
##
##
## Domain allowed access.
##
##
#
define(`games_rw_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `games_rw_data'($*)) dnl
gen_require(`
type games_data_t;
')
files_search_var_lib($1)
rw_files_pattern($1, games_data_t, games_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `games_rw_data'($*)) dnl
')
########################################
##
## Manage games data files.
## games data.
##
##
##
## Domain allowed access.
##
##
#
define(`games_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `games_manage_data_files'($*)) dnl
gen_require(`
type games_data_t;
')
files_search_var_lib($1)
manage_files_pattern($1, games_data_t, games_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `games_manage_data_files'($*)) dnl
')
## OpenH.323 Voice-Over-IP Gatekeeper.
########################################
##
## All of the rules required to
## administrate an gatekeeper environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`gatekeeper_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gatekeeper_admin'($*)) dnl
gen_require(`
type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t;
type gatekeeper_var_run_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t;
')
allow $1 gatekeeper_t:process { ptrace signal_perms };
ps_process_pattern($1, gatekeeper_t)
init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 gatekeeper_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gatekeeper_etc_t)
logging_search_logs($1)
admin_pattern($1, gatekeeper_log_t)
files_search_tmp($1)
admin_pattern($1, gatekeeper_tmp_t)
files_search_var_lib($1)
admin_pattern($1, gatekeeper_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gatekeeper_admin'($*)) dnl
')
## GNUstep distributed object mapper.
########################################
##
## Read gdomap configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`gdomap_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gdomap_read_config'($*)) dnl
gen_require(`
type gdomap_conf_t;
')
files_search_etc($1)
allow $1 gdomap_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gdomap_read_config'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an gdomap environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`gdomap_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gdomap_admin'($*)) dnl
gen_require(`
type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
type gdomap_var_run_t;
')
allow $1 gdomap_t:process { ptrace signal_perms };
ps_process_pattern($1, gdomap_t)
init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 gdomap_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gdomap_conf_t)
files_search_pids($1)
admin_pattern($1, gdomap_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gdomap_admin'($*)) dnl
')
## Geoclue is a D-Bus service that provides location information
########################################
##
## Execute geoclue in the geoclue domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`geoclue_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_domtrans'($*)) dnl
gen_require(`
type geoclue_t, geoclue_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, geoclue_exec_t, geoclue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_domtrans'($*)) dnl
')
########################################
##
## Search geoclue lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`geoclue_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_search_lib'($*)) dnl
gen_require(`
type geoclue_var_lib_t;
')
allow $1 geoclue_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_search_lib'($*)) dnl
')
########################################
##
## Read geoclue lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`geoclue_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_read_lib_files'($*)) dnl
gen_require(`
type geoclue_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_read_lib_files'($*)) dnl
')
########################################
##
## Manage geoclue lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`geoclue_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_manage_lib_files'($*)) dnl
gen_require(`
type geoclue_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_manage_lib_files'($*)) dnl
')
########################################
##
## Manage geoclue lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`geoclue_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_manage_lib_dirs'($*)) dnl
gen_require(`
type geoclue_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_manage_lib_dirs'($*)) dnl
')
########################################
##
## Send and receive messages from
## geoclue over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`geoclue_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_dbus_chat'($*)) dnl
gen_require(`
type geoclue_t;
class dbus send_msg;
')
allow $1 geoclue_t:dbus send_msg;
allow geoclue_t $1:dbus send_msg;
ps_process_pattern(geoclue_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_dbus_chat'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an geoclue environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`geoclue_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_admin'($*)) dnl
gen_require(`
type geoclue_t;
type geoclue_var_lib_t;
')
allow $1 geoclue_t:process { signal_perms };
ps_process_pattern($1, geoclue_t)
tunable_policy(`deny_ptrace',`',`
allow $1 geoclue_t:process ptrace;
')
files_search_var_lib($1)
admin_pattern($1, geoclue_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_admin'($*)) dnl
')
## GIT revision control system.
########################################
##
## Role access for Git session.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`git_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `git_role'($*)) dnl
gen_require(`
attribute_role git_session_roles;
type git_session_t, gitd_exec_t, git_user_content_t;
')
########################################
#
# Declarations
#
roleattribute $1 git_session_roles;
########################################
#
# Policy
#
allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
allow $2 git_session_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 git_session_t:process ptrace;
')
ps_process_pattern($2, git_session_t)
tunable_policy(`git_session_users',`
domtrans_pattern($2, gitd_exec_t, git_session_t)
',`
can_exec($2, gitd_exec_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `git_role'($*)) dnl
')
########################################
##
## Read generic system content files.
##
##
##
## Domain allowed access.
##
##
#
define(`git_read_generic_sys_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `git_read_generic_sys_content_files'($*)) dnl
gen_require(`
type git_sys_content_t;
')
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
allow $1 git_sys_content_t:file map;
files_search_var_lib($1)
tunable_policy(`git_system_use_cifs',`
fs_getattr_cifs($1)
fs_list_cifs($1)
fs_read_cifs_files($1)
')
tunable_policy(`git_system_use_nfs',`
fs_getattr_nfs($1)
fs_list_nfs($1)
fs_read_nfs_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `git_read_generic_sys_content_files'($*)) dnl
')
#######################################
##
## Create Git user content with a
## named file transition.
##
##
##
## Domain allowed access.
##
##
#
define(`git_filetrans_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `git_filetrans_user_content'($*)) dnl
gen_require(`
type git_user_content_t;
')
userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `git_filetrans_user_content'($*)) dnl
')
## Tools for managing and hosting git repositories.
#######################################
##
## Execute a domain transition to run gitosis.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gitosis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_domtrans'($*)) dnl
gen_require(`
type gitosis_t, gitosis_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gitosis_exec_t, gitosis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_domtrans'($*)) dnl
')
#######################################
##
## Execute gitosis-serve in the
## gitosis domain, and allow the
## specified role the gitosis domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`gitosis_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_run'($*)) dnl
gen_require(`
attribute_role gitosis_roles;
')
gitosis_domtrans($1)
roleattribute $2 gitosis_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_run'($*)) dnl
')
#######################################
##
## Read gitosis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`gitosis_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_read_lib_files'($*)) dnl
gen_require(`
type gitosis_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_read_lib_files'($*)) dnl
')
#######################################
##
## Mmap gitosis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`gitosis_mmap_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_mmap_lib_files'($*)) dnl
gen_require(`
type gitosis_var_lib_t;
')
allow $1 gitosis_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_mmap_lib_files'($*)) dnl
')
######################################
##
## Create, read, write, and delete
## gitosis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`gitosis_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_manage_lib_files'($*)) dnl
gen_require(`
type gitosis_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_manage_lib_files'($*)) dnl
')
## OpenStack image registry and delivery service.
#######################################
##
## Creates types and rules for a basic
## glance daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`glance_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_basic_types_template'($*)) dnl
gen_require(`
attribute glance_domain;
')
type $1_t, glance_domain;
type $1_exec_t;
type $1_unit_file_t;
systemd_unit_file($1_unit_file_t)
kernel_read_system_state($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
logging_send_syslog_msg($1_t)
auth_use_nsswitch($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_basic_types_template'($*)) dnl
')
########################################
##
## Execute a domain transition to
## run glance registry.
##
##
##
## Domain allowed to transition.
##
##
#
define(`glance_domtrans_registry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_domtrans_registry'($*)) dnl
gen_require(`
type glance_registry_t, glance_registry_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_domtrans_registry'($*)) dnl
')
########################################
##
## Execute a domain transition to
## run glance api.
##
##
##
## Domain allowed to transition.
##
##
#
define(`glance_domtrans_api',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_domtrans_api'($*)) dnl
gen_require(`
type glance_api_t, glance_api_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, glance_api_exec_t, glance_api_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_domtrans_api'($*)) dnl
')
########################################
##
## Read glance log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`glance_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_read_log'($*)) dnl
gen_require(`
type glance_log_t;
')
logging_search_logs($1)
read_files_pattern($1, glance_log_t, glance_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_read_log'($*)) dnl
')
########################################
##
## Append glance log files.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_append_log'($*)) dnl
gen_require(`
type glance_log_t;
')
logging_search_logs($1)
append_files_pattern($1, glance_log_t, glance_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## glance log files.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_log'($*)) dnl
gen_require(`
type glance_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, glance_log_t, glance_log_t)
manage_files_pattern($1, glance_log_t, glance_log_t)
manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_log'($*)) dnl
')
########################################
##
## Search glance lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_search_lib'($*)) dnl
gen_require(`
type glance_var_lib_t;
')
allow $1 glance_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_search_lib'($*)) dnl
')
########################################
##
## Read glance lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_read_lib_files'($*)) dnl
gen_require(`
type glance_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## glance lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_lib_files'($*)) dnl
gen_require(`
type glance_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## glance lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_lib_dirs'($*)) dnl
gen_require(`
type glance_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read glance pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_read_pid_files'($*)) dnl
gen_require(`
type glance_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, glance_var_run_t, glance_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## glance pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`glance_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_pid_files'($*)) dnl
gen_require(`
type glance_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an glance environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`glance_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_admin'($*)) dnl
gen_require(`
type glance_registry_t, glance_api_t, glance_log_t;
type glance_var_lib_t, glance_var_run_t;
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
')
allow $1 glance_registry_t:process signal_perms;
ps_process_pattern($1, glance_registry_t)
tunable_policy(`deny_ptrace',`',`
allow $1 glance_registry_t:process ptrace;
allow $1 glance_api_t:process ptrace;
')
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, glance_log_t)
files_search_var_lib($1)
admin_pattern($1, glance_var_lib_t)
files_search_pids($1)
admin_pattern($1, glance_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_admin'($*)) dnl
')
## policy for glusterd
########################################
##
## Transition to glusterd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`glusterd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_domtrans'($*)) dnl
gen_require(`
type glusterd_t, glusterd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, glusterd_exec_t, glusterd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_domtrans'($*)) dnl
')
########################################
##
## Execute glusterd server in the glusterd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_initrc_domtrans'($*)) dnl
gen_require(`
type glusterd_initrc_exec_t;
')
init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_initrc_domtrans'($*)) dnl
')
#######################################
##
## Connect to glusterd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_stream_connect'($*)) dnl
gen_require(`
type glusterd_t;
')
allow $1 glusterd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_stream_connect'($*)) dnl
')
########################################
##
## Read glusterd's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`glusterd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_read_log'($*)) dnl
gen_require(`
type glusterd_log_t;
')
logging_search_logs($1)
read_files_pattern($1, glusterd_log_t, glusterd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_read_log'($*)) dnl
')
########################################
##
## Append to glusterd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_append_log'($*)) dnl
gen_require(`
type glusterd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, glusterd_log_t, glusterd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_append_log'($*)) dnl
')
#######################################
##
## Transition content labels to glusterd named content
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_filetrans_named_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_filetrans_named_pid'($*)) dnl
gen_require(`
type glusterd_var_run_t;
')
files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_filetrans_named_pid'($*)) dnl
')
########################################
##
## Manage glusterd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_manage_pid'($*)) dnl
gen_require(`
type glusterd_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_manage_pid'($*)) dnl
')
########################################
##
## Manage glusterd log files
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_manage_log'($*)) dnl
gen_require(`
type glusterd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_manage_log'($*)) dnl
')
######################################
##
## Allow the specified domain to execute gluster's lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`gluster_execute_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gluster_execute_lib'($*)) dnl
gen_require(`
type glusterd_var_lib_t;
')
files_list_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
can_exec($1, glusterd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gluster_execute_lib'($*)) dnl
')
######################################
##
## Read glusterd's config files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_read_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_read_conf'($*)) dnl
gen_require(`
type glusterd_conf_t;
')
files_search_etc($1)
read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_read_conf'($*)) dnl
')
######################################
##
## Dontaudit Read /var/lib/glusterd files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_dontaudit_read_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_dontaudit_read_lib_dirs'($*)) dnl
gen_require(`
type glusterd_var_lib_t;
')
dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_dontaudit_read_lib_dirs'($*)) dnl
')
######################################
##
## Read and write /var/lib/glusterd files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_rw_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_rw_lib'($*)) dnl
gen_require(`
type glusterd_var_lib_t;
')
files_search_var_lib($1)
rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_rw_lib'($*)) dnl
')
######################################
##
## Read /var/lib/glusterd files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_read_lib_files'($*)) dnl
gen_require(`
type glusterd_var_lib_t;
')
files_search_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_read_lib_files'($*)) dnl
')
######################################
##
## Read and write /var/lib/glusterd files.
##
##
##
## Domain allowed access.
##
##
#
define(`glusterd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_manage_lib_files'($*)) dnl
gen_require(`
type glusterd_var_lib_t;
')
files_search_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_manage_lib_files'($*)) dnl
')
######################################
##
## All of the rules required to administrate
## an glusterd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`glusterd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_admin'($*)) dnl
gen_require(`
type glusterd_t;
type glusterd_initrc_exec_t;
type glusterd_log_t;
type glusterd_tmp_t;
type glusterd_conf_t;
')
allow $1 glusterd_t:process { signal_perms };
ps_process_pattern($1, glusterd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 glusterd_t:process ptrace;
')
glusterd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 glusterd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, glusterd_log_t)
admin_pattern($1, glusterd_tmp_t)
admin_pattern($1, glusterd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_admin'($*)) dnl
')
## GNU network object model environment (GNOME)
#######################################
##
## Role access for gnome. (Deprecated)
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`gnome_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_role'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_role'($*)) dnl
')
######################################
##
## The role template for the gnome-keyring-daemon.
##
##
##
## The user prefix.
##
##
##
##
## The user role.
##
##
##
##
## The user domain associated with the role.
##
##
#
define(`gnome_role_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_role_gkeyringd'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_role_gkeyringd'($*)) dnl
')
######################################
##
## The role template for gnome.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`gnome_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_role_template'($*)) dnl
gen_require(`
attribute gnomedomain, gkeyringd_domain, gnome_home_type;
attribute_role gconfd_roles;
type gkeyringd_exec_t, gkeyringd_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
class dbus send_msg;
')
########################################
#
# Gconf declarations
#
roleattribute $2 gconfd_roles;
########################################
#
# Gkeyringd declarations
#
type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
domain_user_exemption_target($1_gkeyringd_t)
role $2 types $1_gkeyringd_t;
########################################
#
# Gconf policy
#
domtrans_pattern($3, gconfd_exec_t, gconfd_t)
allow $3 gconfd_t:process { signal_perms };
allow $3 gconfd_t:unix_stream_socket connectto;
ps_process_pattern($3, gconfd_t)
########################################
#
# Gkeyringd policy
#
allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };
allow $1_gkeyringd_t self:process setsched;
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
userdom_home_manager($1_gkeyringd_t)
allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ps_process_pattern($3, $1_gkeyringd_t)
allow $3 $1_gkeyringd_t:process signal_perms;
dontaudit $3 gkeyringd_exec_t:file entrypoint;
allow $1_gkeyringd_t $3:process sigkill;
allow $3 $1_gkeyringd_t:fd use;
allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
allow $3 $1_gkeyringd_t:dbus { acquire_svc };
stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
kernel_read_system_state($1_gkeyringd_t)
corecmd_bin_domtrans($1_gkeyringd_t, $3)
corecmd_shell_domtrans($1_gkeyringd_t, $3)
gnome_stream_connect_gkeyringd($3)
ps_process_pattern($1_gkeyringd_t, $3)
auth_use_nsswitch($1_gkeyringd_t)
logging_send_syslog_msg($1_gkeyringd_t)
userdom_rw_user_tmp_sock_files($1_gkeyringd_t)
allow $1_gkeyringd_t $3:dbus { acquire_svc send_msg };
allow $3 $1_gkeyringd_t:dbus send_msg;
optional_policy(`
dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
dbus_stream_connect_system_dbusd($1_gkeyringd_t)
dbus_send_system_bus($1_gkeyringd_t)
gnome_manage_generic_home_dirs($1_gkeyringd_t)
gnome_read_generic_data_home_files($1_gkeyringd_t)
gnome_read_generic_data_home_dirs($1_gkeyringd_t)
optional_policy(`
telepathy_mission_control_read_state($1_gkeyringd_t)
telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
')
optional_policy(`
systemd_dbus_chat_logind($1_gkeyringd_t)
')
')
optional_policy(`
ssh_agent_exec($1_gkeyringd_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_role_template'($*)) dnl
')
#######################################
##
## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
##
##
##
## The user prefix.
##
##
##
##
## The user role.
##
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_run_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_run_gkeyringd'($*)) dnl
gen_require(`
type $1_gkeyringd_t;
type gkeyringd_exec_t;
')
role $2 types $1_gkeyringd_t;
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_run_gkeyringd'($*)) dnl
')
########################################
##
## gconf connection template.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_stream_connect_gconf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gconf'($*)) dnl
gen_require(`
type gconfd_t, gconf_tmp_t;
')
read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
allow $1 gconfd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gconf'($*)) dnl
')
########################################
##
## Connect to gkeyringd with a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_stream_connect_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gkeyringd'($*)) dnl
gen_require(`
attribute gkeyringd_domain;
type gkeyringd_tmp_t;
type gconf_tmp_t;
type cache_home_t;
')
allow $1 gconf_tmp_t:dir search_dir_perms;
userdom_search_user_tmp_dirs($1)
stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gkeyringd'($*)) dnl
')
########################################
##
## Run gconfd in gconfd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_domtrans_gconfd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_domtrans_gconfd'($*)) dnl
gen_require(`
type gconfd_t, gconfd_exec_t;
')
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_domtrans_gconfd'($*)) dnl
')
########################################
##
## Dontaudit read gnome homedir content (.config)
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_read_config'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
dontaudit $1 gnome_home_type:dir list_dir_perms;
dontaudit $1 gnome_home_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_read_config'($*)) dnl
')
########################################
##
## Dontaudit search gnome homedir content (.config)
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_search_config'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
dontaudit $1 gnome_home_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_search_config'($*)) dnl
')
########################################
##
## Dontaudit write gnome homedir content (.config)
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_append_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_append_config_files'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
dontaudit $1 gnome_home_type:file append;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_append_config_files'($*)) dnl
')
########################################
##
## Dontaudit write gnome homedir content (.config)
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_write_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_write_config_files'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
dontaudit $1 gnome_home_type:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_write_config_files'($*)) dnl
')
########################################
##
## manage gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_config'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
allow $1 gnome_home_type:dir manage_dir_perms;
allow $1 gnome_home_type:file { manage_file_perms map };
allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
allow $1 gnome_home_type:sock_file manage_sock_file_perms;
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_config'($*)) dnl
')
########################################
##
## Send general signals to all gconf domains.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_signal_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_signal_all'($*)) dnl
gen_require(`
attribute gnomedomain;
')
allow $1 gnomedomain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_signal_all'($*)) dnl
')
########################################
##
## Create objects in a Gnome cache home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`gnome_cache_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_cache_filetrans'($*)) dnl
gen_require(`
type cache_home_t;
')
filetrans_pattern($1, cache_home_t, $2, $3, $4)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_cache_filetrans'($*)) dnl
')
########################################
##
## Create objects in a Gnome cache home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`gnome_config_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_config_filetrans'($*)) dnl
gen_require(`
type config_home_t;
')
filetrans_pattern($1, config_home_t, $2, $3, $4)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_config_filetrans'($*)) dnl
')
########################################
##
## Read generic cache home files (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_generic_cache_files'($*)) dnl
gen_require(`
type cache_home_t;
')
read_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_generic_cache_files'($*)) dnl
')
########################################
##
## Create generic cache home dir (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_create_generic_cache_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_create_generic_cache_dir'($*)) dnl
gen_require(`
type cache_home_t;
')
allow $1 cache_home_t:dir create_dir_perms;
userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_create_generic_cache_dir'($*)) dnl
')
########################################
##
## Set attributes of cache home dir (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_setattr_cache_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_cache_home_dir'($*)) dnl
gen_require(`
type cache_home_t;
')
setattr_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_cache_home_dir'($*)) dnl
')
########################################
##
## Manage cache home dir (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_cache_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_cache_home_dir'($*)) dnl
gen_require(`
type cache_home_t;
')
manage_dirs_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_cache_home_dir'($*)) dnl
')
########################################
##
## Dontaudit Manage cache home dir (.cache)
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_manage_cache_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_manage_cache_home_dir'($*)) dnl
gen_require(`
type cache_home_t;
')
dontaudit $1 cache_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_manage_cache_home_dir'($*)) dnl
')
########################################
##
## append to generic cache home files (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_append_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_append_generic_cache_files'($*)) dnl
gen_require(`
type cache_home_t;
')
append_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_append_generic_cache_files'($*)) dnl
')
########################################
##
## write to generic cache home files (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_write_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_write_generic_cache_files'($*)) dnl
gen_require(`
type cache_home_t;
')
write_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_write_generic_cache_files'($*)) dnl
')
########################################
##
## write to generic cache home files (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_cache_files'($*)) dnl
gen_require(`
type cache_home_t;
')
manage_files_pattern($1, cache_home_t, cache_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_cache_files'($*)) dnl
')
########################################
##
## Delete to generic cache home files (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_delete_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_generic_cache_files'($*)) dnl
gen_require(`
type cache_home_t;
')
files_search_tmp($1)
allow $1 cache_home_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_generic_cache_files'($*)) dnl
')
########################################
##
## Manage a sock_file in the generic cache home files (.cache)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_generic_cache_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_cache_sockets'($*)) dnl
gen_require(`
type cache_home_t;
')
userdom_search_user_home_dirs($1)
manage_sock_files_pattern($1, cache_home_t, cache_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_cache_sockets'($*)) dnl
')
########################################
##
## Dontaudit read/write to generic cache home files (.cache)
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_rw_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_rw_generic_cache_files'($*)) dnl
gen_require(`
type cache_home_t;
')
dontaudit $1 cache_home_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_rw_generic_cache_files'($*)) dnl
')
########################################
##
## read gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_config'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
list_dirs_pattern($1, gnome_home_type, gnome_home_type)
read_files_pattern($1, gnome_home_type, gnome_home_type)
read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
gnome_read_usr_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_config'($*)) dnl
')
########################################
##
## Create objects in a Gnome gconf home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`gnome_data_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_data_filetrans'($*)) dnl
gen_require(`
type data_home_t;
')
filetrans_pattern($1, data_home_t, $2, $3, $4)
gnome_search_gconf($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_data_filetrans'($*)) dnl
')
#######################################
##
## Read generic data home files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_generic_data_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_generic_data_home_files'($*)) dnl
gen_require(`
type data_home_t, gconf_home_t;
')
read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_generic_data_home_files'($*)) dnl
')
########################################
##
## Read generic data home files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_map_generic_data_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_map_generic_data_home_files'($*)) dnl
gen_require(`
type data_home_t, gconf_home_t;
')
allow $1 data_home_t:file map;
allow $1 gconf_home_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_map_generic_data_home_files'($*)) dnl
')
######################################
##
## Read generic data home dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_generic_data_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_generic_data_home_dirs'($*)) dnl
gen_require(`
type data_home_t, gconf_home_t;
')
list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_generic_data_home_dirs'($*)) dnl
')
######################################
##
## Watch generic data home dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_watch_generic_data_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_watch_generic_data_home_dirs'($*)) dnl
gen_require(`
type data_home_t;
')
watch_dirs_pattern($1, data_home_t, data_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_watch_generic_data_home_dirs'($*)) dnl
')
#######################################
##
## Manage gconf data home files
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_data'($*)) dnl
gen_require(`
type data_home_t;
type gconf_home_t;
')
allow $1 gconf_home_t:dir search_dir_perms;
manage_dirs_pattern($1, data_home_t, data_home_t)
manage_files_pattern($1, data_home_t, data_home_t)
manage_lnk_files_pattern($1, data_home_t, data_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_data'($*)) dnl
')
########################################
##
## Read icc data home content.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_home_icc_data_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_home_icc_data_content'($*)) dnl
gen_require(`
type icc_data_home_t, gconf_home_t, data_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
allow $1 icc_data_home_t:file map;
list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
read_files_pattern($1, icc_data_home_t, icc_data_home_t)
read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_home_icc_data_content'($*)) dnl
')
########################################
##
## Read inherited icc data home files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_inherited_home_icc_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_inherited_home_icc_data_files'($*)) dnl
gen_require(`
type icc_data_home_t;
')
allow $1 icc_data_home_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_inherited_home_icc_data_files'($*)) dnl
')
########################################
##
## Create gconf_home_t objects in the /root directory
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`gnome_admin_home_gconf_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_admin_home_gconf_filetrans'($*)) dnl
gen_require(`
type gconf_home_t;
')
userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_admin_home_gconf_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## inherited gconf config files.
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_read_inherited_gconf_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_read_inherited_gconf_config_files'($*)) dnl
gen_require(`
type gconf_etc_t;
')
dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_read_inherited_gconf_config_files'($*)) dnl
')
########################################
##
## read gconf config files
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_gconf_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_gconf_config'($*)) dnl
gen_require(`
type gconf_etc_t;
')
allow $1 gconf_etc_t:dir list_dir_perms;
read_files_pattern($1, gconf_etc_t, gconf_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_gconf_config'($*)) dnl
')
#######################################
##
## Manage gconf config files
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_gconf_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gconf_config'($*)) dnl
gen_require(`
type gconf_etc_t;
')
allow $1 gconf_etc_t:dir list_dir_perms;
manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gconf_config'($*)) dnl
')
########################################
##
## Execute gconf programs in
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_exec_gconf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_gconf'($*)) dnl
gen_require(`
type gconfd_exec_t;
')
can_exec($1, gconfd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_gconf'($*)) dnl
')
########################################
##
## Execute gnome keyringd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_exec_keyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_keyringd'($*)) dnl
gen_require(`
type gkeyringd_exec_t;
')
can_exec($1, gkeyringd_exec_t)
corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_keyringd'($*)) dnl
')
########################################
##
## Search gconf home data dirs
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_search_gconf_data_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_search_gconf_data_dir'($*)) dnl
gen_require(`
type gconf_home_t;
type data_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gconf_home_t:dir list_dir_perms;
allow $1 data_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_search_gconf_data_dir'($*)) dnl
')
########################################
##
## Read gconf home files
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_gconf_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_gconf_home_files'($*)) dnl
gen_require(`
type gconf_home_t;
type data_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gconf_home_t:dir list_dir_perms;
allow $1 data_home_t:dir list_dir_perms;
read_files_pattern($1, gconf_home_t, gconf_home_t)
read_files_pattern($1, data_home_t, data_home_t)
read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
read_lnk_files_pattern($1, data_home_t, data_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_gconf_home_files'($*)) dnl
')
########################################
##
## Search gkeyringd temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_search_gkeyringd_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_search_gkeyringd_tmp_dirs'($*)) dnl
gen_require(`
type gkeyringd_tmp_t;
')
files_search_tmp($1)
allow $1 gkeyringd_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_search_gkeyringd_tmp_dirs'($*)) dnl
')
########################################
##
## List gkeyringd temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_list_gkeyringd_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_list_gkeyringd_tmp_dirs'($*)) dnl
gen_require(`
type gkeyringd_tmp_t;
')
files_search_tmp($1)
allow $1 gkeyringd_tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_list_gkeyringd_tmp_dirs'($*)) dnl
')
#######################################
##
## Delete gkeyringd temporary
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_delete_gkeyringd_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_gkeyringd_tmp_content'($*)) dnl
gen_require(`
type gkeyringd_tmp_t;
')
files_search_tmp($1)
delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_gkeyringd_tmp_content'($*)) dnl
')
#######################################
##
## Manage gkeyringd temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_gkeyringd_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gkeyringd_tmp_dirs'($*)) dnl
gen_require(`
type gkeyringd_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gkeyringd_tmp_dirs'($*)) dnl
')
########################################
##
## search gconf homedir (.local)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_search_gconf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_search_gconf'($*)) dnl
gen_require(`
type gconf_home_t;
')
allow $1 gconf_home_t:dir search_dir_perms;
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_search_gconf'($*)) dnl
')
########################################
##
## Set attributes of Gnome config dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_setattr_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_config_dirs'($*)) dnl
gen_require(`
type gnome_home_t;
')
setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_config_dirs'($*)) dnl
')
########################################
##
## Manage generic gnome home files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_generic_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_home_files'($*)) dnl
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
manage_files_pattern($1, gnome_home_t, gnome_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_home_files'($*)) dnl
')
########################################
##
## Manage generic gnome home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_generic_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_home_dirs'($*)) dnl
gen_require(`
type gnome_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 gnome_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_home_dirs'($*)) dnl
')
########################################
##
## Append gconf home files
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_append_gconf_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_append_gconf_home_files'($*)) dnl
gen_require(`
type gconf_home_t;
')
append_files_pattern($1, gconf_home_t, gconf_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_append_gconf_home_files'($*)) dnl
')
########################################
##
## manage gconf home files
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_gconf_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gconf_home_files'($*)) dnl
gen_require(`
type gconf_home_t;
')
allow $1 gconf_home_t:dir list_dir_perms;
manage_files_pattern($1, gconf_home_t, gconf_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gconf_home_files'($*)) dnl
')
########################################
##
## Connect to gnome over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the user domain.
##
##
#
define(`gnome_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
# Connect to pulseaudit server
stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect'($*)) dnl
')
########################################
##
## list gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_list_home_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_list_home_config'($*)) dnl
gen_require(`
type config_home_t;
')
allow $1 config_home_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_list_home_config'($*)) dnl
')
########################################
##
## Set attributes of gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_setattr_home_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_home_config'($*)) dnl
gen_require(`
type config_home_t;
')
setattr_dirs_pattern($1, config_home_t, config_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_home_config'($*)) dnl
')
########################################
##
## read gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_home_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_home_config'($*)) dnl
gen_require(`
type config_home_t;
')
list_dirs_pattern($1, config_home_t, config_home_t)
read_files_pattern($1, config_home_t, config_home_t)
read_lnk_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_home_config'($*)) dnl
')
#######################################
##
## append gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_append_home_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_append_home_config'($*)) dnl
gen_require(`
type config_home_t;
')
append_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_append_home_config'($*)) dnl
')
#######################################
##
## delete gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_delete_home_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_home_config'($*)) dnl
gen_require(`
type config_home_t;
')
delete_files_pattern($1, config_home_t, config_home_t)
delete_lnk_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_home_config'($*)) dnl
')
########################################
##
## Create gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_create_home_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_create_home_config_dirs'($*)) dnl
gen_require(`
type config_home_t;
')
allow $1 config_home_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_create_home_config_dirs'($*)) dnl
')
#######################################
##
## setattr gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_setattr_home_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_home_config_dirs'($*)) dnl
gen_require(`
type config_home_t;
')
setattr_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_home_config_dirs'($*)) dnl
')
########################################
##
## manage gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_home_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_home_config'($*)) dnl
gen_require(`
type config_home_t;
')
manage_files_pattern($1, config_home_t, config_home_t)
allow $1 config_home_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_home_config'($*)) dnl
')
#######################################
##
## delete gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_delete_home_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_home_config_dirs'($*)) dnl
gen_require(`
type config_home_t;
')
delete_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_home_config_dirs'($*)) dnl
')
########################################
##
## manage gnome homedir content (.config)
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_home_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_home_config_dirs'($*)) dnl
gen_require(`
type config_home_t;
')
manage_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_home_config_dirs'($*)) dnl
')
########################################
##
## Watch gnome homedir content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_watch_home_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_watch_home_config_dirs'($*)) dnl
gen_require(`
type config_home_t;
')
watch_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_watch_home_config_dirs'($*)) dnl
')
########################################
##
## Watch gnome homedir content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_watch_home_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_watch_home_config_files'($*)) dnl
gen_require(`
type config_home_t;
')
watch_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_watch_home_config_files'($*)) dnl
')
########################################
##
## manage gstreamer home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_gstreamer_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gstreamer_home_files'($*)) dnl
gen_require(`
type gstreamer_home_t;
')
manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
gnome_filetrans_gstreamer_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gstreamer_home_files'($*)) dnl
')
######################################
##
## Allow to execute gstreamer home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_exec_gstreamer_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_gstreamer_home_files'($*)) dnl
gen_require(`
type gstreamer_home_t;
')
can_exec($1, gstreamer_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_gstreamer_home_files'($*)) dnl
')
######################################
##
## Allow to execute config home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_exec_config_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_config_home_files'($*)) dnl
gen_require(`
type config_home_t;
')
can_exec($1, config_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_config_home_files'($*)) dnl
')
#######################################
##
## file name transition gstreamer home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_filetrans_gstreamer_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_gstreamer_home_content'($*)) dnl
gen_require(`
type gstreamer_home_t;
')
userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_gstreamer_home_content'($*)) dnl
')
#######################################
##
## manage gstreamer home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_gstreamer_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gstreamer_home_dirs'($*)) dnl
gen_require(`
type gstreamer_home_t;
')
manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gstreamer_home_dirs'($*)) dnl
')
########################################
##
## Read/Write all inherited gnome home config
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_rw_inherited_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_rw_inherited_config'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
allow $1 gnome_home_type:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_rw_inherited_config'($*)) dnl
')
########################################
##
## Dontaudit Read/Write all inherited gnome home config
##
##
##
## Domain to not audit.
##
##
#
define(`gnome_dontaudit_rw_inherited_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_rw_inherited_config'($*)) dnl
gen_require(`
attribute gnome_home_type;
')
dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_rw_inherited_config'($*)) dnl
')
########################################
##
## Send and receive messages from
## gconf system service over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_dbus_chat_gconfdefault',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_gconfdefault'($*)) dnl
gen_require(`
type gconfdefaultsm_t;
class dbus send_msg;
')
allow $1 gconfdefaultsm_t:dbus send_msg;
allow gconfdefaultsm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_gconfdefault'($*)) dnl
')
########################################
##
## Send and receive messages from
## gkeyringd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_dbus_chat_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_gkeyringd'($*)) dnl
gen_require(`
attribute gkeyringd_domain;
class dbus send_msg;
')
allow $1 gkeyringd_domain:dbus send_msg;
allow gkeyringd_domain $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_gkeyringd'($*)) dnl
')
########################################
##
## Send signull signal to gkeyringd processes.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_signull_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_signull_gkeyringd'($*)) dnl
gen_require(`
attribute gkeyringd_domain;
')
allow $1 gkeyringd_domain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_signull_gkeyringd'($*)) dnl
')
########################################
##
## Allow the domain to read gkeyringd state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_gkeyringd_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_gkeyringd_state'($*)) dnl
gen_require(`
attribute gkeyringd_domain;
')
ps_process_pattern($1, gkeyringd_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_gkeyringd_state'($*)) dnl
')
########################################
##
## Create directories in user home directories
## with the gnome home file type.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_home_dir_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_home_dir_filetrans'($*)) dnl
gen_require(`
type gnome_home_t;
')
userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_home_dir_filetrans'($*)) dnl
')
########################################
##
## Check whether sendmail executable
## files are executable.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_access_check_usr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_access_check_usr_config'($*)) dnl
gen_require(`
type config_usr_t;
')
allow $1 config_usr_t:dir_file_class_set audit_access;;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_access_check_usr_config'($*)) dnl
')
######################################
##
## Allow read kde config content
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_read_usr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_usr_config'($*)) dnl
gen_require(`
type config_usr_t;
')
files_search_usr($1)
list_dirs_pattern($1, config_usr_t, config_usr_t)
read_files_pattern($1, config_usr_t, config_usr_t)
read_lnk_files_pattern($1, config_usr_t, config_usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_usr_config'($*)) dnl
')
#######################################
##
## Allow manage kde config content
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_manage_usr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_usr_config'($*)) dnl
gen_require(`
type config_usr_t;
')
files_search_usr($1)
manage_dirs_pattern($1, config_usr_t, config_usr_t)
manage_files_pattern($1, config_usr_t, config_usr_t)
manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_usr_config'($*)) dnl
')
########################################
##
## Execute gnome-keyring in the user gkeyring domain
##
##
##
## Domain allowed access
##
##
#
define(`gnome_transition_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_transition_gkeyringd'($*)) dnl
gen_require(`
attribute gkeyringd_domain;
')
allow $1 gkeyringd_domain:process transition;
dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
allow gkeyringd_domain $1:process { sigchld signull };
allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_transition_gkeyringd'($*)) dnl
')
########################################
##
## Create gnome content in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_home_content'($*)) dnl
gen_require(`
type config_home_t;
type cache_home_t;
type dbus_home_t;
type gconf_home_t;
type gnome_home_t;
type data_home_t, icc_data_home_t;
type gkeyringd_gnome_home_t;
')
userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
# ~/.color/icc: legacy
userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
gnome_cache_filetrans($1, config_home_t, dir, "dconf")
gnome_filetrans_gstreamer_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_home_content'($*)) dnl
')
########################################
##
## Create gnome dconf dir in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_filetrans_config_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_config_home_content'($*)) dnl
gen_require(`
type config_home_t;
')
gnome_cache_filetrans($1, config_home_t, dir, "dconf")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_config_home_content'($*)) dnl
')
######################################
##
## File name transition for generic home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_filetrans_cert_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_cert_home_content'($*)) dnl
gen_require(`
type home_cert_t;
')
gnome_data_filetrans($1, home_cert_t, dir, "certificates")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_cert_home_content'($*)) dnl
')
######################################
##
## Create fontconfig directories in the .config and .cache subdirectories
## of the user home directory with correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_filetrans_fontconfig_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_fontconfig_home_content'($*)) dnl
gen_require(`
type user_fonts_config_t, user_fonts_cache_t;
')
gnome_config_filetrans($1, user_fonts_config_t, dir, "fontconfig")
gnome_cache_filetrans($1, user_fonts_cache_t, dir, "fontconfig")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_fontconfig_home_content'($*)) dnl
')
########################################
##
## Create gnome directory in the /root directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`gnome_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_admin_home_content'($*)) dnl
gen_require(`
type config_home_t;
type cache_home_t;
type dbus_home_t;
type gstreamer_home_t;
type gconf_home_t;
type gnome_home_t;
type icc_data_home_t;
')
userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
gnome_filetrans_gstreamer_home_content($1)
# /root/.color/icc: legacy
userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_admin_home_content'($*)) dnl
')
#####################################
##
## Execute gnome-keyring executable
## in the specified domain.
##
##
##
## Execute a gnome-keyring executable
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`gnome_command_domtrans_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_command_domtrans_gkeyringd'($*)) dnl
gen_require(`
type gkeyringd_exec_t;
')
allow $2 gkeyringd_exec_t:file entrypoint;
domain_transition_pattern($1, gkeyringd_exec_t, $2)
type_transition $1 gkeyringd_exec_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_command_domtrans_gkeyringd'($*)) dnl
')
########################################
##
## Execute gnome-atspi services in the caller domain
##
##
##
## Domain allowed to transition.
##
##
#
define(`gnome_exec_atspi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_atspi'($*)) dnl
gen_require(`
type gnome_atspi_exec_t;
')
can_exec($1, gnome_atspi_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_atspi'($*)) dnl
')
########################################
##
## Execute gnome-atspi services in the gnome-atspi domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gnome_atspi_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_atspi_domtrans'($*)) dnl
gen_require(`
type gnome_atspi_t, gnome_atspi_exec_t;
')
domtrans_pattern($1, gnome_atspi_exec_t, gnome_atspi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_atspi_domtrans'($*)) dnl
')
## Gnome clock handler for setting the time.
########################################
##
## Execute a domain transition to run gnomeclock.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gnomeclock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_domtrans'($*)) dnl
gen_require(`
type gnomeclock_t, gnomeclock_exec_t;
')
domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_domtrans'($*)) dnl
')
########################################
##
## Execute gnomeclock in the gnomeclock domain, and
## allow the specified role the gnomeclock domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`gnomeclock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_run'($*)) dnl
gen_require(`
type gnomeclock_t;
')
gnomeclock_domtrans($1)
role $2 types gnomeclock_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_run'($*)) dnl
')
########################################
##
## Send and receive messages from
## gnomeclock over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`gnomeclock_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_dbus_chat'($*)) dnl
gen_require(`
type gnomeclock_t;
class dbus send_msg;
')
allow $1 gnomeclock_t:dbus send_msg;
allow gnomeclock_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_dbus_chat'($*)) dnl
')
########################################
##
## Do not audit send and receive messages from
## gnomeclock over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`gnomeclock_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type gnomeclock_t;
class dbus send_msg;
')
dontaudit $1 gnomeclock_t:dbus send_msg;
dontaudit gnomeclock_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_dontaudit_dbus_chat'($*)) dnl
')
## Policy for GNU Privacy Guard and related programs.
############################################################
##
## Role access for gpg
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`gpg_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_role'($*)) dnl
gen_require(`
attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
type gpg_t, gpg_exec_t;
type gpg_agent_t, gpg_agent_exec_t;
type gpg_agent_tmp_t;
type gpg_helper_t, gpg_pinentry_t;
type gpg_pinentry_tmp_t;
')
roleattribute $1 gpg_roles;
roleattribute $1 gpg_agent_roles;
roleattribute $1 gpg_helper_roles;
roleattribute $1 gpg_pinentry_roles;
# transition from the userdomain to the derived domain
domtrans_pattern($2, gpg_exec_t, gpg_t)
# allow ps to show gpg
ps_process_pattern($2, gpg_t)
allow $2 gpg_t:process { signull sigstop signal sigkill };
# communicate with the user
allow gpg_helper_t $2:fd use;
allow gpg_helper_t $2:fifo_file write;
# allow ps to show gpg-agent
ps_process_pattern($2, gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
allow $2 gpg_agent_t:process { signal sigkill };
manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
# Transition from the user domain to the agent domain.
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
allow gpg_pinentry_t $2:fifo_file { read write };
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
ifdef(`hide_broken_symptoms',`
#Leaked File Descriptors
dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_role'($*)) dnl
')
########################################
##
## Transition to a user gpg domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gpg_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_domtrans'($*)) dnl
gen_require(`
type gpg_t, gpg_exec_t;
')
domtrans_pattern($1, gpg_exec_t, gpg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_domtrans'($*)) dnl
')
######################################
##
## Execute gpg in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_exec'($*)) dnl
gen_require(`
type gpg_exec_t;
')
corecmd_search_bin($1)
can_exec($1, gpg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_exec'($*)) dnl
')
######################################
##
## Transition to a gpg web domain.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_domtrans_web',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_domtrans_web'($*)) dnl
gen_require(`
type gpg_web_t, gpg_exec_t;
')
domtrans_pattern($1, gpg_exec_t, gpg_web_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_domtrans_web'($*)) dnl
')
######################################
##
## Make gpg an entrypoint for
## the specified domain.
##
##
##
## The domain for which cifs_t is an entrypoint.
##
##
#
define(`gpg_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_entry_type'($*)) dnl
gen_require(`
type gpg_exec_t;
')
domain_entry_file($1, gpg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_entry_type'($*)) dnl
')
########################################
##
## Send generic signals to user gpg processes.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_signal'($*)) dnl
gen_require(`
type gpg_t;
')
allow $1 gpg_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_signal'($*)) dnl
')
########################################
##
## Read and write GPG agent pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_rw_agent_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_rw_agent_pipes'($*)) dnl
# Just wants read/write could this be a leak?
gen_require(`
type gpg_agent_t;
')
allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_rw_agent_pipes'($*)) dnl
')
########################################
##
## Send messages to and from GPG
## Pinentry over DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_pinentry_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_pinentry_dbus_chat'($*)) dnl
gen_require(`
type gpg_pinentry_t;
class dbus send_msg;
')
allow $1 gpg_pinentry_t:dbus send_msg;
allow gpg_pinentry_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_pinentry_dbus_chat'($*)) dnl
')
########################################
##
## List Gnu Privacy Guard user secrets.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_list_user_secrets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_list_user_secrets'($*)) dnl
gen_require(`
type gpg_secret_t;
')
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_list_user_secrets'($*)) dnl
')
###########################
##
## Allow to manage gpg named home content
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_manage_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_manage_home_content'($*)) dnl
gen_require(`
type gpg_secret_t;
')
manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_manage_home_content'($*)) dnl
')
########################################
##
## Transition to gpg named home content
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_filetrans_home_content'($*)) dnl
gen_require(`
type gpg_secret_t;
')
userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_filetrans_home_content'($*)) dnl
')
########################################
##
## Connected to gpg_agent_t unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_agent_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_agent_stream_connect'($*)) dnl
gen_require(`
type gpg_agent_t;
')
allow $1 gpg_agent_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_agent_stream_connect'($*)) dnl
')
########################################
##
## Connected to gpg_agent_t unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpg_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_noatsecure'($*)) dnl
gen_require(`
type gpg_t;
')
allow $1 gpg_t:process { noatsecure rlimitinh siginh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_noatsecure'($*)) dnl
')
## General Purpose Mouse driver.
########################################
##
## Connect to GPM over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_stream_connect'($*)) dnl
gen_require(`
type gpmctl_t, gpm_t;
')
dev_list_all_dev_nodes($1)
stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_stream_connect'($*)) dnl
')
########################################
##
## Get attributes of gpm control
## channel named sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_getattr_gpmctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_getattr_gpmctl'($*)) dnl
gen_require(`
type gpmctl_t;
')
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_getattr_gpmctl'($*)) dnl
')
########################################
##
## Do not audit attempts to get
## attributes of gpm control channel
## named sock files.
##
##
##
## Domain to not audit.
##
##
#
define(`gpm_dontaudit_getattr_gpmctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_dontaudit_getattr_gpmctl'($*)) dnl
gen_require(`
type gpmctl_t;
')
dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_dontaudit_getattr_gpmctl'($*)) dnl
')
########################################
##
## Set attributes of gpm control
## channel named sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`gpm_setattr_gpmctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_setattr_gpmctl'($*)) dnl
gen_require(`
type gpmctl_t;
')
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_setattr_gpmctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an gpm environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`gpm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_admin'($*)) dnl
gen_require(`
type gpm_t, gpm_conf_t, gpm_initrc_exec_t;
type gpm_var_run_t, gpmctl_t;
')
allow $1 gpm_t:process { ptrace signal_perms };
ps_process_pattern($1, gpm_t)
init_labeled_script_domtrans($1, gpm_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 gpm_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, gpm_conf_t)
dev_list_all_dev_nodes($1)
admin_pattern($1, gpmctl_t)
files_search_pids($1)
admin_pattern($1, gpm_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_admin'($*)) dnl
')
## gpsd monitor daemon.
########################################
##
## Execute a domain transition to run gpsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gpsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_domtrans'($*)) dnl
gen_require(`
type gpsd_t, gpsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gpsd_exec_t, gpsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_domtrans'($*)) dnl
')
########################################
##
## Execute gpsd in the gpsd domain, and
## allow the specified role the gpsd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`gpsd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_run'($*)) dnl
gen_require(`
attribute_role gpsd_roles;
')
gpsd_domtrans($1)
roleattribute $2 gpsd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_run'($*)) dnl
')
########################################
##
## Read and write gpsd shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`gpsd_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_rw_shm'($*)) dnl
gen_require(`
type gpsd_t, gpsd_tmpfs_t;
')
allow $1 gpsd_t:shm rw_shm_perms;
allow $1 gpsd_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
allow $1 gpsd_tmpfs_t:file map;
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_rw_shm'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an gpsd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`gpsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_admin'($*)) dnl
gen_require(`
type gpsd_t, gpsd_initrc_exec_t, gpsd_var_run_t;
')
allow $1 gpsd_t:process { ptrace signal_perms };
ps_process_pattern($1, gpsd_t)
init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 gpsd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, gpsd_var_run_t)
gpsd_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_admin'($*)) dnl
')
## policy for gssproxy
########################################
##
## Execute TEMPLATE in the gssproxy domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gssproxy_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_domtrans'($*)) dnl
gen_require(`
type gssproxy_t, gssproxy_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_domtrans'($*)) dnl
')
########################################
##
## Search gssproxy lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_search_lib'($*)) dnl
gen_require(`
type gssproxy_var_lib_t;
')
allow $1 gssproxy_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_search_lib'($*)) dnl
')
########################################
##
## Read gssproxy lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_read_lib_files'($*)) dnl
gen_require(`
type gssproxy_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_read_lib_files'($*)) dnl
')
########################################
##
## Manage gssproxy lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_manage_lib_files'($*)) dnl
gen_require(`
type gssproxy_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_manage_lib_files'($*)) dnl
')
########################################
##
## Manage gssproxy lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_manage_lib_dirs'($*)) dnl
gen_require(`
type gssproxy_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read gssproxy PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_read_pid_files'($*)) dnl
gen_require(`
type gssproxy_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_read_pid_files'($*)) dnl
')
########################################
##
## Execute gssproxy server in the gssproxy domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`gssproxy_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_systemctl'($*)) dnl
gen_require(`
type gssproxy_t;
type gssproxy_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 gssproxy_unit_file_t:file read_file_perms;
allow $1 gssproxy_unit_file_t:service manage_service_perms;
ps_process_pattern($1, gssproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_systemctl'($*)) dnl
')
########################################
##
## Connect to gssproxy over an unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_stream_connect'($*)) dnl
gen_require(`
type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an gssproxy environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`gssproxy_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_admin'($*)) dnl
gen_require(`
type gssproxy_t;
type gssproxy_var_lib_t;
type gssproxy_var_run_t;
type gssproxy_unit_file_t;
')
allow $1 gssproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, gssproxy_t)
files_search_var_lib($1)
admin_pattern($1, gssproxy_var_lib_t)
files_search_pids($1)
admin_pattern($1, gssproxy_var_run_t)
gssproxy_systemctl($1)
admin_pattern($1, gssproxy_unit_file_t)
allow $1 gssproxy_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_admin'($*)) dnl
')
########################################
##
## Read and write to svirt_image devices.
##
##
##
## Domain allowed access.
##
##
#
define(`gssproxy_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_noatsecure'($*)) dnl
gen_require(`
type gssproxy_t;
')
allow $1 gssproxy_t:process { noatsecure rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_noatsecure'($*)) dnl
')
## Least privileged terminal user role.
########################################
##
## Change to the guest role.
##
##
##
## Role allowed access.
##
##
##
#
define(`guest_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `guest_role_change'($*)) dnl
gen_require(`
role guest_r;
')
allow $1 guest_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `guest_role_change'($*)) dnl
')
########################################
##
## Change from the guest role.
##
##
##
## Change from the guest role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`guest_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `guest_role_change_to'($*)) dnl
gen_require(`
role guest_r;
')
allow guest_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `guest_role_change_to'($*)) dnl
')
## Software for reliable, scalable, distributed computing.
#######################################
##
## The template to define a hadoop domain.
##
##
##
## Domain prefix to be used.
##
##
#
define(`hadoop_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domain_template'($*)) dnl
gen_require(`
attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file;
attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file;
attribute hadoop_tmp_file, hadoop_var_lib_file;
type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
type hadoop_exec_t, hadoop_hsperfdata_t;
')
########################################
#
# Declarations
#
type hadoop_$1_t, hadoop_domain;
domain_type(hadoop_$1_t)
domain_entry_file(hadoop_$1_t, hadoop_exec_t)
role system_r types hadoop_$1_t;
type hadoop_$1_initrc_t, hadoop_initrc_domain;
type hadoop_$1_initrc_exec_t, hadoop_init_script_file;
init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
role system_r types hadoop_$1_initrc_t;
type hadoop_$1_initrc_var_run_t, hadoop_pid_file;
files_pid_file(hadoop_$1_initrc_var_run_t)
type hadoop_$1_lock_t, hadoop_lock_file;
files_lock_file(hadoop_$1_lock_t)
type hadoop_$1_log_t, hadoop_log_file;
logging_log_file(hadoop_$1_log_t)
type hadoop_$1_tmp_t, hadoop_tmp_file;
files_tmp_file(hadoop_$1_tmp_t)
type hadoop_$1_var_lib_t, hadoop_var_lib_file;
files_type(hadoop_$1_var_lib_t)
####################################
#
# hadoop_domain policy
#
manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
auth_use_nsswitch(hadoop_$1_t)
####################################
#
# hadoop_initrc_domain policy
#
allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domain_template'($*)) dnl
')
########################################
##
## Role access for hadoop.
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`hadoop_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_role'($*)) dnl
gen_require(`
attribute_role hadoop_roles, zookeeper_roles;
type hadoop_t, zookeeper_t, hadoop_home_t;
type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
')
hadoop_domtrans($2)
roleattribute $1 hadoop_roles;
hadoop_domtrans_zookeeper_client($2)
roleattribute $1 zookeeper_roles;
allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
ps_process_pattern($2, { hadoop_t zookeeper_t })
allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_role'($*)) dnl
')
########################################
##
## Execute hadoop in the
## hadoop domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hadoop_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domtrans'($*)) dnl
gen_require(`
type hadoop_t, hadoop_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, hadoop_exec_t, hadoop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domtrans'($*)) dnl
')
########################################
##
## Receive from hadoop peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom'($*)) dnl
gen_require(`
type hadoop_t;
')
allow $1 hadoop_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom'($*)) dnl
')
########################################
##
## Execute zookeeper client in the
## zookeeper client domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hadoop_domtrans_zookeeper_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domtrans_zookeeper_client'($*)) dnl
gen_require(`
type zookeeper_t, zookeeper_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domtrans_zookeeper_client'($*)) dnl
')
########################################
##
## Receive from zookeeper peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_zookeeper_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_zookeeper_client'($*)) dnl
gen_require(`
type zookeeper_t;
')
allow $1 zookeeper_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_zookeeper_client'($*)) dnl
')
########################################
##
## Execute zookeeper server in the
## zookeeper server domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hadoop_domtrans_zookeeper_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domtrans_zookeeper_server'($*)) dnl
gen_require(`
type zookeeper_server_t, zookeeper_server_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domtrans_zookeeper_server'($*)) dnl
')
########################################
##
## Receive from zookeeper server peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_zookeeper_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_zookeeper_server'($*)) dnl
gen_require(`
type zookeeper_server_t;
')
allow $1 zookeeper_server_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_zookeeper_server'($*)) dnl
')
########################################
##
## Execute zookeeper server in the
## zookeeper domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hadoop_initrc_domtrans_zookeeper_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_initrc_domtrans_zookeeper_server'($*)) dnl
gen_require(`
type zookeeper_server_initrc_exec_t;
')
init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_initrc_domtrans_zookeeper_server'($*)) dnl
')
########################################
##
## Receive from datanode peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_datanode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_datanode'($*)) dnl
gen_require(`
type hadoop_datanode_t;
')
allow $1 hadoop_datanode_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_datanode'($*)) dnl
')
########################################
##
## Read hadoop configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_read_config'($*)) dnl
gen_require(`
type hadoop_etc_t;
')
read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_read_config'($*)) dnl
')
########################################
##
## Execute hadoop configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_exec_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_exec_config'($*)) dnl
gen_require(`
type hadoop_etc_t;
')
hadoop_read_config($1)
allow $1 hadoop_etc_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_exec_config'($*)) dnl
')
########################################
##
## Receive from jobtracker peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_jobtracker',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_jobtracker'($*)) dnl
gen_require(`
type hadoop_jobtracker_t;
')
allow $1 hadoop_jobtracker_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_jobtracker'($*)) dnl
')
########################################
##
## Match hadoop lan association.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_match_lan_spd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_match_lan_spd'($*)) dnl
gen_require(`
type hadoop_lan_t;
')
allow $1 hadoop_lan_t:association polmatch;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_match_lan_spd'($*)) dnl
')
########################################
##
## Receive from namenode peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_namenode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_namenode'($*)) dnl
gen_require(`
type hadoop_namenode_t;
')
allow $1 hadoop_namenode_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_namenode'($*)) dnl
')
########################################
##
## Receive from secondary namenode peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_secondarynamenode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_secondarynamenode'($*)) dnl
gen_require(`
type hadoop_secondarynamenode_t;
')
allow $1 hadoop_secondarynamenode_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_secondarynamenode'($*)) dnl
')
########################################
##
## Receive from tasktracker peer.
##
##
##
## Domain allowed access.
##
##
#
define(`hadoop_recvfrom_tasktracker',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_tasktracker'($*)) dnl
gen_require(`
type hadoop_tasktracker_t;
')
allow $1 hadoop_tasktracker_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_tasktracker'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an hadoop environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`hadoop_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_admin'($*)) dnl
gen_require(`
attribute hadoop_domain;
attribute hadoop_initrc_domain;
attribute hadoop_init_script_file;
attribute hadoop_pid_file;
attribute hadoop_lock_file;
attribute hadoop_log_file;
attribute hadoop_tmp_file;
attribute hadoop_var_lib_file;
type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
type zookeeper_server_var_t;
')
allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
init_labeled_script_domtrans($1, hadoop_init_script_file)
domain_system_change_exemption($1)
role_transition $2 hadoop_init_script_file system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
logging_search_logs($1)
admin_pattern($1, hadoop_log_file)
files_search_locks($1)
admin_pattern($1, hadoop_lock_file)
files_search_pids($1)
admin_pattern($1, hadoop_pid_file)
files_search_tmp($1)
admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t })
files_search_var_lib($1)
admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })
hadoop_role($2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_admin'($*)) dnl
')
## Hard disk temperature tool running as a daemon.
#######################################
##
## Execute a domain transition to run hddtemp.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hddtemp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_domtrans'($*)) dnl
gen_require(`
type hddtemp_t, hddtemp_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_domtrans'($*)) dnl
')
########################################
##
## Execute hddtemp in the hddtemp domain, and
## allow the specified role the hddtemp domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`hddtemp_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_run'($*)) dnl
gen_require(`
type hddtemp_t;
attribute_role hddtemp_roles;
')
hddtemp_domtrans($1)
roleattribute $2 hddtemp_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_run'($*)) dnl
')
######################################
##
## Execute hddtemp in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`hddtemp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_exec'($*)) dnl
gen_require(`
type hddtemp_exec_t;
')
corecmd_search_bin($1)
can_exec($1, hddtemp_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_exec'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an hddtemp environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`hddtemp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_admin'($*)) dnl
gen_require(`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
allow $1 hddtemp_t:process signal_perms;
ps_process_pattern($1, hddtemp_t)
tunable_policy(`deny_ptrace',`',`
allow $1 hddtemp_t:process ptrace;
')
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, hddtemp_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_admin'($*)) dnl
')
## policy for hostapd
########################################
##
## Execute TEMPLATE in the hostapd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hostapd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_domtrans'($*)) dnl
gen_require(`
type hostapd_t, hostapd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, hostapd_exec_t, hostapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_domtrans'($*)) dnl
')
########################################
##
## Execute hostapd server in the hostapd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hostapd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_systemctl'($*)) dnl
gen_require(`
type hostapd_t;
type hostapd_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 hostapd_unit_file_t:file read_file_perms;
allow $1 hostapd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, hostapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_systemctl'($*)) dnl
')
########################################
##
## Read hostapd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`hostapd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_read_pid_files'($*)) dnl
gen_require(`
type hostapd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, hostapd_var_run_t, hostapd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an hostapd environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`hostapd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_admin'($*)) dnl
gen_require(`
type hostapd_t;
type hostapd_unit_file_t;
type hostapd_var_run_t;
')
allow $1 hostapd_t:process { signal_perms };
ps_process_pattern($1, hostapd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 hostapd_t:process ptrace;
')
hostapd_systemctl($1)
admin_pattern($1, hostapd_unit_file_t)
allow $1 hostapd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
admin_pattern($1, hostapd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_admin'($*)) dnl
')
## Port of Apple Rendezvous multicast DNS.
########################################
##
## Send generic signals to howl.
##
##
##
## Domain allowed access.
##
##
#
define(`howl_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `howl_signal'($*)) dnl
gen_require(`
type howl_t;
')
allow $1 howl_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `howl_signal'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an howl environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`howl_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `howl_admin'($*)) dnl
gen_require(`
type howl_t, howl_initrc_exec_t, howl_var_run_t;
')
allow $1 howl_t:process { ptrace signal_perms };
ps_process_pattern($1, howl_t)
init_labeled_script_domtrans($1, howl_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 howl_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, howl_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `howl_admin'($*)) dnl
')
## Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.
########################################
##
## Execute hsqldb_exec_t in the hsqldb domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hsqldb_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_domtrans'($*)) dnl
gen_require(`
type hsqldb_t, hsqldb_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, hsqldb_exec_t, hsqldb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_domtrans'($*)) dnl
')
######################################
##
## Execute hsqldb in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_exec'($*)) dnl
gen_require(`
type hsqldb_exec_t;
')
corecmd_search_bin($1)
can_exec($1, hsqldb_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_exec'($*)) dnl
')
########################################
##
## Do not audit attempts to read,
## hsqldb tmp files
##
##
##
## Domain to not audit.
##
##
#
define(`hsqldb_dontaudit_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_dontaudit_read_tmp_files'($*)) dnl
gen_require(`
type hsqldb_tmp_t;
')
dontaudit $1 hsqldb_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_dontaudit_read_tmp_files'($*)) dnl
')
########################################
##
## Read hsqldb tmp files
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_read_tmp_files'($*)) dnl
gen_require(`
type hsqldb_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_read_tmp_files'($*)) dnl
')
########################################
##
## Manage hsqldb tmp files
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_manage_tmp'($*)) dnl
gen_require(`
type hsqldb_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
manage_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
manage_lnk_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_manage_tmp'($*)) dnl
')
########################################
##
## Search hsqldb lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_search_lib'($*)) dnl
gen_require(`
type hsqldb_var_lib_t;
')
allow $1 hsqldb_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_search_lib'($*)) dnl
')
########################################
##
## Read hsqldb lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_read_lib_files'($*)) dnl
gen_require(`
type hsqldb_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_read_lib_files'($*)) dnl
')
########################################
##
## Manage hsqldb lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_manage_lib_files'($*)) dnl
gen_require(`
type hsqldb_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_manage_lib_files'($*)) dnl
')
########################################
##
## Manage hsqldb lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_manage_lib_dirs'($*)) dnl
gen_require(`
type hsqldb_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute hsqldb server in the hsqldb domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hsqldb_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_systemctl'($*)) dnl
gen_require(`
type hsqldb_t;
type hsqldb_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 hsqldb_unit_file_t:file read_file_perms;
allow $1 hsqldb_unit_file_t:service manage_service_perms;
ps_process_pattern($1, hsqldb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an hsqldb environment
##
##
##
## Domain allowed access.
##
##
#
define(`hsqldb_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_admin'($*)) dnl
gen_require(`
type hsqldb_t;
type hsqldb_tmp_t;
type hsqldb_var_lib_t;
type hsqldb_unit_file_t;
')
allow $1 hsqldb_t:process { signal_perms };
ps_process_pattern($1, hsqldb_t)
tunable_policy(`deny_ptrace',`',`
allow $1 hsqldb_t:process ptrace;
')
files_search_tmp($1)
admin_pattern($1, hsqldb_tmp_t)
files_search_var_lib($1)
admin_pattern($1, hsqldb_var_lib_t)
hsqldb_systemctl($1)
admin_pattern($1, hsqldb_unit_file_t)
allow $1 hsqldb_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_admin'($*)) dnl
')
## Dump topology and locality information from hardware tables.
########################################
##
## Execute hwloc dhwd in the hwloc dhwd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hwloc_domtrans_dhwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_domtrans_dhwd'($*)) dnl
gen_require(`
type hwloc_dhwd_t, hwloc_dhwd_exec_t;
')
domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_domtrans_dhwd'($*)) dnl
')
########################################
##
## Execute hwloc dhwd in the hwloc dhwd domain, and
## allow the specified role the hwloc dhwd domain,
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`hwloc_run_dhwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_run_dhwd'($*)) dnl
gen_require(`
attribute_role hwloc_dhwd_roles;
')
hwloc_domtrans_dhwd($1)
roleattribute $2 hwloc_dhwd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_run_dhwd'($*)) dnl
')
########################################
##
## Execute hwloc dhwd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`hwloc_exec_dhwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_exec_dhwd'($*)) dnl
gen_require(`
type hwloc_dhwd_exec_t;
')
can_exec($1, hwloc_dhwd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_exec_dhwd'($*)) dnl
')
########################################
##
## Read hwloc runtime files.
##
##
##
## Domain allowed access.
##
##
#
define(`hwloc_read_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_read_runtime_files'($*)) dnl
gen_require(`
type hwloc_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_read_runtime_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an hwloc environment.
##
##
##
## Domain allowed access.
##
##
##
#
define(`hwloc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_admin'($*)) dnl
gen_require(`
type hwloc_dhwd_t, hwloc_var_run_t;
')
allow $1 hwloc_dhwd_t:process { signal_perms };
ps_process_pattern($1, hwloc_dhwd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 hwloc_dhwd_t:process ptrace;
')
admin_pattern($1, hwloc_var_run_t)
files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_admin'($*)) dnl
')
## policy for hypervkvp
########################################
##
## Execute TEMPLATE in the hypervkvp domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hypervkvp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_domtrans'($*)) dnl
gen_require(`
type hypervkvp_t, hypervkvp_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_domtrans'($*)) dnl
')
########################################
##
## Search hypervkvp lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`hypervkvp_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_search_lib'($*)) dnl
gen_require(`
type hypervkvp_var_lib_t;
')
allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_search_lib'($*)) dnl
')
########################################
##
## Read hypervkvp lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`hypervkvp_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_read_lib_files'($*)) dnl
gen_require(`
type hypervkvp_var_lib_t;
')
files_search_var_lib($1)
allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## hypervkvp lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`hypervkvp_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_manage_lib_files'($*)) dnl
gen_require(`
type hypervkvp_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_manage_lib_files'($*)) dnl
')
#######################################
##
## Execute hypervkvp server in the hypervkvp domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hypervkvp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_systemctl'($*)) dnl
gen_require(`
type hypervkvp_t;
type hypervkvp_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 hypervkvp_unit_file_t:file read_file_perms;
allow $1 hypervkvp_unit_file_t:service manage_service_perms;
ps_process_pattern($1, hypervkvp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an hypervkvp environment
##
##
##
## Domain allowed access.
##
##
#
define(`hypervkvp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_admin'($*)) dnl
gen_require(`
type hypervkvp_t;
type hypervkvp_unit_file_t;
')
allow $1 hypervkvp_t:process signal_perms;
ps_process_pattern($1, hypervkvp_t)
tunable_policy(`deny_ptrace',`',`
allow $1 hypervkvp_t:process ptrace;
')
hypervkvp_manage_lib_files($1)
hypervkvp_systemctl($1)
admin_pattern($1, hypervkvp_unit_file_t)
allow $1 hypervkvp_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_admin'($*)) dnl
')
## IIIMF htt server.
########################################
##
## Use i18n_input over a TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`i18n_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `i18n_use'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `i18n_use'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an i18n input environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`i18n_input_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `i18n_input_admin'($*)) dnl
gen_require(`
type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_var_run_t;
type i18n_input_log_t;
')
allow $1 i18n_input_t:process { ptrace signal_perms };
ps_process_pattern($1, i18n_input_t)
init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 i18n_input_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, i18n_input_var_run_t)
logging_search_logs($1)
admin_pattern($1, i18n_input_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `i18n_input_admin'($*)) dnl
')
## policy for ibacm
########################################
##
## Execute ibacm_exec_t in the ibacm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ibacm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_domtrans'($*)) dnl
gen_require(`
type ibacm_t, ibacm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ibacm_exec_t, ibacm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_domtrans'($*)) dnl
')
######################################
##
## Execute ibacm in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ibacm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_exec'($*)) dnl
gen_require(`
type ibacm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ibacm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_exec'($*)) dnl
')
########################################
##
## Read ibacm's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ibacm_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_read_log'($*)) dnl
gen_require(`
type ibacm_log_t;
')
logging_search_logs($1)
read_files_pattern($1, ibacm_log_t, ibacm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_read_log'($*)) dnl
')
########################################
##
## Append to ibacm log files.
##
##
##
## Domain allowed access.
##
##
#
define(`ibacm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_append_log'($*)) dnl
gen_require(`
type ibacm_log_t;
')
logging_search_logs($1)
append_files_pattern($1, ibacm_log_t, ibacm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_append_log'($*)) dnl
')
########################################
##
## Manage ibacm log files
##
##
##
## Domain allowed access.
##
##
#
define(`ibacm_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_manage_log'($*)) dnl
gen_require(`
type ibacm_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, ibacm_log_t, ibacm_log_t)
manage_files_pattern($1, ibacm_log_t, ibacm_log_t)
manage_lnk_files_pattern($1, ibacm_log_t, ibacm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_manage_log'($*)) dnl
')
########################################
##
## Read ibacm PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`ibacm_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_read_pid_files'($*)) dnl
gen_require(`
type ibacm_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, ibacm_var_run_t, ibacm_var_run_t)
read_lnk_files_pattern($1, ibacm_var_run_t, ibacm_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ibacm environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ibacm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_admin'($*)) dnl
gen_require(`
type ibacm_t;
type ibacm_log_t;
type ibacm_var_run_t;
')
allow $1 ibacm_t:process { signal_perms };
ps_process_pattern($1, ibacm_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ibacm_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, ibacm_log_t)
files_search_pids($1)
admin_pattern($1, ibacm_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_admin'($*)) dnl
')
#######################################
##
## Allow caller to create netlink rdma socket for ibacm
##
##
##
## Domain allowed access.
##
##
#
define(`ibacm_create_netlink_rdma_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_create_netlink_rdma_socket'($*)) dnl
gen_require(`
type ibacm_t;
')
allow $1 ibacm_t:netlink_rdma_socket create_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_create_netlink_rdma_socket'($*)) dnl
')
## policy for ica
########################################
##
## Read and map ica tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`ica_read_map_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ica_read_map_tmpfs_files'($*)) dnl
gen_require(`
type ica_tmpfs_t;
')
fs_search_tmpfs($1)
mmap_read_files_pattern($1, ica_tmpfs_t, ica_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ica_read_map_tmpfs_files'($*)) dnl
')
########################################
##
## Read, write, and map ica tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`ica_rw_map_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ica_rw_map_tmpfs_files'($*)) dnl
gen_require(`
type ica_tmpfs_t;
')
fs_search_tmpfs($1)
mmap_rw_files_pattern($1, ica_tmpfs_t, ica_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ica_rw_map_tmpfs_files'($*)) dnl
')
########################################
##
## Transition to ica named content
##
##
##
## Domain allowed access.
##
##
#
define(`ica_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ica_filetrans_named_content'($*)) dnl
gen_require(`
type ica_tmpfs_t;
')
allow $1 ica_tmpfs_t:file create_file_perms;
fs_tmpfs_filetrans($1, ica_tmpfs_t, file, "icastats_0")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ica_filetrans_named_content'($*)) dnl
')
## ShoutCast compatible streaming media server.
########################################
##
## Execute a domain transition to run icecast.
##
##
##
## Domain allowed to transition.
##
##
#
define(`icecast_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_domtrans'($*)) dnl
gen_require(`
type icecast_t, icecast_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, icecast_exec_t, icecast_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_domtrans'($*)) dnl
')
########################################
##
## Send generic signals to icecast.
##
##
##
## Domain allowed access.
##
##
#
define(`icecast_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_signal'($*)) dnl
gen_require(`
type icecast_t;
')
allow $1 icecast_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_signal'($*)) dnl
')
########################################
##
## Execute icecast server in the icecast domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`icecast_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_initrc_domtrans'($*)) dnl
gen_require(`
type icecast_initrc_exec_t;
')
init_labeled_script_domtrans($1, icecast_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_initrc_domtrans'($*)) dnl
')
########################################
##
## Read icecast pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`icecast_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_read_pid_files'($*)) dnl
gen_require(`
type icecast_var_run_t;
')
files_search_pids($1)
allow $1 icecast_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## icecast pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`icecast_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_manage_pid_files'($*)) dnl
gen_require(`
type icecast_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_manage_pid_files'($*)) dnl
')
########################################
##
## Read icecast log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`icecast_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_read_log'($*)) dnl
gen_require(`
type icecast_log_t;
')
logging_search_logs($1)
read_files_pattern($1, icecast_log_t, icecast_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_read_log'($*)) dnl
')
########################################
##
## Append icecast log files.
##
##
##
## Domain allowed access.
##
##
#
define(`icecast_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_append_log'($*)) dnl
gen_require(`
type icecast_log_t;
')
logging_search_logs($1)
append_files_pattern($1, icecast_log_t, icecast_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## icecast log files.
##
##
##
## Domain allow access.
##
##
#
define(`icecast_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_manage_log'($*)) dnl
gen_require(`
type icecast_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, icecast_log_t, icecast_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_manage_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an icecast environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`icecast_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_admin'($*)) dnl
gen_require(`
type icecast_t, icecast_initrc_exec_t, icecast_log_t;
type icecast_var_run_t;
')
allow $1 icecast_t:process signal_perms;
ps_process_pattern($1, icecast_t)
tunable_policy(`deny_ptrace',`',`
allow $1 icecast_t:process ptrace;
')
# Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
allow $2 system_r;
allow $1 icecast_t:process { ptrace signal_perms };
ps_process_pattern($1, icecast_t)
logging_search_logs($1)
admin_pattern($1, icecast_log_t)
files_search_pids($1)
admin_pattern($1, icecast_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_admin'($*)) dnl
')
## Bring up/down ethernet interfaces based on cable detection.
########################################
##
## Execute a domain transition to run ifplugd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ifplugd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ifplugd_domtrans'($*)) dnl
gen_require(`
type ifplugd_t, ifplugd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ifplugd_domtrans'($*)) dnl
')
########################################
##
## Send generic signals to ifplugd.
##
##
##
## Domain allowed access.
##
##
#
define(`ifplugd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ifplugd_signal'($*)) dnl
gen_require(`
type ifplugd_t;
')
allow $1 ifplugd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ifplugd_signal'($*)) dnl
')
########################################
##
## Read ifplugd configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ifplugd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ifplugd_read_config'($*)) dnl
gen_require(`
type ifplugd_etc_t;
')
files_search_etc($1)
read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ifplugd_read_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## ifplugd configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`ifplugd_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ifplugd_manage_config'($*)) dnl
gen_require(`
type ifplugd_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ifplugd_manage_config'($*)) dnl
')
########################################
##
## Read ifplugd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ifplugd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ifplugd_read_pid_files'($*)) dnl
gen_require(`
type ifplugd_var_run_t;
')
files_search_pids($1)
allow $1 ifplugd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ifplugd_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an ifplugd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ifplugd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ifplugd_admin'($*)) dnl
gen_require(`
type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
type ifplugd_initrc_exec_t;
')
allow $1 ifplugd_t:process signal_perms;
ps_process_pattern($1, ifplugd_t)
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ifplugd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ifplugd_etc_t)
files_list_pids($1)
admin_pattern($1, ifplugd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ifplugd_admin'($*)) dnl
')
## iMaze game server.
## Internet services daemon.
########################################
##
## Define the specified domain as a inetd service.
##
##
##
## Define the specified domain as a inetd service. The
## inetd_service_domain(), inetd_tcp_service_domain(),
## or inetd_udp_service_domain() interfaces should be used
## instead of this interface, as this interface only provides
## the common rules to these three interfaces.
##
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_core_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_core_service_domain'($*)) dnl
gen_require(`
type inetd_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(inetd_t, $2, $1)
allow inetd_t $1:process { siginh sigkill };
init_domain($1, $2)
optional_policy(`
abrt_stream_connect($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_core_service_domain'($*)) dnl
')
########################################
##
## Define the specified domain as a TCP inetd service.
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_tcp_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_tcp_service_domain'($*)) dnl
gen_require(`
type inetd_t;
')
inetd_core_service_domain($1, $2)
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_tcp_service_domain'($*)) dnl
')
########################################
##
## Define the specified domain as a UDP inetd service.
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_udp_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_udp_service_domain'($*)) dnl
gen_require(`
type inetd_t;
')
inetd_core_service_domain($1, $2)
allow $1 inetd_t:udp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_udp_service_domain'($*)) dnl
')
########################################
##
## Define the specified domain as a TCP and UDP inetd service.
##
##
##
## The type associated with the inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`inetd_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_service_domain'($*)) dnl
gen_require(`
type inetd_t;
')
inetd_core_service_domain($1, $2)
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
allow $1 inetd_t:udp_socket rw_socket_perms;
optional_policy(`
stunnel_service_domain($1, $2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_service_domain'($*)) dnl
')
########################################
##
## Inherit and use inetd file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_use_fds'($*)) dnl
gen_require(`
type inetd_t;
')
allow $1 inetd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_use_fds'($*)) dnl
')
########################################
##
## Connect to the inetd service using a TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_tcp_connect'($*)) dnl
')
########################################
##
## Run inetd child process in the
## inet child domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`inetd_domtrans_child',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_domtrans_child'($*)) dnl
gen_require(`
type inetd_child_t, inetd_child_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_domtrans_child'($*)) dnl
')
########################################
##
## Send UDP network traffic to inetd. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_udp_send'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_udp_send'($*)) dnl
')
########################################
##
## Read and write inetd TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`inetd_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inetd_rw_tcp_sockets'($*)) dnl
gen_require(`
type inetd_t;
')
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inetd_rw_tcp_sockets'($*)) dnl
')
## Internet News NNTP server.
########################################
##
## Execute innd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_exec'($*)) dnl
gen_require(`
type innd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, innd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_exec'($*)) dnl
')
########################################
##
## Execute inn configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_exec_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_exec_config'($*)) dnl
gen_require(`
type innd_etc_t;
')
files_search_etc($1)
exec_files_pattern($1, innd_etc_t, innd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_exec_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## innd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_manage_log'($*)) dnl
gen_require(`
type innd_log_t;
')
manage_files_pattern($1, innd_log_t, innd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_manage_log'($*)) dnl
')
########################################
##
## Create specified objects in generic
## log directories with the innd log file type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`inn_generic_log_filetrans_innd_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_generic_log_filetrans_innd_log'($*)) dnl
gen_require(`
type innd_log_t;
')
logging_log_filetrans($1, innd_log_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_generic_log_filetrans_innd_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## innd pid content.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_manage_pid'($*)) dnl
gen_require(`
type innd_var_run_t;
')
files_search_pids($1)
allow $1 innd_var_run_t:dir manage_dir_perms;
allow $1 innd_var_run_t:file manage_file_perms;
allow $1 innd_var_run_t:sock_file manage_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_manage_pid'($*)) dnl
')
########################################
##
## Read innd configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_read_config'($*)) dnl
gen_require(`
type innd_etc_t;
')
files_search_etc($1)
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_read_config'($*)) dnl
')
########################################
##
## Read innd news library content.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_read_news_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_read_news_lib'($*)) dnl
gen_require(`
type innd_var_lib_t;
')
files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_read_news_lib'($*)) dnl
')
########################################
##
## Write innd inherited news library content.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_write_inherited_news_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_write_inherited_news_lib'($*)) dnl
gen_require(`
type innd_var_lib_t;
')
allow $1 innd_var_lib_t:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_write_inherited_news_lib'($*)) dnl
')
########################################
##
## Read innd news spool content.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_read_news_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_read_news_spool'($*)) dnl
gen_require(`
type news_spool_t;
')
files_search_spool($1)
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_read_news_spool'($*)) dnl
')
########################################
##
## Send to a innd unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`inn_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_dgram_send'($*)) dnl
gen_require(`
type innd_t, innd_var_run_t;
')
files_search_pids($1)
dgram_send_pattern($1, innd_var_run_t, innd_var_run_t, innd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_dgram_send'($*)) dnl
')
########################################
##
## Execute innd in the innd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`inn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_domtrans'($*)) dnl
gen_require(`
type innd_t, innd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, innd_exec_t, innd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an inn environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`inn_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_admin'($*)) dnl
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
type news_spool_t, innd_var_lib_t, innd_var_run_t;
type innd_initrc_exec_t;
')
allow $1 innd_t:process signal_perms;
ps_process_pattern($1, innd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 innd_t:process ptrace;
')
init_labeled_script_domtrans($1, innd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 innd_initrc_exec_t system_r;
allow $2 system_r;
allow $1 innd_t:process { ptrace signal_perms };
ps_process_pattern($1, innd_t)
files_list_etc($1)
admin_pattern($1, innd_etc_t)
logging_list_logs($1)
admin_pattern($1, innd_log_t)
files_list_var_lib($1)
admin_pattern($1, innd_var_lib_t)
files_list_pids($1)
admin_pattern($1, innd_var_run_t)
files_list_spool($1)
admin_pattern($1, news_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_admin'($*)) dnl
')
## IP over DNS tunneling daemon.
########################################
##
## Execute NetworkManager with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iodined_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iodined_domtrans'($*)) dnl
gen_require(`
type iodined_t, iodined_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, iodined_exec_t, iodined_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iodined_domtrans'($*)) dnl
')
########################################
##
## Execute iodined server in the iodined domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iodined_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iodined_systemctl'($*)) dnl
gen_require(`
type iodined_t;
type iodined_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 iodined_unit_file_t:file read_file_perms;
allow $1 iodined_unit_file_t:service manage_service_perms;
ps_process_pattern($1, iodined_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iodined_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an iodined environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`iodined_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iodined_admin'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use iodine_admin() instead.')
iodine_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iodined_admin'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an iodined environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`iodine_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iodine_admin'($*)) dnl
gen_require(`
type iodined_t, iodined_initrc_exec_t;
')
allow $1 iodined_t:process { ptrace signal_perms };
ps_process_pattern($1, iodined_t)
init_labeled_script_domtrans($1, iodined_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 iodined_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iodine_admin'($*)) dnl
')
## Simple top-like I/O monitor
########################################
##
## Allow execution of iotop in the iotop domain from the target domain.
##
##
##
## Domain allowed to transition to iotop.
##
##
#
define(`iotop_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iotop_domtrans'($*)) dnl
gen_require(`
type iotop_t, iotop_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, iotop_exec_t, iotop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iotop_domtrans'($*)) dnl
')
########################################
##
## Execute iotop in the iotop domain, and
## allow the specified role to access the iotop domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed into the iotop domain.
##
##
#
define(`iotop_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iotop_run'($*)) dnl
gen_require(`
type iotop_t;
attribute_role iotop_roles;
')
iotop_domtrans($1)
roleattribute $2 iotop_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iotop_run'($*)) dnl
')
## Policy for IPA services.
########################################
##
## Execute rtas_errd in the rtas_errd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipa_domtrans_otpd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_domtrans_otpd'($*)) dnl
gen_require(`
type ipa_otpd_t, ipa_otpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_domtrans_otpd'($*)) dnl
')
########################################
##
## Connect to ipa-otpd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_stream_connect_otpd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_stream_connect_otpd'($*)) dnl
gen_require(`
type ipa_otpd_t;
')
allow $1 ipa_otpd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_stream_connect_otpd'($*)) dnl
')
########################################
##
## Connect to ipa-ods-exporter over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_stream_connect_ods_exporter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_stream_connect_ods_exporter'($*)) dnl
gen_require(`
type ipa_ods_exporter_t;
')
allow $1 ipa_ods_exporter_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_stream_connect_ods_exporter'($*)) dnl
')
########################################
##
## Execute ipa-helper in the ipa_helper domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipa_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_domtrans_helper'($*)) dnl
gen_require(`
type ipa_helper_t, ipa_helper_exec_t;
')
domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_domtrans_helper'($*)) dnl
')
########################################
##
## Execute ipa-helper in the ipa_helper domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`ipa_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_run_helper'($*)) dnl
gen_require(`
type ipa_helper_t;
attribute_role ipa_helper_roles;
')
ipa_domtrans_helper($1)
roleattribute $2 ipa_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_run_helper'($*)) dnl
')
########################################
##
## Allow domain to manage ipa lib files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_search_lib'($*)) dnl
gen_require(`
type ipa_var_lib_t;
')
search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_search_lib'($*)) dnl
')
########################################
##
## Allow domain to manage ipa lib files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_manage_lib'($*)) dnl
gen_require(`
type ipa_var_lib_t;
')
manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_manage_lib'($*)) dnl
')
########################################
##
## Allow domain to manage ipa log files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_manage_log'($*)) dnl
gen_require(`
type ipa_log_t;
')
manage_files_pattern($1, ipa_log_t, ipa_log_t)
manage_dirs_pattern($1, ipa_log_t, ipa_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_manage_log'($*)) dnl
')
########################################
##
## Allow domain to manage ipa lib files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_read_lib'($*)) dnl
gen_require(`
type ipa_var_lib_t;
')
read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_read_lib'($*)) dnl
')
########################################
##
## Allow domain to manage ipa run files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_manage_pid_files'($*)) dnl
gen_require(`
type ipa_var_run_t;
')
manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_manage_pid_files'($*)) dnl
')
########################################
##
## Create specified objects in generic
## pid directories with the ipa pid file type.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`ipa_filetrans_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_filetrans_pid'($*)) dnl
gen_require(`
type ipa_var_run_t;
')
files_pid_filetrans($1, ipa_var_run_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_filetrans_pid'($*)) dnl
')
########################################
##
## Allow domain to manage ipa tmp files
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_delete_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_delete_tmp'($*)) dnl
gen_require(`
type ipa_tmp_t;
')
files_search_tmp($1)
allow $1 ipa_tmp_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_delete_tmp'($*)) dnl
')
########################################
##
## Create log files with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_named_filetrans_log_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_named_filetrans_log_dir'($*)) dnl
gen_require(`
type ipa_log_t;
')
logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_named_filetrans_log_dir'($*)) dnl
')
#######################################
##
## Allow domain to create /tmp/ca.p12
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_filetrans_named_content'($*)) dnl
gen_require(`
type ipa_tmp_t;
')
files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_filetrans_named_content'($*)) dnl
')
########################################
##
## Create file ipasession.key in cert_t dir
## with ipa_cert_t type
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_cert_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_cert_filetrans_named_content'($*)) dnl
gen_require(`
type ipa_cert_t;
type cert_t;
')
filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")
manage_files_pattern($1, ipa_cert_t, ipa_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_cert_filetrans_named_content'($*)) dnl
')
########################################
##
## Allow domain to read ipa tmp files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_read_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_read_tmp'($*)) dnl
gen_require(`
type ipa_tmp_t;
')
read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_read_tmp'($*)) dnl
')
########################################
##
## Execute ipa_custodia_exec_t in the ipa_custodia domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipa_custodia_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_custodia_domtrans'($*)) dnl
gen_require(`
type ipa_custodia_t, ipa_custodia_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_custodia_domtrans'($*)) dnl
')
######################################
##
## Execute ipa_custodia in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_custodia_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_custodia_exec'($*)) dnl
gen_require(`
type ipa_custodia_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ipa_custodia_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_custodia_exec'($*)) dnl
')
#####################################
##
## Connect to ipa_custodia with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_custodia_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_custodia_stream_connect'($*)) dnl
gen_require(`
type ipa_custodia_t;
')
allow $1 ipa_custodia_t:unix_stream_socket { connectto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_custodia_stream_connect'($*)) dnl
')
########################################
##
## Allow ipa_helper noatsecure
##
##
##
## Domain allowed access.
##
##
#
define(`ipa_helper_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipa_helper_noatsecure'($*)) dnl
gen_require(`
type ipa_helper_t;
')
allow $1 ipa_helper_t:process { noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipa_helper_noatsecure'($*)) dnl
')
## IPMI event daemon for sending events to syslog.
########################################
##
## Execute ipmievd_exec_t in the ipmievd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipmievd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_domtrans'($*)) dnl
gen_require(`
type ipmievd_t, ipmievd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipmievd_domtrans'($*)) dnl
')
######################################
##
## Execute ipmievd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ipmievd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_exec'($*)) dnl
gen_require(`
type ipmievd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ipmievd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipmievd_exec'($*)) dnl
')
########################################
##
## Read ipmievd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipmievd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_read_pid_files'($*)) dnl
gen_require(`
type ipmievd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipmievd_read_pid_files'($*)) dnl
')
########################################
##
## Execute ipmievd server in the ipmievd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipmievd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_systemctl'($*)) dnl
gen_require(`
type ipmievd_t;
type ipmievd_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 ipmievd_unit_file_t:file read_file_perms;
allow $1 ipmievd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ipmievd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipmievd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ipmievd environment
##
##
##
## Domain allowed access.
##
##
#
define(`ipmievd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_admin'($*)) dnl
gen_require(`
type ipmievd_t;
type ipmievd_var_run_t;
type ipmievd_unit_file_t;
')
allow $1 ipmievd_t:process { signal_perms };
ps_process_pattern($1, ipmievd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ipmievd_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, ipmievd_var_run_t)
ipmievd_systemctl($1)
admin_pattern($1, ipmievd_unit_file_t)
allow $1 ipmievd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipmievd_admin'($*)) dnl
')
## IRC client policy.
########################################
##
## Role access for IRC.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`irc_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `irc_role'($*)) dnl
gen_require(`
attribute_role irc_roles;
type irc_t, irc_exec_t, irc_home_t;
type irc_tmp_t, irc_log_home_t;
type irssi_t, irssi_exec_t, irssi_home_t;
')
########################################
#
# Declarations
#
roleattribute $1 irc_roles;
########################################
#
# Policy
#
domtrans_pattern($2, irc_exec_t, irc_t)
ps_process_pattern($2, irc_t)
allow $2 irc_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 irc_t:process ptrace;
')
domtrans_pattern($2, irssi_exec_t, irssi_t)
allow $2 irssi_t:process signal_perms;
ps_process_pattern($2, irssi_t)
tunable_policy(`deny_ptrace',`',`
allow $2 irssi_t:process ptrace;
')
allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
irc_filetrans_home_content($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `irc_role'($*)) dnl
')
#######################################
##
## Transition to alsa named content
##
##
##
## Domain allowed access.
##
##
#
define(`irc_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `irc_filetrans_home_content'($*)) dnl
gen_require(`
type irc_home_t;
type irssi_home_t;
')
userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `irc_filetrans_home_content'($*)) dnl
')
## IRC servers.
########################################
##
## All of the rules required to
## administrate an ircd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ircd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ircd_admin'($*)) dnl
gen_require(`
type ircd_t, ircd_initrc_exec_t, ircd_etc_t;
type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
')
init_labeled_script_domtrans($1, ircd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ircd_initrc_exec_t system_r;
allow $2 system_r;
allow $1 ircd_t:process { ptrace signal_perms };
ps_process_pattern($1, ircd_t)
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
admin_pattern($1, ircd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ircd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ircd_admin'($*)) dnl
')
## IRQ balancing daemon.
########################################
##
## All of the rules required to
## administrate an irqbalance environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`irqbalance_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `irqbalance_admin'($*)) dnl
gen_require(`
type irqbalance_t, irqbalance_initrc_exec_t, irqbalance_var_run_t;
')
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 irqbalance_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, irqbalance_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `irqbalance_admin'($*)) dnl
')
## Establish connections to iSCSI devices.
########################################
##
## Execute a domain transition to run iscsid.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iscsid_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsid_domtrans'($*)) dnl
gen_require(`
type iscsid_t, iscsid_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsid_domtrans'($*)) dnl
')
########################################
##
## Execute iscsid programs in the iscsid domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the iscsid domain.
##
##
##
#
define(`iscsid_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsid_run'($*)) dnl
gen_require(`
attribute_role iscsid_roles;
')
iscsid_domtrans($1)
roleattribute $2 iscsid_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsid_run'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## iscsid lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`iscsi_manage_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_manage_lock'($*)) dnl
gen_require(`
type iscsi_lock_t;
')
files_search_locks($1)
manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_manage_lock'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## iscsid sempaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`iscsi_manage_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_manage_semaphores'($*)) dnl
gen_require(`
type iscsid_t;
')
allow $1 iscsid_t:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_manage_semaphores'($*)) dnl
')
########################################
##
## Connect to iscsid using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`iscsi_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_stream_connect'($*)) dnl
gen_require(`
type iscsid_t, iscsi_var_lib_t;
')
files_search_var_lib($1)
stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_stream_connect'($*)) dnl
')
########################################
##
## Read iscsid lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`iscsi_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_read_lib_files'($*)) dnl
gen_require(`
type iscsi_var_lib_t;
')
read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
allow $1 iscsi_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_read_lib_files'($*)) dnl
')
########################################
##
## Transition to iscsi named content
##
##
##
## Domain allowed access.
##
##
#
define(`iscsi_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_filetrans_named_content'($*)) dnl
gen_require(`
type iscsi_lock_t;
')
files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_filetrans_named_content'($*)) dnl
')
########################################
##
## Execute iscsi server in the iscsi domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iscsi_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_systemctl'($*)) dnl
gen_require(`
type iscsid_t;
type iscsi_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 iscsi_unit_file_t:file read_file_perms;
allow $1 iscsi_unit_file_t:service manage_service_perms;
ps_process_pattern($1, iscsid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an iscsi environment.
##
##
##
## Domain allowed access.
##
##
##
#
define(`iscsi_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_admin'($*)) dnl
gen_require(`
type iscsid_t, iscsi_lock_t, iscsi_log_t;
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
type iscsi_unit_file_t;
')
allow $1 iscsid_t:process { ptrace signal_perms };
ps_process_pattern($1, iscsid_t)
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 iscsi_unit_file_t:file manage_file_perms;
allow $1 iscsi_unit_file_t:service manage_service_perms;
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
files_search_locks($1)
admin_pattern($1, iscsi_lock_t)
files_search_var_lib($1)
admin_pattern($1, iscsi_var_lib_t)
files_search_pids($1)
admin_pattern($1, iscsi_var_run_t)
files_search_tmp($1)
admin_pattern($1, iscsi_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_admin'($*)) dnl
')
########################################
##
## Read iscsi PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`iscsi_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iscsi_read_pid_files'($*)) dnl
gen_require(`
type iscsi_var_run_t;
')
allow $1 iscsi_var_run_t:file read_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iscsi_read_pid_files'($*)) dnl
')
## Internet Storage Name Service.
########################################
##
## All of the rules required to
## administrate an isnsd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`isnsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `isnsd_admin'($*)) dnl
gen_require(`
type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t;
type isnsd_var_run_t;
')
allow $1 isnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, isnsd_t)
init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 isnsd_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, isnsd_var_lib_t)
files_search_pids($1)
admin_pattern($1, isnsd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `isnsd_admin'($*)) dnl
')
## Jabber instant messaging server
#####################################
##
## Creates types and rules for a basic
## jabber init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`jabber_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabber_domain_template'($*)) dnl
gen_require(`
attribute jabberd_domain;
')
##############################
#
# $1_t declarations
#
type $1_t, jabberd_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
kernel_read_system_state($1_t)
corenet_all_recvfrom_netlabel($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabber_domain_template'($*)) dnl
')
#######################################
##
## Execute a domain transition to run jabberd services
##
##
##
## Domain allowed to transition.
##
##
#
define(`jabber_domtrans_jabberd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabber_domtrans_jabberd'($*)) dnl
gen_require(`
type jabberd_t, jabberd_exec_t;
')
domtrans_pattern($1, jabberd_exec_t, jabberd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabber_domtrans_jabberd'($*)) dnl
')
######################################
##
## Execute a domain transition to run jabberd router service
##
##
##
## Domain allowed to transition.
##
##
#
define(`jabber_domtrans_jabberd_router',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabber_domtrans_jabberd_router'($*)) dnl
gen_require(`
type jabberd_router_t, jabberd_router_exec_t;
')
domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabber_domtrans_jabberd_router'($*)) dnl
')
#######################################
##
## Read jabberd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`jabberd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabberd_read_lib_files'($*)) dnl
gen_require(`
type jabberd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabberd_read_lib_files'($*)) dnl
')
#######################################
##
## Dontaudit inherited read jabberd lib files.
##
##
##
## Domain to not audit.
##
##
#
define(`jabberd_dontaudit_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabberd_dontaudit_read_lib_files'($*)) dnl
gen_require(`
type jabberd_var_lib_t;
')
dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabberd_dontaudit_read_lib_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## jabberd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`jabberd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabberd_manage_lib_files'($*)) dnl
gen_require(`
type jabberd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabberd_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an jabber environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the jabber domain.
##
##
##
#
define(`jabber_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jabber_admin'($*)) dnl
gen_require(`
type jabberd_t, jabberd_var_lib_t;
type jabberd_initrc_exec_t, jabberd_router_t;
type jabberd_lock_t;
type jabberd_var_spool_t;
')
allow $1 jabberd_t:process signal_perms;
ps_process_pattern($1, jabberd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 jabberd_t:process ptrace;
allow $1 jabberd_router_t:process ptrace;
')
allow $1 jabberd_router_t:process signal_perms;
ps_process_pattern($1, jabberd_router_t)
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
files_search_locks($1)
admin_pattern($1, jabberd_lock_t)
files_search_spool($1)
admin_pattern($1, jabberd_var_spool_t)
files_search_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jabber_admin'($*)) dnl
')
## Java virtual machine
########################################
##
## Role access for java.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`java_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_role'($*)) dnl
gen_require(`
attribute_role java_roles;
type java_t, java_exec_t, java_tmp_t;
type java_tmpfs_t;
')
########################################
#
# Declarations
#
roleattribute $1 java_roles;
########################################
#
# Policy
#
domtrans_pattern($2, java_exec_t, java_t)
allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
ps_process_pattern($2, java_t)
allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow java_t $2:process signull;
allow java_t $2:unix_stream_socket connectto;
allow java_t $2:unix_stream_socket { read write };
allow java_t $2:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_role'($*)) dnl
')
#######################################
##
## The role template for the java module.
##
##
##
## This template creates a derived domains which are used
## for java applications.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`java_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_role_template'($*)) dnl
gen_require(`
attribute java_domain;
type java_exec_t, java_tmp_t, java_tmpfs_t;
type java_home_t;
')
########################################
#
# Declarations
#
type $1_java_t, java_domain;
userdom_user_application_domain($1_java_t, java_exec_t)
role $2 types $1_java_t;
########################################
#
# Policy
#
domtrans_pattern($3, java_exec_t, $1_java_t)
allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms };
ps_process_pattern($3, $1_java_t)
allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { java_tmp_t java_tmpfs_t java_home_t }:file { manage_file_perms relabel_file_perms };
allow $3 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $3 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $3 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
userdom_user_home_dir_filetrans($3, java_home_t, dir, ".java")
allow $1_java_t $3:process signull;
allow $1_java_t $3:unix_stream_socket connectto;
allow $1_java_t $3:unix_stream_socket { read write };
allow $1_java_t $3:tcp_socket { read write };
corecmd_bin_domtrans($1_java_t, $3)
auth_use_nsswitch($1_java_t)
optional_policy(`
xserver_role($2, $1_java_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_role_template'($*)) dnl
')
########################################
##
## Execute the java program in the java domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`java_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_domtrans'($*)) dnl
gen_require(`
type java_t, java_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_domtrans'($*)) dnl
')
########################################
##
## Execute java in the java domain, and
## allow the specified role the java domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`java_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_run'($*)) dnl
gen_require(`
attribute_role java_roles;
')
java_domtrans($1)
roleattribute $2 java_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_run'($*)) dnl
')
########################################
##
## Execute the java program in the
## unconfined java domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`java_domtrans_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_domtrans_unconfined'($*)) dnl
gen_require(`
type unconfined_java_t, java_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, unconfined_java_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_domtrans_unconfined'($*)) dnl
')
########################################
##
## Execute the java program in the
## unconfined java domain and allow the
## specified role the java domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`java_run_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_run_unconfined'($*)) dnl
gen_require(`
attribute_role unconfined_java_roles;
')
java_domtrans_unconfined($1)
roleattribute $2 unconfined_java_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_run_unconfined'($*)) dnl
')
########################################
##
## Execute the java program in
## the callers domain.
##
##
##
## Domain allowed access.
##
##
#
define(`java_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_exec'($*)) dnl
gen_require(`
type java_exec_t;
')
corecmd_search_bin($1)
can_exec($1, java_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_exec'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## generic java home content.
##
##
##
## Domain allowed access.
##
##
#
define(`java_manage_generic_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_manage_generic_home_content'($*)) dnl
gen_require(`
type java_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 java_home_t:dir manage_dir_perms;
allow $1 java_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_manage_generic_home_content'($*)) dnl
')
########################################
##
## Create specified objects in user home
## directories with the generic java
## home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`java_home_filetrans_java_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `java_home_filetrans_java_home'($*)) dnl
gen_require(`
type java_home_t;
')
userdom_user_home_dir_filetrans($1, java_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `java_home_filetrans_java_home'($*)) dnl
')
## Jetty - HTTP server and Servlet container
########################################
##
## Execute jetty_exec_t in the jetty domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`jetty_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_domtrans'($*)) dnl
gen_require(`
type jetty_t, jetty_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, jetty_exec_t, jetty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_domtrans'($*)) dnl
')
######################################
##
## Execute jetty in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_exec'($*)) dnl
gen_require(`
type jetty_exec_t;
')
corecmd_search_bin($1)
can_exec($1, jetty_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_exec'($*)) dnl
')
########################################
##
## Search jetty cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_search_cache'($*)) dnl
gen_require(`
type jetty_cache_t;
')
allow $1 jetty_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_search_cache'($*)) dnl
')
########################################
##
## Read jetty cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_read_cache_files'($*)) dnl
gen_require(`
type jetty_cache_t;
')
files_search_var($1)
read_files_pattern($1, jetty_cache_t, jetty_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## jetty cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_manage_cache_files'($*)) dnl
gen_require(`
type jetty_cache_t;
')
files_search_var($1)
manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_manage_cache_files'($*)) dnl
')
########################################
##
## Manage jetty cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_manage_cache_dirs'($*)) dnl
gen_require(`
type jetty_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_manage_cache_dirs'($*)) dnl
')
########################################
##
## Read jetty's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`jetty_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_read_log'($*)) dnl
gen_require(`
type jetty_log_t;
')
logging_search_logs($1)
read_files_pattern($1, jetty_log_t, jetty_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_read_log'($*)) dnl
')
########################################
##
## Append to jetty log files.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_append_log'($*)) dnl
gen_require(`
type jetty_log_t;
')
logging_search_logs($1)
append_files_pattern($1, jetty_log_t, jetty_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_append_log'($*)) dnl
')
########################################
##
## Manage jetty log files
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_manage_log'($*)) dnl
gen_require(`
type jetty_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
manage_files_pattern($1, jetty_log_t, jetty_log_t)
manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_manage_log'($*)) dnl
')
########################################
##
## Do not audit attempts to read,
## jetty tmp files
##
##
##
## Domain to not audit.
##
##
#
define(`jetty_dontaudit_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_dontaudit_read_tmp_files'($*)) dnl
gen_require(`
type jetty_tmp_t;
')
dontaudit $1 jetty_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_dontaudit_read_tmp_files'($*)) dnl
')
########################################
##
## Read jetty tmp files
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_read_tmp_files'($*)) dnl
gen_require(`
type jetty_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_read_tmp_files'($*)) dnl
')
########################################
##
## Manage jetty tmp files
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_manage_tmp'($*)) dnl
gen_require(`
type jetty_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, jetty_tmp_t, jetty_tmp_t)
manage_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
manage_lnk_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_manage_tmp'($*)) dnl
')
########################################
##
## Search jetty lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_search_lib'($*)) dnl
gen_require(`
type jetty_var_lib_t;
')
allow $1 jetty_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_search_lib'($*)) dnl
')
########################################
##
## Read jetty lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_read_lib_files'($*)) dnl
gen_require(`
type jetty_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_read_lib_files'($*)) dnl
')
########################################
##
## Manage jetty lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_manage_lib_files'($*)) dnl
gen_require(`
type jetty_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_manage_lib_files'($*)) dnl
')
########################################
##
## Manage jetty lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_manage_lib_dirs'($*)) dnl
gen_require(`
type jetty_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read jetty PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`jetty_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_read_pid_files'($*)) dnl
gen_require(`
type jetty_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, jetty_var_run_t, jetty_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_read_pid_files'($*)) dnl
')
########################################
##
## Execute jetty server in the jetty domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`jetty_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_systemctl'($*)) dnl
gen_require(`
type jetty_t;
type jetty_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 jetty_unit_file_t:file read_file_perms;
allow $1 jetty_unit_file_t:service manage_service_perms;
ps_process_pattern($1, jetty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an jetty environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`jetty_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jetty_admin'($*)) dnl
gen_require(`
type jetty_t;
type jetty_cache_t;
type jetty_log_t;
type jetty_tmp_t;
type jetty_var_lib_t;
type jetty_var_run_t;
type jetty_unit_file_t;
')
allow $1 jetty_t:process { signal_perms };
ps_process_pattern($1, jetty_t)
tunable_policy(`deny_ptrace',`',`
allow $1 jetty_t:process ptrace;
')
files_search_var($1)
admin_pattern($1, jetty_cache_t)
logging_search_logs($1)
admin_pattern($1, jetty_log_t)
files_search_tmp($1)
admin_pattern($1, jetty_tmp_t)
files_search_var_lib($1)
admin_pattern($1, jetty_var_lib_t)
files_search_pids($1)
admin_pattern($1, jetty_var_run_t)
jetty_systemctl($1)
admin_pattern($1, jetty_unit_file_t)
allow $1 jetty_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jetty_admin'($*)) dnl
')
## policy for jockey
########################################
##
## Transition to jockey.
##
##
##
## Domain allowed to transition.
##
##
#
define(`jockey_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jockey_domtrans'($*)) dnl
gen_require(`
type jockey_t, jockey_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, jockey_exec_t, jockey_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jockey_domtrans'($*)) dnl
')
########################################
##
## Search jockey cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`jockey_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jockey_search_cache'($*)) dnl
gen_require(`
type jockey_cache_t;
')
allow $1 jockey_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jockey_search_cache'($*)) dnl
')
########################################
##
## Read jockey cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`jockey_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jockey_read_cache_files'($*)) dnl
gen_require(`
type jockey_cache_t;
')
files_search_var($1)
read_files_pattern($1, jockey_cache_t, jockey_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jockey_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## jockey cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`jockey_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jockey_manage_cache_files'($*)) dnl
gen_require(`
type jockey_cache_t;
')
files_search_var($1)
manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jockey_manage_cache_files'($*)) dnl
')
########################################
##
## Manage jockey cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`jockey_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jockey_manage_cache_dirs'($*)) dnl
gen_require(`
type jockey_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jockey_manage_cache_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an jockey environment
##
##
##
## Domain allowed access.
##
##
#
define(`jockey_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `jockey_admin'($*)) dnl
gen_require(`
type jockey_t;
type jockey_cache_t;
type jockey_var_log_t;
')
allow $1 jockey_t:process { ptrace signal_perms };
ps_process_pattern($1, jockey_t)
files_search_var($1)
admin_pattern($1, jockey_cache_t)
logging_search_logs($1)
admin_pattern($1, jockey_var_log_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `jockey_admin'($*)) dnl
')
## policy for journalctl
########################################
##
## Execute TEMPLATE in the journalctl domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`journalctl_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `journalctl_domtrans'($*)) dnl
gen_require(`
type journalctl_t, journalctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, journalctl_exec_t, journalctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `journalctl_domtrans'($*)) dnl
')
######################################
##
## Execute journalctl in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`journalctl_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `journalctl_exec'($*)) dnl
gen_require(`
type journalctl_exec_t;
')
corecmd_search_bin($1)
can_exec($1, journalctl_exec_t)
allow $1 journalctl_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `journalctl_exec'($*)) dnl
')
########################################
##
## Execute journalctl in the journalctl domain, and
## allow the specified role the journalctl domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed the journalctl domain.
##
##
#
define(`journalctl_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `journalctl_run'($*)) dnl
gen_require(`
type journalctl_t;
attribute_role journalctl_roles;
')
journalctl_domtrans($1)
roleattribute $2 journalctl_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `journalctl_run'($*)) dnl
')
########################################
##
## Role access for journalctl
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`journalctl_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `journalctl_role'($*)) dnl
gen_require(`
type journalctl_t;
attribute_role journalctl_roles;
')
roleattribute $1 journalctl_roles;
journalctl_domtrans($2)
ps_process_pattern($2, journalctl_t)
allow $2 journalctl_t:process { signull signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `journalctl_role'($*)) dnl
')
## Kernel crash dumping mechanism
######################################
##
## Execute kdump in the kdump domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kdump_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_domtrans'($*)) dnl
gen_require(`
type kdump_t, kdump_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kdump_exec_t, kdump_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_domtrans'($*)) dnl
')
######################################
##
## Execute kdumpctl in the kdumpctl domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kdumpctl_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdumpctl_domtrans'($*)) dnl
gen_require(`
type kdumpctl_t, kdumpctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdumpctl_domtrans'($*)) dnl
')
#######################################
##
## Execute kdump in the kdump domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kdump_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_initrc_domtrans'($*)) dnl
gen_require(`
type kdump_initrc_exec_t;
')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute kdump server in the kdump domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kdump_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_systemctl'($*)) dnl
gen_require(`
type kdump_unit_file_t;
type kdump_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_search_unit_dirs($1)
allow $1 kdump_unit_file_t:file read_file_perms;
allow $1 kdump_unit_file_t:service all_service_perms;
ps_process_pattern($1, kdump_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_systemctl'($*)) dnl
')
#####################################
##
## Read kdump configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_read_config'($*)) dnl
gen_require(`
type kdump_etc_t;
')
files_search_etc($1)
allow $1 kdump_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_read_config'($*)) dnl
')
#####################################
##
## Read kdump crash files.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_read_crash',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_read_crash'($*)) dnl
gen_require(`
type kdump_crash_t;
')
files_search_var($1)
read_files_pattern($1, kdump_crash_t, kdump_crash_t)
list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_read_crash'($*)) dnl
')
#####################################
##
## Read kdump crash files.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_manage_crash',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_manage_crash'($*)) dnl
gen_require(`
type kdump_crash_t;
')
files_search_var($1)
manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
manage_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_manage_crash'($*)) dnl
')
#####################################
##
## Dontaudit read kdump configuration file.
##
##
##
## Domain to not audit.
##
##
#
define(`kdump_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_dontaudit_read_config'($*)) dnl
gen_require(`
type kdump_etc_t;
')
dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_dontaudit_read_config'($*)) dnl
')
####################################
##
## Manage kdump configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_manage_config'($*)) dnl
gen_require(`
type kdump_etc_t;
')
files_search_etc($1)
allow $1 kdump_etc_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_manage_config'($*)) dnl
')
#####################################
##
## Read and write kdump lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_rw_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_rw_lock'($*)) dnl
gen_require(`
type kdump_lock_t;
')
files_search_locks($1)
rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_rw_lock'($*)) dnl
')
###################################
##
## Read/write inherited kdump /var/tmp named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_rw_inherited_kdumpctl_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_rw_inherited_kdumpctl_tmp_pipes'($*)) dnl
gen_require(`
type kdumpctl_tmp_t;
')
files_search_tmp($1)
allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_rw_inherited_kdumpctl_tmp_pipes'($*)) dnl
')
###################################
##
## Manage kdump /var/tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_manage_kdumpctl_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_manage_kdumpctl_tmp_files'($*)) dnl
gen_require(`
type kdumpctl_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
allow $1 kdumpctl_tmp_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_manage_kdumpctl_tmp_files'($*)) dnl
')
#######################################
##
## Transition content labels to kdump named content
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_filetrans_named_content'($*)) dnl
gen_require(`
type kdump_lock_t;
')
files_lock_filetrans($1, kdump_lock_t, file, "kdump")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_filetrans_named_content'($*)) dnl
')
######################################
##
## All of the rules required to administrate
## an kdump environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the kdump domain.
##
##
##
#
define(`kdump_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_admin'($*)) dnl
gen_require(`
type kdump_t, kdump_etc_t;
type kdump_initrc_exec_t;
type kdump_unit_file_t;
type kdump_crash_t;
')
allow $1 kdump_t:process signal_perms;
ps_process_pattern($1, kdump_t)
tunable_policy(`deny_ptrace',`',`
allow $1 kdump_t:process ptrace;
')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kdump_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
files_search_var($1)
admin_pattern($1, kdump_crash_t)
kdump_systemctl($1)
admin_pattern($1, kdump_unit_file_t)
allow $1 kdump_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_admin'($*)) dnl
')
###################################
##
## Dontaudit Read/write inherited kdump /var/tmp named pipes.
##
##
##
## Domain to not audit
##
##
#
define(`kdump_dontaudit_inherited_kdumpctl_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_dontaudit_inherited_kdumpctl_tmp_pipes'($*)) dnl
gen_require(`
type kdumpctl_tmp_t;
')
dontaudit $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_dontaudit_inherited_kdumpctl_tmp_pipes'($*)) dnl
')
###################################
##
## Manage kdump lib files
##
##
##
## Domain to allow access
##
##
#
define(`kdump_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_manage_lib_files'($*)) dnl
gen_require(`
type kdump_var_lib_t;
')
manage_files_pattern($1, kdump_var_lib_t, kdump_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_manage_lib_files'($*)) dnl
')
#######################################
##
## Send to kdumpctl over a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`kdump_dgram_send_kdumpctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdump_dgram_send_kdumpctl'($*)) dnl
gen_require(`
type kdumpctl_t;
')
allow $1 kdumpctl_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdump_dgram_send_kdumpctl'($*)) dnl
')
## system-config-kdump GUI
########################################
##
## Send and receive messages from
## kdumpgui over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`kdumpgui_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kdumpgui_dbus_chat'($*)) dnl
gen_require(`
type kdumpgui_t;
class dbus send_msg;
')
allow $1 kdumpgui_t:dbus send_msg;
allow kdumpgui_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kdumpgui_dbus_chat'($*)) dnl
')
## keepalived - load-balancing and high-availability service
########################################
##
## Execute keepalived in the keepalived domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`keepalived_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keepalived_domtrans'($*)) dnl
gen_require(`
type keepalived_t, keepalived_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, keepalived_exec_t, keepalived_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keepalived_domtrans'($*)) dnl
')
########################################
##
## Execute keepalived server in the keepalived domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`keepalived_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keepalived_systemctl'($*)) dnl
gen_require(`
type keepalived_t;
type keepalived_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 keepalived_unit_file_t:file read_file_perms;
allow $1 keepalived_unit_file_t:service manage_service_perms;
ps_process_pattern($1, keepalived_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keepalived_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an keepalived environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`keepalived_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keepalived_admin'($*)) dnl
gen_require(`
type keepalived_t;
type keepalived_unit_file_t;
')
allow $1 keepalived_t:process { signal_perms };
ps_process_pattern($1, keepalived_t)
tunable_policy(`deny_ptrace',`',`
allow $1 keepalived_t:process ptrace;
')
keepalived_systemctl($1)
admin_pattern($1, keepalived_unit_file_t)
allow $1 keepalived_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keepalived_admin'($*)) dnl
')
## MIT Kerberos admin and KDC
##
##
## This policy supports:
##
##
## Servers:
##
##
##
## Clients:
##
## - kinit
## - kdestroy
## - klist
## - ksu (incomplete)
##
##
##
########################################
##
## Execute kadmind in the current domain
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_exec_kadmind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_exec_kadmind'($*)) dnl
gen_require(`
type kadmind_exec_t;
')
can_exec($1, kadmind_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_exec_kadmind'($*)) dnl
')
########################################
##
## Execute a domain transition to run kpropd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kerberos_domtrans_kpropd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_domtrans_kpropd'($*)) dnl
gen_require(`
type kpropd_t, kpropd_exec_t;
')
domtrans_pattern($1, kpropd_exec_t, kpropd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_domtrans_kpropd'($*)) dnl
')
########################################
##
## Use kerberos services
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_use'($*)) dnl
gen_require(`
type krb5_conf_t, krb5kdc_conf_t;
type krb5_host_rcache_t;
')
files_search_etc($1)
read_files_pattern($1, krb5_conf_t, krb5_conf_t)
list_dirs_pattern($1, krb5_conf_t, krb5_conf_t)
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
#kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
selinux_dontaudit_validate_context($1)
seutil_read_file_contexts($1)
tunable_policy(`kerberos_enabled',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_kerberos_port($1)
corenet_udp_sendrecv_kerberos_port($1)
corenet_tcp_bind_generic_node($1)
corenet_udp_bind_generic_node($1)
corenet_tcp_connect_kerberos_port($1)
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
allow $1 krb5_host_rcache_t:dir search_dir_perms;
allow $1 krb5_host_rcache_t:file getattr_file_perms;
')
optional_policy(`
tunable_policy(`kerberos_enabled',`
pcscd_stream_connect($1)
')
')
optional_policy(`
sssd_read_public_files($1)
')
# Allow to use kerberos KCM daemon (sssd-kcm)
optional_policy(`
sssd_run_stream_connect($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_use'($*)) dnl
')
########################################
##
## Read the kerberos configuration file (/etc/krb5.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_config'($*)) dnl
gen_require(`
type krb5_conf_t, krb5_home_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file read_file_perms;
allow $1 krb5_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_config'($*)) dnl
')
########################################
##
## Do not audit attempts to write the kerberos
## configuration file (/etc/krb5.conf).
##
##
##
## Domain to not audit.
##
##
#
define(`kerberos_dontaudit_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_dontaudit_write_config'($*)) dnl
gen_require(`
type krb5_conf_t;
')
dontaudit $1 krb5_conf_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_dontaudit_write_config'($*)) dnl
')
########################################
##
## Read and write the kerberos configuration file (/etc/krb5.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_config'($*)) dnl
gen_require(`
type krb5_conf_t;
')
files_search_etc($1)
allow $1 krb5_conf_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_config'($*)) dnl
')
########################################
##
## Read the kerberos key table.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_read_keytab',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_keytab'($*)) dnl
gen_require(`
type krb5_keytab_t;
')
files_search_etc($1)
allow $1 krb5_keytab_t:dir search_dir_perms;
allow $1 krb5_keytab_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_keytab'($*)) dnl
')
########################################
##
## Read/Write the kerberos key table.
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_rw_keytab',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_keytab'($*)) dnl
gen_require(`
type krb5_keytab_t;
')
files_search_etc($1)
allow $1 krb5_keytab_t:dir search_dir_perms;
allow $1 krb5_keytab_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_keytab'($*)) dnl
')
########################################
##
## Create keytab file in /etc
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`kerberos_etc_filetrans_keytab',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_etc_filetrans_keytab'($*)) dnl
gen_require(`
type krb5_keytab_t;
')
allow $1 krb5_keytab_t:dir search_dir_perms;
allow $1 krb5_keytab_t:file manage_file_perms;
files_etc_filetrans($1, krb5_keytab_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_etc_filetrans_keytab'($*)) dnl
')
########################################
##
## Create a derived type for kerberos keytab
##
##
##
## The prefix to be used for deriving type names.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_keytab_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_keytab_template'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
kerberos_read_keytab($2)
kerberos_use($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_keytab_template'($*)) dnl
')
########################################
##
## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_read_kdc_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_kdc_config'($*)) dnl
gen_require(`
type krb5kdc_conf_t;
')
files_search_etc($1)
read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_kdc_config'($*)) dnl
')
########################################
##
## Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_manage_kdc_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_kdc_config'($*)) dnl
gen_require(`
type krb5kdc_conf_t;
')
files_search_etc($1)
manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_kdc_config'($*)) dnl
')
########################################
##
## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_read_host_rcache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_host_rcache'($*)) dnl
gen_require(`
type krb5_host_rcache_t;
')
read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_host_rcache'($*)) dnl
')
########################################
##
## Read/Write the kerberos host rcache files.
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_rw_host_rcache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_host_rcache'($*)) dnl
gen_require(`
type krb5_host_rcache_t;
')
allow $1 krb5_host_rcache_t:dir search_dir_perms;
allow $1 krb5_host_rcache_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_host_rcache'($*)) dnl
')
########################################
##
## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_manage_host_rcache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_host_rcache'($*)) dnl
gen_require(`
type krb5_host_rcache_t;
')
# creates files as system_u no matter what the selinux user
# cjp: should be in the below tunable but typeattribute
# does not work in conditionals
domain_obj_id_change_exemption($1)
tunable_policy(`kerberos_enabled',`
allow $1 self:process setfscreate;
selinux_validate_context($1)
seutil_read_file_contexts($1)
files_rw_generic_tmp_dir($1)
manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_host_rcache'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an kerberos environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the kerberos domain.
##
##
##
#
define(`kerberos_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_admin'($*)) dnl
gen_require(`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
type krb5kdc_var_run_t, krb5_host_rcache_t;
')
allow $1 kadmind_t:process signal_perms;
ps_process_pattern($1, kadmind_t)
tunable_policy(`deny_ptrace',`',`
allow $1 kadmind_t:process ptrace;
allow $1 krb5kdc_t:process ptrace;
allow $1 kpropd_t:process ptrace;
')
allow $1 krb5kdc_t:process signal_perms;
ps_process_pattern($1, krb5kdc_t)
allow $1 kpropd_t:process signal_perms;
ps_process_pattern($1, kpropd_t)
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kerberos_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, kadmind_log_t)
files_list_tmp($1)
admin_pattern($1, kadmind_tmp_t)
files_list_pids($1)
admin_pattern($1, kadmind_var_run_t)
admin_pattern($1, krb5_conf_t)
admin_pattern($1, krb5_host_rcache_t)
admin_pattern($1, krb5_keytab_t)
admin_pattern($1, krb5kdc_principal_t)
admin_pattern($1, krb5kdc_tmp_t)
admin_pattern($1, krb5kdc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_admin'($*)) dnl
')
########################################
##
## Type transition files created in /tmp
## to the krb5_host_rcache type.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`kerberos_tmp_filetrans_host_rcache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_tmp_filetrans_host_rcache'($*)) dnl
gen_require(`
type krb5_host_rcache_t;
')
manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_tmp_filetrans_host_rcache'($*)) dnl
')
########################################
##
## Type transition files created in /tmp
## to the kadmind_tmp type.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`kerberos_tmp_filetrans_kadmin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_tmp_filetrans_kadmin'($*)) dnl
gen_require(`
type kadmind_tmp_t;
')
manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_tmp_filetrans_kadmin'($*)) dnl
')
########################################
##
## read kerberos homedir content (.k5login)
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_home_content'($*)) dnl
gen_require(`
type krb5_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, krb5_home_t, krb5_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_home_content'($*)) dnl
')
########################################
##
## Manage the kerberos kdc /var/lib files
## and directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kerberos_manage_kdc_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_kdc_var_lib'($*)) dnl
gen_require(`
type krb5kdc_var_lib_t;
')
files_search_etc($1)
manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_kdc_var_lib'($*)) dnl
')
########################################
##
## create kerberos content in the in the /root directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_filetrans_admin_home_content'($*)) dnl
gen_require(`
type krb5_home_t;
')
userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5identity")
userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## Transition to kerberos named content
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_filetrans_home_content'($*)) dnl
gen_require(`
type krb5_home_t;
')
userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5identity")
userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_filetrans_home_content'($*)) dnl
')
########################################
##
## Transition to kerberos named content
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_filetrans_named_content'($*)) dnl
gen_require(`
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
type krb5kdc_principal_t;
')
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
kerberos_etc_filetrans_keytab($1, "krb5.keytab")
kerberos_filetrans_admin_home_content($1)
kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
kerberos_tmp_filetrans_host_rcache($1, "host_0")
kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
kerberos_tmp_filetrans_host_rcache($1, "imap_0")
kerberos_tmp_filetrans_host_rcache($1, "krb5_0.rcache2")
kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_filetrans_named_content'($*)) dnl
')
########################################
##
## Write to temporary kadmind files.
##
##
##
## Domain allowed access.
##
##
#
define(`kerberos_write_kadmind_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerberos_write_kadmind_tmp_files'($*)) dnl
gen_require(`
type kadmind_tmp_t;
')
files_search_tmp($1)
allow $1 kadmind_tmp_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerberos_write_kadmind_tmp_files'($*)) dnl
')
## Service for reporting kernel oopses to kerneloops.org.
########################################
##
## Execute a domain transition to run kerneloops.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kerneloops_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_domtrans'($*)) dnl
gen_require(`
type kerneloops_t, kerneloops_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerneloops_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## kerneloops over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`kerneloops_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_dbus_chat'($*)) dnl
gen_require(`
type kerneloops_t;
class dbus send_msg;
')
allow $1 kerneloops_t:dbus send_msg;
allow kerneloops_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerneloops_dbus_chat'($*)) dnl
')
########################################
##
## Do not audit attempts to Send and
## receive messages from kerneloops
## over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`kerneloops_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type kerneloops_t;
class dbus send_msg;
')
dontaudit $1 kerneloops_t:dbus send_msg;
dontaudit kerneloops_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerneloops_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kerneloops temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`kerneloops_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_manage_tmp_files'($*)) dnl
gen_require(`
type kerneloops_tmp_t;
')
files_search_tmp($1)
allow $1 kerneloops_tmp_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerneloops_manage_tmp_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an kerneloops environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`kerneloops_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_admin'($*)) dnl
gen_require(`
type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
allow $1 kerneloops_t:process signal_perms;
ps_process_pattern($1, kerneloops_t)
tunable_policy(`deny_ptrace',`',`
allow $1 kerneloops_t:process ptrace;
')
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
allow $2 system_r;
files_search_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kerneloops_admin'($*)) dnl
')
## policy for system-setup-keyboard daemon
########################################
##
## Execute a domain transition to run keyboard setup daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`keyboardd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keyboardd_domtrans'($*)) dnl
gen_require(`
type keyboardd_t, keyboardd_exec_t;
')
domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keyboardd_domtrans'($*)) dnl
')
######################################
##
## Allow attempts to read to
## keyboardd unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`keyboardd_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keyboardd_read_pipes'($*)) dnl
gen_require(`
type keyboardd_t;
')
allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keyboardd_read_pipes'($*)) dnl
')
## policy for keystone
########################################
##
## Transition to keystone.
##
##
##
## Domain allowed to transition.
##
##
#
define(`keystone_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_domtrans'($*)) dnl
gen_require(`
type keystone_t, keystone_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, keystone_exec_t, keystone_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_domtrans'($*)) dnl
')
########################################
##
## Read keystone's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`keystone_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_read_log'($*)) dnl
gen_require(`
type keystone_log_t;
')
logging_search_logs($1)
read_files_pattern($1, keystone_log_t, keystone_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_read_log'($*)) dnl
')
########################################
##
## Append to keystone log files.
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_append_log'($*)) dnl
gen_require(`
type keystone_log_t;
')
logging_search_logs($1)
append_files_pattern($1, keystone_log_t, keystone_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_append_log'($*)) dnl
')
########################################
##
## Manage keystone log files
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_manage_log'($*)) dnl
gen_require(`
type keystone_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
manage_files_pattern($1, keystone_log_t, keystone_log_t)
manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_manage_log'($*)) dnl
')
########################################
##
## Search keystone lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_search_lib'($*)) dnl
gen_require(`
type keystone_var_lib_t;
')
allow $1 keystone_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_search_lib'($*)) dnl
')
########################################
##
## Read keystone lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_read_lib_files'($*)) dnl
gen_require(`
type keystone_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_read_lib_files'($*)) dnl
')
########################################
##
## Manage keystone lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_manage_lib_files'($*)) dnl
gen_require(`
type keystone_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_manage_lib_files'($*)) dnl
')
########################################
##
## Manage keystone lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_manage_lib_dirs'($*)) dnl
gen_require(`
type keystone_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute keystone server in the keystone domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`keystone_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_systemctl'($*)) dnl
gen_require(`
type keystone_t;
type keystone_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 keystone_unit_file_t:file read_file_perms;
allow $1 keystone_unit_file_t:service manage_service_perms;
ps_process_pattern($1, keystone_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an keystone environment
##
##
##
## Domain allowed access.
##
##
#
define(`keystone_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `keystone_admin'($*)) dnl
gen_require(`
type keystone_t;
type keystone_log_t;
type keystone_var_lib_t;
type keystone_unit_file_t;
')
allow $1 keystone_t:process { ptrace signal_perms };
ps_process_pattern($1, keystone_t)
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
keystone_systemctl($1)
admin_pattern($1, keystone_unit_file_t)
allow $1 keystone_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `keystone_admin'($*)) dnl
')
## IEEE 802.11 wireless LAN sniffer.
########################################
##
## Role access for kismet.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`kismet_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_role'($*)) dnl
gen_require(`
type kismet_exec_t, kismet_home_t, kismet_tmp_t;
type kistmet_tmpfs_t, kismet_t;
')
kismet_run($1, $2)
allow $2 kistmet_t:process { ptrace signal_perms };
ps_process_pattern($2, kismet_t)
allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 kismet_home_t:file { manage_file_perms relabel_file_perms };
userdom_user_home_dir_filetrans($2, kismet_home_t, dir, ".kismet")
allow $2 kismet_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 kismet_tmp_t:file { manage_file_perms relabel_file_perms };
allow $2 kismet_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $2 kismet_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 kismet_tmpfs_t:file { manage_file_perms relabel_file_perms };
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_role'($*)) dnl
')
########################################
##
## Execute a domain transition to run kismet.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kismet_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_domtrans'($*)) dnl
gen_require(`
type kismet_t, kismet_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kismet_exec_t, kismet_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_domtrans'($*)) dnl
')
########################################
##
## Execute kismet in the kismet domain, and
## allow the specified role the kismet domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`kismet_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_run'($*)) dnl
gen_require(`
attribute_role kismet_roles;
')
kismet_domtrans($1)
roleattribute $2 kismet_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_run'($*)) dnl
')
########################################
##
## Read kismet pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_read_pid_files'($*)) dnl
gen_require(`
type kismet_var_run_t;
')
files_search_pids($1)
allow $1 kismet_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kismet pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_pid_files'($*)) dnl
gen_require(`
type kismet_var_run_t;
')
files_search_pids($1)
allow $1 kismet_var_run_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_pid_files'($*)) dnl
')
########################################
##
## Search kismet lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_search_lib'($*)) dnl
gen_require(`
type kismet_var_lib_t;
')
files_search_var_lib($1)
allow $1 kismet_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_search_lib'($*)) dnl
')
########################################
##
## Read kismet lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_read_lib_files'($*)) dnl
gen_require(`
type kismet_var_lib_t;
')
files_search_var_lib($1)
allow $1 kismet_var_lib_t:dir list_dir_perms;
allow $1 kismet_var_lib_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kismet lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_lib_files'($*)) dnl
gen_require(`
type kismet_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kismet lib content.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_lib'($*)) dnl
gen_require(`
type kismet_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_lib'($*)) dnl
')
########################################
##
## Read kismet log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kismet_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_read_log'($*)) dnl
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
read_files_pattern($1, kismet_log_t, kismet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_read_log'($*)) dnl
')
########################################
##
## Append kismet log files.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_append_log'($*)) dnl
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
append_files_pattern($1, kismet_log_t, kismet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kismet log content.
##
##
##
## Domain allowed access.
##
##
#
define(`kismet_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_log'($*)) dnl
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
manage_files_pattern($1, kismet_log_t, kismet_log_t)
manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an kismet environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`kismet_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_admin'($*)) dnl
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kismet_initrc_exec_t system_r;
allow $2 system_r;
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $1 kismet_t:process ptrace;
')
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
files_search_pids($1)
admin_pattern($1, kismet_var_run_t)
logging_search_logs($1)
admin_pattern($1, kismet_log_t)
files_search_tmp($1)
admin_pattern($1, kismet_tmp_t)
kismet_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_admin'($*)) dnl
')
## Terminal emulator for Linux graphical console
########################################
##
## Execute kmscon in the kmscon domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kmscon_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kmscon_systemctl'($*)) dnl
gen_require(`
type kmscon_unit_file_t;
type kmscon_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 kmscon_unit_file_t:file read_file_perms;
allow $1 kmscon_unit_file_t:service manage_service_perms;
ps_process_pattern($1, kmscon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kmscon_systemctl'($*)) dnl
')
## Policy for kpatch
########################################
##
## Transition to kpatch.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kpatch_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_domtrans'($*)) dnl
gen_require(`
type kpatch_t, kpatch_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kpatch_exec_t, kpatch_t)
dontaudit kpatch_t $1:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_domtrans'($*)) dnl
')
########################################
##
## NNP Transition to kpatch.
##
##
##
## Domain allowed to transition.
##
##
#
define(`kpatch_nnp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_nnp_domtrans'($*)) dnl
gen_require(`
type kpatch_t;
')
allow $1 kpatch_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_nnp_domtrans'($*)) dnl
')
########################################
##
## Read kpatch lib files
##
##
##
## Domain allowed access
##
##
#
define(`kpatch_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_read_lib_files'($*)) dnl
gen_require(`
type kpatch_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, kpatch_var_lib_t, kpatch_var_lib_t)
read_files_pattern($1, kpatch_var_lib_t, kpatch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_read_lib_files'($*)) dnl
')
########################################
##
## Execute kpatch in the kpatch domain, and
## allow the specified role the kpatch domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed the kpatch domain.
##
##
#
define(`kpatch_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_run'($*)) dnl
gen_require(`
type kpatch_t;
')
kpatch_domtrans($1)
kpatch_nnp_domtrans($1)
role $2 types kpatch_t;
allow $1 kpatch_t:process signal_perms;
dontaudit kpatch_t $1:dir list_dir_perms;
dontaudit kpatch_t $1:file read_file_perms;
dontaudit kpatch_t $1:unix_stream_socket rw_socket_perms;
allow kpatch_t $1:shm create_shm_perms;
allow kpatch_t $1:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_run'($*)) dnl
')
## Kernel Samepage Merging Tuning Daemon.
########################################
##
## Execute a domain transition to run ksmtuned.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ksmtuned_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_domtrans'($*)) dnl
gen_require(`
type ksmtuned_t, ksmtuned_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_domtrans'($*)) dnl
')
########################################
##
## Execute ksmtuned server in
## the ksmtuned domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ksmtuned_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_initrc_domtrans'($*)) dnl
gen_require(`
type ksmtuned_initrc_exec_t;
')
init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_initrc_domtrans'($*)) dnl
')
#######################################
##
## Execute ksmtuned server in the ksmtunedd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ksmtuned_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_systemctl'($*)) dnl
gen_require(`
type ksmtuned_unit_file_t;
type ksmtuned_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 ksmtuned_unit_file_t:file read_file_perms;
allow $1 ksmtuned_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ksmtuned_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an ksmtuned environment.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ksmtuned_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_admin'($*)) dnl
gen_require(`
type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
type ksmtuned_log_t;
')
allow $1 ksmtuned_t:process signal_perms;
ps_process_pattern($1, ksmtuned_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ksmtuned_t:process ptrace;
')
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
logging_search_logs($1)
admin_pattern($1, ksmtuned_log_t)
ksmtuned_systemctl($1)
admin_pattern($1, ksmtuned_unit_file_t)
allow $1 ksmtuned_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_admin'($*)) dnl
')
## talk-server - daemon programs for the Internet talk
########################################
##
## Execute TEMPLATE in the ktalkd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ktalk_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ktalk_domtrans'($*)) dnl
gen_require(`
type ktalkd_t, ktalkd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ktalk_domtrans'($*)) dnl
')
########################################
##
## Execute ktalkd server in the ktalkd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ktalk_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ktalk_systemctl'($*)) dnl
gen_require(`
type ktalkd_t;
type ktalkd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 ktalkd_unit_file_t:file read_file_perms;
allow $1 ktalkd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ktalkd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ktalk_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ktalkd environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`ktalk_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ktalk_admin'($*)) dnl
gen_require(`
type ktalkd_t;
type ktalkd_unit_file_t;
')
allow $1 ktalkd_t:process { ptrace signal_perms };
ps_process_pattern($1, ktalkd_t)
ktalk_systemctl($1)
admin_pattern($1, ktalkd_unit_file_t)
allow $1 ktalkd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ktalk_admin'($*)) dnl
')
## Layer 2 Tunneling Protocol daemons.
########################################
##
## Transition to l2tpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`l2tpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_domtrans'($*)) dnl
gen_require(`
type l2tpd_t, l2tpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_domtrans'($*)) dnl
')
########################################
##
## Execute l2tpd server in the l2tpd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_initrc_domtrans'($*)) dnl
gen_require(`
type l2tpd_initrc_exec_t;
')
init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_initrc_domtrans'($*)) dnl
')
########################################
##
## Send to l2tpd via a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_dgram_send'($*)) dnl
gen_require(`
type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
')
files_search_tmp($1)
dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_dgram_send'($*)) dnl
')
########################################
##
## Read and write l2tpd sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_rw_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_rw_socket'($*)) dnl
gen_require(`
type l2tpd_t;
')
allow $1 l2tpd_t:socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_rw_socket'($*)) dnl
')
########################################
##
## Read l2tpd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_read_pid_files'($*)) dnl
gen_require(`
type l2tpd_var_run_t;
')
files_search_pids($1)
allow $1 l2tpd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_read_pid_files'($*)) dnl
')
#####################################
##
## Connect to l2tpd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_stream_connect'($*)) dnl
gen_require(`
type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
')
files_search_pids($1)
stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_stream_connect'($*)) dnl
')
########################################
##
## Read and write l2tpd unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_rw_pipes'($*)) dnl
gen_require(`
type l2tpd_t;
')
allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_rw_pipes'($*)) dnl
')
########################################
##
## Allow send a signal to l2tpd.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_signal'($*)) dnl
gen_require(`
type l2tpd_t;
')
allow $1 l2tpd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_signal'($*)) dnl
')
########################################
##
## Allow send signull to l2tpd.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_signull'($*)) dnl
gen_require(`
type l2tpd_t;
')
allow $1 l2tpd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_signull'($*)) dnl
')
########################################
##
## Allow send sigkill to l2tpd.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_sigkill'($*)) dnl
gen_require(`
type l2tpd_t;
')
allow $1 l2tpd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_sigkill'($*)) dnl
')
########################################
##
## Send and receive messages from
## l2tpd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_dbus_chat'($*)) dnl
gen_require(`
type l2tpd_t;
class dbus send_msg;
')
allow $1 l2tpd_t:dbus send_msg;
allow l2tpd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_dbus_chat'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an l2tpd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`l2tpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_admin'($*)) dnl
gen_require(`
type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
type l2tp_conf_t, l2tpd_tmp_t;
')
allow $1 l2tpd_t:process signal_perms;
ps_process_pattern($1, l2tpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 l2tpd_t:process ptrace;
')
l2tpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 l2tpd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, l2tp_conf_t)
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
files_search_tmp($1)
admin_pattern($1, l2tpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_admin'($*)) dnl
')
########################################
##
## Read and write to l2tpd unix
## sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`l2tpd_rw_pppox_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_rw_pppox_sockets'($*)) dnl
gen_require(`
type l2tpd_t;
')
allow $1 l2tpd_t:pppox_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_rw_pppox_sockets'($*)) dnl
')
## OpenLDAP directory server
#######################################
##
## Execute OpenLDAP in the ldap domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_domtrans'($*)) dnl
gen_require(`
type slapd_t, slapd_exec_t;
')
domtrans_pattern($1, slapd_exec_t, slapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_domtrans'($*)) dnl
')
#######################################
##
## Execute OpenLDAP server in the ldap domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_initrc_domtrans'($*)) dnl
gen_require(`
type slapd_initrc_exec_t;
')
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute slapd server in the slapd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ldap_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_systemctl'($*)) dnl
gen_require(`
type slapd_unit_file_t;
type slapd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 slapd_unit_file_t:file read_file_perms;
allow $1 slapd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, slapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_systemctl'($*)) dnl
')
########################################
##
## Read the contents of the OpenLDAP
## database directories.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_list_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_list_db'($*)) dnl
gen_require(`
type slapd_db_t;
')
allow $1 slapd_db_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_list_db'($*)) dnl
')
########################################
##
## Read the contents of the OpenLDAP
## database files.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_read_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_db_files'($*)) dnl
gen_require(`
type slapd_db_t;
')
read_files_pattern($1, slapd_db_t, slapd_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_db_files'($*)) dnl
')
########################################
##
## Read the OpenLDAP configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ldap_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_config'($*)) dnl
gen_require(`
type slapd_etc_t;
')
files_search_etc($1)
allow $1 slapd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_config'($*)) dnl
')
########################################
##
## Read the OpenLDAP cert files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ldap_read_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_certs'($*)) dnl
gen_require(`
type slapd_cert_t;
')
files_search_etc($1)
allow $1 slapd_cert_t:dir list_dir_perms;
read_files_pattern($1, slapd_cert_t, slapd_cert_t)
read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_certs'($*)) dnl
')
########################################
##
## Use LDAP over TCP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_use'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_use'($*)) dnl
')
########################################
##
## Connect to slapd over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_stream_connect'($*)) dnl
gen_require(`
type slapd_t, slapd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ldap environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the ldap domain.
##
##
##
#
define(`ldap_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_admin'($*)) dnl
gen_require(`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
type slapd_db_t, slapd_keytab_t;
type slapd_unit_file_t;
')
allow $1 slapd_t:process signal_perms;
ps_process_pattern($1, slapd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 slapd_t:process ptrace;
')
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 slapd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
admin_pattern($1, slapd_lock_t)
files_list_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
admin_pattern($1, slapd_tmp_t)
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
ldap_systemctl($1)
admin_pattern($1, slapd_unit_file_t)
allow $1 slapd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_admin'($*)) dnl
')
####################################
##
## Read slapd tmpfs files
##
##
##
## Domain allowed access.
##
##
#
define(`ldap_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_tmpfs_files'($*)) dnl
gen_require(`
type slapd_tmpfs_t;
')
read_files_pattern($1, slapd_tmpfs_t, slapd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_tmpfs_files'($*)) dnl
')
## Log analyzer for squid proxy.
########################################
##
## Execute the lightsquid program in
## the lightsquid domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lightsquid_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lightsquid_domtrans'($*)) dnl
gen_require(`
type lightsquid_t, lightsquid_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lightsquid_exec_t, lightsquid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lightsquid_domtrans'($*)) dnl
')
########################################
##
## Execute lightsquid in the
## lightsquid domain, and allow the
## specified role the lightsquid domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`lightsquid_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lightsquid_run'($*)) dnl
gen_require(`
attribute_role lightsquid_roles;
')
lightsquid_domtrans($1)
roleattribute $2 lightsquid_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lightsquid_run'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an lightsquid environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`lightsquid_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lightsquid_admin'($*)) dnl
gen_require(`
type lightsquid_t, lightsquid_rw_content_t;
')
allow $1 lightsquid_t:process { ptrace signal_perms };
ps_process_pattern($1, lightsquid_t)
lightsquid_run($1, $2)
files_search_var_lib($1)
admin_pattern($1, lightsquid_rw_content_t)
optional_policy(`
apache_list_sys_content($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lightsquid_admin'($*)) dnl
')
## Likewise Active Directory support for UNIX.
##
##
## Likewise Open is a free, open source application that joins Linux, Unix,
## and Mac machines to Microsoft Active Directory to securely authenticate
## users with their domain credentials.
##
##
#######################################
##
## The template to define a likewise domain.
##
##
##
## This template creates a domain to be used for
## a new likewise daemon.
##
##
##
##
## The type of daemon to be used.
##
##
#
define(`likewise_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `likewise_domain_template'($*)) dnl
gen_require(`
attribute likewise_domains;
type likewise_var_lib_t;
')
########################################
#
# Declarations
#
type $1_t;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
domain_use_interactive_fds($1_t)
typeattribute $1_t likewise_domains;
type $1_var_run_t;
files_pid_file($1_var_run_t)
type $1_var_socket_t;
files_type($1_var_socket_t)
type $1_var_lib_t;
files_type($1_var_lib_t)
####################################
#
# Local Policy
#
allow $1_t self:process { signal_perms getsched setsched };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
kernel_read_system_state($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `likewise_domain_template'($*)) dnl
')
########################################
##
## Connect to lsassd.
##
##
##
## Domain allowed access.
##
##
#
define(`likewise_stream_connect_lsassd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `likewise_stream_connect_lsassd'($*)) dnl
gen_require(`
type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
')
files_search_pids($1)
stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `likewise_stream_connect_lsassd'($*)) dnl
')
## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.
########################################
##
## Execute domain in the phc2sys domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`linuxptp_domtrans_phc2sys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `linuxptp_domtrans_phc2sys'($*)) dnl
gen_require(`
type phc2sys_t, phc2sys_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `linuxptp_domtrans_phc2sys'($*)) dnl
')
########################################
##
## Execute domain in the phc2sys domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`linuxptp_domtrans_ptp4l',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `linuxptp_domtrans_ptp4l'($*)) dnl
gen_require(`
type ptp4l_t, ptp4l_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `linuxptp_domtrans_ptp4l'($*)) dnl
')
######################################
##
## Connect to timemaster using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`timemaster_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timemaster_stream_connect'($*)) dnl
gen_require(`
type timemaster_t, timemaster_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timemaster_stream_connect'($*)) dnl
')
########################################
##
## Read timemaster conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`timemaster_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timemaster_read_pid_files'($*)) dnl
gen_require(`
type timemaster_var_run_t;
')
read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timemaster_read_pid_files'($*)) dnl
')
########################################
##
## Read and write timemaster shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`timemaster_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timemaster_rw_shm'($*)) dnl
gen_require(`
type timemaster_t, timemaster_tmpfs_t;
')
allow $1 timemaster_t:shm rw_shm_perms;
list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timemaster_rw_shm'($*)) dnl
')
########################################
##
## Read and write ptp4l_t shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`ptp4l_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptp4l_rw_shm'($*)) dnl
gen_require(`
type ptp4l_t, timemaster_tmpfs_t;
')
allow $1 ptp4l_t:shm rw_shm_perms;
list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptp4l_rw_shm'($*)) dnl
')
########################################
##
## Read and write phc2sys_t shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`phc2sys_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `phc2sys_rw_shm'($*)) dnl
gen_require(`
type phc2sys_t, timemaster_tmpfs_t;
')
allow $1 phc2sys_t:shm rw_shm_perms;
list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `phc2sys_rw_shm'($*)) dnl
')
## Linux infared remote control daemon.
########################################
##
## Execute a domain transition to run lircd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lircd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_domtrans'($*)) dnl
gen_require(`
type lircd_t, lircd_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1, lircd_exec_t, lircd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_domtrans'($*)) dnl
')
######################################
##
## Connect to lircd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`lircd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_stream_connect'($*)) dnl
gen_require(`
type lircd_var_run_t, lircd_t;
')
files_search_pids($1)
stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_stream_connect'($*)) dnl
')
#######################################
##
## Read lircd etc files.
##
##
##
## Domain allowed access.
##
##
#
define(`lircd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_read_config'($*)) dnl
gen_require(`
type lircd_etc_t;
')
files_search_etc($1)
read_files_pattern($1, lircd_etc_t, lircd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_read_config'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate a lircd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`lircd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_admin'($*)) dnl
gen_require(`
type lircd_t, lircd_var_run_t;
type lircd_initrc_exec_t, lircd_etc_t;
')
allow $1 lircd_t:process signal_perms;
ps_process_pattern($1, lircd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 lircd_t:process ptrace;
')
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 lircd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, lircd_etc_t)
files_search_pids($1)
admin_pattern($1, lircd_var_run_t)
dev_list_all_dev_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_admin'($*)) dnl
')
## Tool for building alternate livecd for different os and policy versions.
########################################
##
## Execute a domain transition to run livecd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`livecd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_domtrans'($*)) dnl
gen_require(`
type livecd_t, livecd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, livecd_exec_t, livecd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_domtrans'($*)) dnl
')
########################################
##
## Execute livecd in the livecd
## domain, and allow the specified
## role the livecd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`livecd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_run'($*)) dnl
gen_require(`
type livecd_t;
type livecd_exec_t;
attribute_role livecd_roles;
')
livecd_domtrans($1)
roleattribute $2 livecd_roles;
role_transition $2 livecd_exec_t system_r;
optional_policy(`
rpm_transition_script(livecd_t, $2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_run'($*)) dnl
')
########################################
##
## Dontaudit read/write to a livecd leaks
##
##
##
## Domain to not audit.
##
##
#
define(`livecd_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_dontaudit_leaks'($*)) dnl
gen_require(`
type livecd_t;
')
dontaudit $1 livecd_t:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_dontaudit_leaks'($*)) dnl
')
########################################
##
## Read livecd temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`livecd_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_read_tmp_files'($*)) dnl
gen_require(`
type livecd_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_read_tmp_files'($*)) dnl
')
########################################
##
## Read and write livecd temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`livecd_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_rw_tmp_files'($*)) dnl
gen_require(`
type livecd_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_rw_tmp_files'($*)) dnl
')
########################################
##
## Read and write livecd semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`livecd_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_rw_semaphores'($*)) dnl
gen_require(`
type livecd_t;
')
allow $1 livecd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_rw_semaphores'($*)) dnl
')
## Intel LLDP Agent.
#######################################
##
## Transition to lldpad.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lldpad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_domtrans'($*)) dnl
gen_require(`
type lldpad_t, lldpad_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lldpad_exec_t, lldpad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_domtrans'($*)) dnl
')
#######################################
##
## Send to lldpad with a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`lldpad_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_dgram_send'($*)) dnl
gen_require(`
type lldpad_t, lldpad_var_run_t;
')
files_search_pids($1)
dgram_send_pattern($1, lldpad_var_run_t, lldpad_var_run_t, lldpad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_dgram_send'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an lldpad environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`lldpad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_admin'($*)) dnl
gen_require(`
type lldpad_t, lldpad_initrc_exec_t, lldpad_var_lib_t;
type lldpad_var_run_t;
')
allow $1 lldpad_t:process { signal_perms };
ps_process_pattern($1, lldpad_t)
tunable_policy(`deny_ptrace',`',`
allow $1 lldpad_t:process ptrace;
')
init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, lldpad_var_lib_t)
files_search_pids($1)
admin_pattern($1, lldpad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_admin'($*)) dnl
')
########################################
##
## Allow relabel lldpad_tmpfs_t
##
##
##
## Domain allowed access.
##
##
#
define(`lldpad_relabel_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_relabel_tmpfs'($*)) dnl
gen_require(`
type lldpad_tmpfs_t;
')
allow $1 lldpad_tmpfs_t:file relabelfrom;
allow $1 lldpad_tmpfs_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_relabel_tmpfs'($*)) dnl
')
## Load keyboard mappings.
########################################
##
## Execute the loadkeys program in
## the loadkeys domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`loadkeys_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_domtrans'($*)) dnl
gen_require(`
type loadkeys_t, loadkeys_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_domtrans'($*)) dnl
')
########################################
##
## Execute the loadkeys program in
## the loadkeys domain, and allow the
## specified role the loadkeys domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`loadkeys_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_run'($*)) dnl
gen_require(`
attribute_role loadkeys_roles;
')
loadkeys_domtrans($1)
roleattribute $2 loadkeys_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_run'($*)) dnl
')
########################################
##
## Execute the loadkeys in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`loadkeys_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_exec'($*)) dnl
gen_require(`
type loadkeys_exec_t;
')
corecmd_search_bin($1)
can_exec($1, loadkeys_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_exec'($*)) dnl
')
## Library for locking devices.
#######################################
##
## Create, read, write, and delete
## lockdev lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`lockdev_manage_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lockdev_manage_files'($*)) dnl
gen_require(`
type lockdev_lock_t;
')
files_search_var_lib($1)
manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lockdev_manage_files'($*)) dnl
')
########################################
##
## Role access for lockdev.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`lockdev_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lockdev_role'($*)) dnl
gen_require(`
attribute_role lockdev_roles;
type lockdev_t, lockdev_exec_t;
')
########################################
#
# Declarations
#
roleattribute $1 lockdev_roles;
########################################
#
# Policy
#
domtrans_pattern($2, lockdev_exec_t, lockdev_t)
allow $2 lockdev_t:process { ptrace signal_perms };
ps_process_pattern($2, lockdev_t)
allow lockdev_t $2:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lockdev_role'($*)) dnl
')
## Rotate and archive system logs
########################################
##
## Execute logrotate in the logrotate domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logrotate_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_domtrans'($*)) dnl
gen_require(`
type logrotate_t, logrotate_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, logrotate_exec_t, logrotate_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_domtrans'($*)) dnl
')
########################################
##
## Execute logrotate in the logrotate domain, and
## allow the specified role the logrotate domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`logrotate_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_run'($*)) dnl
gen_require(`
type logrotate_t;
')
logrotate_domtrans($1)
role $2 types logrotate_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_run'($*)) dnl
')
########################################
##
## Execute logrotate in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`logrotate_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_exec'($*)) dnl
gen_require(`
type logrotate_exec_t;
')
corecmd_search_bin($1)
can_exec($1, logrotate_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_exec'($*)) dnl
')
########################################
##
## Inherit and use logrotate file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`logrotate_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_use_fds'($*)) dnl
gen_require(`
type logrotate_t;
')
allow $1 logrotate_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit logrotate file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`logrotate_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_dontaudit_use_fds'($*)) dnl
gen_require(`
type logrotate_t;
')
dontaudit $1 logrotate_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Read a logrotate temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`logrotate_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_read_tmp_files'($*)) dnl
gen_require(`
type logrotate_tmp_t;
')
files_search_tmp($1)
allow $1 logrotate_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_read_tmp_files'($*)) dnl
')
## System log analyzer and reporter.
########################################
##
## Read logwatch temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`logwatch_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_read_tmp_files'($*)) dnl
gen_require(`
type logwatch_tmp_t;
')
files_search_tmp($1)
allow $1 logwatch_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_read_tmp_files'($*)) dnl
')
########################################
##
## Search logwatch cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`logwatch_search_cache_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_search_cache_dir'($*)) dnl
gen_require(`
type logwatch_cache_t;
')
files_search_var($1)
allow $1 logwatch_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_search_cache_dir'($*)) dnl
')
#######################################
##
## Dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`logwatch_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_dontaudit_leaks'($*)) dnl
gen_require(`
type logwatch_t;
')
dontaudit $1 logwatch_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_dontaudit_leaks'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## svirt cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`logwatch_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_manage_cache'($*)) dnl
gen_require(`
type logwatch_cache_t;
')
files_search_var($1)
manage_files_pattern($1, logwatch_cache_t, logwatch_cache_t)
manage_dirs_pattern($1, logwatch_cache_t, logwatch_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_manage_cache'($*)) dnl
')
## Line printer daemon
########################################
##
## Role access for lpd
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
##
#
define(`lpd_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_role'($*)) dnl
gen_require(`
attribute_role lpr_roles;
type lpr_t, lpr_exec_t, print_spool_t;
')
########################################
#
# Declarations
#
roleattribute $1 lpr_roles;
########################################
#
# Policy
#
# Transition from the user domain to the derived domain.
domtrans_pattern($2, lpr_exec_t, lpr_t)
dontaudit lpr_t $2:unix_stream_socket { read write };
ps_process_pattern($2, lpr_t)
allow $2 lpr_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 lpr_t:process ptrace;
')
optional_policy(`
cups_read_config($2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_role'($*)) dnl
')
########################################
##
## Execute lpd in the lpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lpd_domtrans_checkpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_domtrans_checkpc'($*)) dnl
gen_require(`
type checkpc_t, checkpc_exec_t;
')
domtrans_pattern($1, checkpc_exec_t, checkpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_domtrans_checkpc'($*)) dnl
')
########################################
##
## Execute amrecover in the lpd domain, and
## allow the specified role the lpd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`lpd_run_checkpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_run_checkpc'($*)) dnl
gen_require(`
type checkpc_t;
')
lpd_domtrans_checkpc($1)
role $2 types checkpc_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_run_checkpc'($*)) dnl
')
########################################
##
## List the contents of the printer spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_list_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_list_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
files_search_spool($1)
allow $1 print_spool_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_list_spool'($*)) dnl
')
########################################
##
## Read the printer spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_read_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
files_search_spool($1)
read_files_pattern($1, print_spool_t, print_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_read_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete printer spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_manage_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, print_spool_t, print_spool_t)
manage_files_pattern($1, print_spool_t, print_spool_t)
manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_manage_spool'($*)) dnl
')
########################################
##
## Relabel from and to the spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_relabel_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_relabel_spool'($*)) dnl
gen_require(`
type print_spool_t;
')
files_search_spool($1)
allow $1 print_spool_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_relabel_spool'($*)) dnl
')
########################################
##
## List the contents of the printer spool directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lpd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_read_config'($*)) dnl
gen_require(`
type printconf_t;
')
allow $1 printconf_t:dir list_dir_perms;
read_files_pattern($1, printconf_t, printconf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_read_config'($*)) dnl
')
########################################
##
## Transition to a user lpr domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lpd_domtrans_lpr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_domtrans_lpr'($*)) dnl
gen_require(`
type lpr_t, lpr_exec_t;
')
domtrans_pattern($1, lpr_exec_t, lpr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_domtrans_lpr'($*)) dnl
')
########################################
##
## Execute lpr in the lpr domain, and
## allow the specified role the lpr domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`lpd_run_lpr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_run_lpr'($*)) dnl
gen_require(`
attribute_role lpr_roles;
')
lpd_domtrans_lpr($1)
roleattribute $2 lpr_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_run_lpr'($*)) dnl
')
########################################
##
## Allow the specified domain to execute lpr
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`lpd_exec_lpr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_exec_lpr'($*)) dnl
gen_require(`
type lpr_exec_t;
')
can_exec($1, lpr_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_exec_lpr'($*)) dnl
')
## libStorageMgmt plug-in daemon
########################################
##
## Execute TEMPLATE in the lsmd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lsmd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_domtrans'($*)) dnl
gen_require(`
type lsmd_t, lsmd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lsmd_exec_t, lsmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_domtrans'($*)) dnl
')
########################################
##
## Read lsmd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`lsmd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_read_pid_files'($*)) dnl
gen_require(`
type lsmd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_read_pid_files'($*)) dnl
')
########################################
##
## Execute lsmd server in the lsmd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lsmd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_systemctl'($*)) dnl
gen_require(`
type lsmd_t;
type lsmd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 lsmd_unit_file_t:file read_file_perms;
allow $1 lsmd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, lsmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an lsmd environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`lsmd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_admin'($*)) dnl
gen_require(`
type lsmd_t;
type lsmd_var_run_t;
type lsmd_unit_file_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
ps_process_pattern($1, lsmd_t)
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
lsmd_systemctl($1)
admin_pattern($1, lsmd_unit_file_t)
allow $1 lsmd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_admin'($*)) dnl
')
## LTTng 2.x central tracing registry session daemon.
########################################
##
## Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lttng_sessiond_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_domtrans'($*)) dnl
gen_require(`
type lttng_sessiond_t, lttng_sessiond_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_domtrans'($*)) dnl
')
######################################
##
## Execute lttng_sessiond in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`lttng_sessiond_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_exec'($*)) dnl
gen_require(`
type lttng_sessiond_exec_t;
')
corecmd_search_bin($1)
can_exec($1, lttng_sessiond_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_exec'($*)) dnl
')
########################################
##
## Execute lttng_sessiond server in the lttng_sessiond domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lttng_sessiond_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_systemctl'($*)) dnl
gen_require(`
type lttng_sessiond_t;
type lttng_sessiond_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
ps_process_pattern($1, lttng_sessiond_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an lttng_sessiond environment
##
##
##
## Domain allowed access.
##
##
#
define(`lttng_sessiond_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_admin'($*)) dnl
gen_require(`
type lttng_sessiond_t;
type lttng_sessiond_unit_file_t;
')
allow $1 lttng_sessiond_t:process { signal_perms };
ps_process_pattern($1, lttng_sessiond_t)
tunable_policy(`deny_ptrace',`',`
allow $1 lttng_sessiond_t:process ptrace;
')
lttng_sessiond_systemctl($1)
admin_pattern($1, lttng_sessiond_unit_file_t)
allow $1 lttng_sessiond_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_admin'($*)) dnl
')
########################################
##
## Read and write lttng-tools shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`lttng_read_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_read_shm'($*)) dnl
gen_require(`
type lttng_sessiond_tmpfs_t;
')
read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_read_shm'($*)) dnl
')
## Mailman is for managing electronic mail discussion and e-newsletter lists
#######################################
##
## The template to define a mailmain domain.
##
##
##
## This template creates a domain to be used for
## a new mailman daemon.
##
##
##
##
## The type of daemon to be used eg, cgi would give mailman_cgi_
##
##
#
define(`mailman_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domain_template'($*)) dnl
########################################
#
# Declarations
#
gen_require(`
attribute mailman_domain;
')
type mailman_$1_t, mailman_domain;
domain_type(mailman_$1_t)
type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
role system_r types mailman_$1_t;
type mailman_$1_tmp_t;
files_tmp_file(mailman_$1_tmp_t)
####################################
#
# Policy
#
manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
kernel_read_system_state(mailman_$1_t)
corenet_all_recvfrom_unlabeled(mailman_$1_t)
corenet_all_recvfrom_netlabel(mailman_$1_t)
corenet_tcp_sendrecv_generic_if(mailman_$1_t)
corenet_udp_sendrecv_generic_if(mailman_$1_t)
corenet_raw_sendrecv_generic_if(mailman_$1_t)
corenet_tcp_sendrecv_generic_node(mailman_$1_t)
corenet_udp_sendrecv_generic_node(mailman_$1_t)
corenet_raw_sendrecv_generic_node(mailman_$1_t)
corenet_tcp_sendrecv_all_ports(mailman_$1_t)
corenet_udp_sendrecv_all_ports(mailman_$1_t)
corenet_tcp_bind_generic_node(mailman_$1_t)
corenet_udp_bind_generic_node(mailman_$1_t)
corenet_tcp_connect_smtp_port(mailman_$1_t)
corenet_sendrecv_smtp_client_packets(mailman_$1_t)
auth_use_nsswitch(mailman_$1_t)
logging_send_syslog_msg(mailman_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domain_template'($*)) dnl
')
#######################################
##
## Execute mailman in the mailman domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mailman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans'($*)) dnl
gen_require(`
type mailman_mail_exec_t, mailman_mail_t;
')
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans'($*)) dnl
')
########################################
##
## Execute the mailman program in the mailman domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the mailman domain.
##
##
##
#
define(`mailman_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_run'($*)) dnl
gen_require(`
type mailman_mail_t;
')
mailman_domtrans($1)
role $2 types mailman_mail_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_run'($*)) dnl
')
#######################################
##
## Execute mailman CGI scripts in the
## mailman CGI domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mailman_domtrans_cgi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans_cgi'($*)) dnl
gen_require(`
type mailman_cgi_exec_t, mailman_cgi_t;
')
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans_cgi'($*)) dnl
')
#######################################
##
## Execute mailman in the caller domain.
##
##
##
## Domain allowd access.
##
##
#
define(`mailman_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_exec'($*)) dnl
gen_require(`
type mailman_mail_exec_t;
')
can_exec($1, mailman_mail_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_exec'($*)) dnl
')
#######################################
##
## Send generic signals to the mailman cgi domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_signal_cgi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_signal_cgi'($*)) dnl
gen_require(`
type mailman_cgi_t;
')
allow $1 mailman_cgi_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_signal_cgi'($*)) dnl
')
########################################
##
## Send null signals to the mailman cgi domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_signull_cgi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_signull_cgi'($*)) dnl
gen_require(`
type mailman_cgi_t;
')
allow $1 mailman_cgi_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_signull_cgi'($*)) dnl
')
#######################################
##
## Allow domain to search data directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_search_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_search_data'($*)) dnl
gen_require(`
type mailman_data_t;
')
allow $1 mailman_data_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_search_data'($*)) dnl
')
#######################################
##
## Allow domain to to read mailman data files.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_data_files'($*)) dnl
gen_require(`
type mailman_data_t;
')
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_data_files'($*)) dnl
')
#######################################
##
## Allow domain to to create mailman data files
## and write the directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_manage_data_files'($*)) dnl
gen_require(`
type mailman_data_t;
')
manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
manage_files_pattern($1, mailman_data_t, mailman_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_manage_data_files'($*)) dnl
')
#######################################
##
## List the contents of mailman data directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_list_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_list_data'($*)) dnl
gen_require(`
type mailman_data_t;
')
allow $1 mailman_data_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_list_data'($*)) dnl
')
#######################################
##
## Allow read acces to mailman data symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_data_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_data_symlinks'($*)) dnl
gen_require(`
type mailman_data_t;
')
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_data_symlinks'($*)) dnl
')
#######################################
##
## Read mailman logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_log'($*)) dnl
gen_require(`
type mailman_log_t;
')
read_files_pattern($1, mailman_log_t, mailman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_log'($*)) dnl
')
#######################################
##
## Append to mailman logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_append_log'($*)) dnl
gen_require(`
type mailman_log_t;
')
append_files_pattern($1, mailman_log_t, mailman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_append_log'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## mailman logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_manage_log'($*)) dnl
gen_require(`
type mailman_log_t;
')
manage_files_pattern($1, mailman_log_t, mailman_log_t)
manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_manage_log'($*)) dnl
')
#######################################
##
## Allow domain to read mailman archive files.
##
##
##
## Domain allowed access.
##
##
#
define(`mailman_read_archive',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_archive'($*)) dnl
gen_require(`
type mailman_archive_t;
')
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_archive'($*)) dnl
')
#######################################
##
## Execute mailman_queue in the mailman_queue domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mailman_domtrans_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans_queue'($*)) dnl
gen_require(`
type mailman_queue_exec_t, mailman_queue_t;
')
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans_queue'($*)) dnl
')
## E-mail security and anti-spam package for e-mail gateway systems.
########################################
##
## Execute a domain transition to run
## MailScanner.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mailscanner_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailscanner_initrc_domtrans'($*)) dnl
gen_require(`
type mscan_initrc_exec_t;
')
init_labeled_script_domtrans($1, mscan_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailscanner_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an mailscanner environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mailscanner_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailscanner_admin'($*)) dnl
gen_require(`
type mscan_t, mscan_var_run_t, mscan_etc_t;
type mscan_initrc_exec_t;
')
mailscanner_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mscan_initrc_exec_t system_r;
allow $2 system_r;
allow $1 mscan_t:process signal_perms;
ps_process_pattern($1, mscan_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mscan_t:process ptrace;
')
admin_pattern($1, mscan_etc_t)
files_list_etc($1)
admin_pattern($1, mscan_var_run_t)
files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailscanner_admin'($*)) dnl
')
## A Unix manpage-to-HTML converter.
########################################
##
## Transition to man2html_script.
##
##
##
## Domain allowed to transition.
##
##
#
define(`man2html_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_script_domtrans'($*)) dnl
gen_require(`
type man2html_script_t, man2html_script_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_script_domtrans'($*)) dnl
')
########################################
##
## Search man2html_script content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`man2html_search_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_search_content'($*)) dnl
gen_require(`
type man2html_content_t;
type man2html_rw_content_t;
')
allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_search_content'($*)) dnl
')
########################################
##
## Read man2html cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`man2html_read_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_read_content_files'($*)) dnl
gen_require(`
type man2html_content_t;
type man2html_rw_content_t;
')
files_search_var($1)
allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
read_files_pattern($1, man2html_content_t, man2html_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_read_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## man2html content files.
##
##
##
## Domain allowed access.
##
##
#
define(`man2html_manage_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_manage_content_files'($*)) dnl
gen_require(`
type man2html_content_t;
type man2html_rw_content_t;
')
files_search_var($1)
manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
manage_files_pattern($1, man2html_content_t, man2html_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_manage_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## man2html content dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`man2html_manage_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_manage_content_dirs'($*)) dnl
gen_require(`
type man2html_content_t;
type man2html_rw_content_t;
')
files_search_var($1)
manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_manage_content_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an man2html environment
##
##
##
## Domain allowed access.
##
##
#
define(`man2html_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_admin'($*)) dnl
gen_require(`
type man2html_script_t;
type man2html_rw_content_t;
type man2html_content_t;
')
allow $1 man2html_script_t:process { ptrace signal_perms };
ps_process_pattern($1, man2html_script_t)
files_search_var($1)
admin_pattern($1, man2html_content_t)
admin_pattern($1, man2html_rw_content_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_admin'($*)) dnl
')
## policy for mandb
########################################
##
## Transition to mandb.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mandb_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_domtrans'($*)) dnl
gen_require(`
type mandb_t, mandb_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mandb_exec_t, mandb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_domtrans'($*)) dnl
')
########################################
##
## Search mandb cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_search_cache'($*)) dnl
gen_require(`
type mandb_cache_t;
')
allow $1 mandb_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_search_cache'($*)) dnl
')
########################################
##
## Read mandb cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_read_cache_files'($*)) dnl
gen_require(`
type mandb_cache_t;
')
files_search_var($1)
read_files_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_read_cache_files'($*)) dnl
')
########################################
##
## Mmap mandb cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_map_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_map_cache_files'($*)) dnl
gen_require(`
type mandb_cache_t;
')
allow $1 mandb_cache_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_map_cache_files'($*)) dnl
')
########################################
##
## Relabel mandb cache files/directories
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_relabel_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_relabel_cache'($*)) dnl
gen_require(`
type mandb_cache_t;
')
allow $1 mandb_cache_t:dir relabel_dir_perms;
allow $1 mandb_cache_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_relabel_cache'($*)) dnl
')
########################################
##
## Set attributes on mandb cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_setattr_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_setattr_cache_dirs'($*)) dnl
gen_require(`
type mandb_cache_t;
')
files_search_var($1)
allow $1 mandb_cache_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_setattr_cache_dirs'($*)) dnl
')
########################################
##
## Delete mandb cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_delete_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_delete_cache'($*)) dnl
gen_require(`
type mandb_cache_t;
')
files_search_var($1)
allow $1 mandb_cache_t:dir list_dir_perms;
delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_delete_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mandb cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_manage_cache_files'($*)) dnl
gen_require(`
type mandb_cache_t;
')
files_search_var($1)
manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_manage_cache_files'($*)) dnl
')
########################################
##
## Manage mandb cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_manage_cache_dirs'($*)) dnl
gen_require(`
type mandb_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_manage_cache_dirs'($*)) dnl
')
########################################
##
## Create configuration files in user
## home directories with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_filetrans_named_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_filetrans_named_home_content'($*)) dnl
gen_require(`
type mandb_home_t;
')
userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_filetrans_named_home_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an mandb environment
##
##
##
## Domain allowed access.
##
##
#
define(`mandb_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_admin'($*)) dnl
gen_require(`
type mandb_t;
type mandb_cache_t, mandb_lock_t;
')
allow $1 mandb_t:process { ptrace signal_perms };
ps_process_pattern($1, mandb_t)
files_search_var($1)
admin_pattern($1, mandb_cache_t)
files_search_locks($1)
admin_pattern($1, mandb_lock_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_admin'($*)) dnl
')
## Linux hardware error daemon.
########################################
##
## Execute a domain transition to run mcelog.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mcelog_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcelog_domtrans'($*)) dnl
gen_require(`
type mcelog_t, mcelog_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcelog_domtrans'($*)) dnl
')
######################################
##
## Read mcelog logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mcelog_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcelog_read_log'($*)) dnl
gen_require(`
type mcelog_log_t;
')
logging_search_logs($1)
read_files_pattern($1, mcelog_log_t, mcelog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcelog_read_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an mcelog environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mcelog_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcelog_admin'($*)) dnl
gen_require(`
type mcelog_t, mcelog_initrc_exec_t, mcelog_log_t;
type mcelog_var_run_t, mcelog_etc_t;
')
allow $1 mcelog_t:process { ptrace signal_perms };
ps_process_pattern($1, mcelog_t)
init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 mcelog_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mcelog_etc_t)
logging_search_logs($1)
admin_pattern($1, mcelog_log_t)
files_search_pids($1)
admin_pattern($1, mcelog_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcelog_admin'($*)) dnl
')
## Mediawiki policy
#######################################
##
## Allow the specified domain to read
## mediawiki tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`mediawiki_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mediawiki_read_tmp_files'($*)) dnl
gen_require(`
type mediawiki_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mediawiki_read_tmp_files'($*)) dnl
')
#######################################
##
## Delete mediawiki tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`mediawiki_delete_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mediawiki_delete_tmp_files'($*)) dnl
gen_require(`
type mediawiki_tmp_t;
')
delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mediawiki_delete_tmp_files'($*)) dnl
')
## high-performance memory object caching system
########################################
##
## Execute a domain transition to run memcached.
##
##
##
## Domain allowed to transition.
##
##
#
define(`memcached_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_domtrans'($*)) dnl
gen_require(`
type memcached_t;
type memcached_exec_t;
')
domtrans_pattern($1, memcached_exec_t, memcached_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_domtrans'($*)) dnl
')
########################################
##
## Read memcached PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`memcached_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_read_pid_files'($*)) dnl
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
allow $1 memcached_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_read_pid_files'($*)) dnl
')
########################################
##
## Manage memcached PID files
##
##
##
## Domain allowed access.
##
##
#
define(`memcached_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_manage_pid_files'($*)) dnl
gen_require(`
type memcached_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_manage_pid_files'($*)) dnl
')
########################################
##
## Connect to memcached over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`memcached_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_stream_connect'($*)) dnl
gen_require(`
type memcached_t, memcached_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an memcached environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the memcached domain.
##
##
##
#
define(`memcached_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_admin'($*)) dnl
gen_require(`
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
allow $1 memcached_t:process signal_perms;
ps_process_pattern($1, memcached_t)
tunable_policy(`deny_ptrace',`',`
allow $1 memcached_t:process ptrace;
')
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_admin'($*)) dnl
')
## Milter mail filters
########################################
##
## Create a set of derived types for various
## mail filter applications using the milter interface.
##
##
##
## The name to be used for deriving type names.
##
##
#
define(`milter_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_template'($*)) dnl
# attributes common to all milters
gen_require(`
attribute milter_data_type, milter_domains;
')
type $1_milter_t, milter_domains;
type $1_milter_exec_t;
init_daemon_domain($1_milter_t, $1_milter_exec_t)
role system_r types $1_milter_t;
# Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
files_pid_file($1_milter_data_t)
# Allow communication with MTA over a unix-domain socket
manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
# Create other data files and directories in the data directory
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
logging_send_syslog_msg($1_milter_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_template'($*)) dnl
')
########################################
##
## MTA communication with milter sockets
##
##
##
## Domain allowed access.
##
##
#
define(`milter_stream_connect_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_stream_connect_all'($*)) dnl
gen_require(`
attribute milter_data_type, milter_domains;
')
files_search_pids($1)
getattr_dirs_pattern($1, milter_data_type, milter_data_type)
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_stream_connect_all'($*)) dnl
')
########################################
##
## Allow getattr of milter sockets
##
##
##
## Domain allowed access.
##
##
#
define(`milter_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_getattr_all_sockets'($*)) dnl
gen_require(`
attribute milter_data_type;
')
getattr_dirs_pattern($1, milter_data_type, milter_data_type)
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_getattr_all_sockets'($*)) dnl
')
########################################
##
## Allow setattr of milter dirs
##
##
##
## Domain allowed access.
##
##
#
define(`milter_setattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_setattr_all_dirs'($*)) dnl
gen_require(`
attribute milter_data_type;
')
setattr_dirs_pattern($1, milter_data_type, milter_data_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_setattr_all_dirs'($*)) dnl
')
########################################
##
## Manage spamassassin milter state
##
##
##
## Domain allowed access.
##
##
#
define(`milter_manage_spamass_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_manage_spamass_state'($*)) dnl
gen_require(`
type spamass_milter_state_t;
')
files_search_var_lib($1)
manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_manage_spamass_state'($*)) dnl
')
#######################################
##
## Delete dkim-milter PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`milter_delete_dkim_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_delete_dkim_pid_files'($*)) dnl
gen_require(`
type dkim_milter_data_t;
')
files_search_pids($1)
delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_delete_dkim_pid_files'($*)) dnl
')
## MiniDLNA lightweight DLNA/UPnP media server
########################################
##
## All of the rules required to
## administrate an minidlna environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`minidlna_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `minidlna_admin'($*)) dnl
gen_require(`
type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
')
allow $1 minidlna_t:process { ptrace signal_perms };
ps_process_pattern($1, minidlna_t)
minidlna_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 minidlna_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minidlna_conf_t)
logging_search_logs($1)
admin_pattern($1, minidlna_log_t)
files_search_var_lib($1)
admin_pattern($1, minidlna_db_t)
files_search_pids($1)
admin_pattern($1, minidlna_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `minidlna_admin'($*)) dnl
')
########################################
##
## Execute minidlna init scripts in
## the initrc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`minidlna_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `minidlna_initrc_domtrans'($*)) dnl
gen_require(`
type minidlna_initrc_exec_t;
')
init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `minidlna_initrc_domtrans'($*)) dnl
')
## Daemon used by MiniUPnPc to speed up device discoveries.
########################################
##
## Read minissdpd configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`minissdpd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `minissdpd_read_config'($*)) dnl
gen_require(`
type minissdpd_conf_t;
')
files_search_etc($1)
allow $1 minissdpd_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `minissdpd_read_config'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an minissdpd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`minissdpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `minissdpd_admin'($*)) dnl
gen_require(`
type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
type minissdpd_var_run_t;
')
allow $1 minissdpd_t:process { signal_perms };
ps_process_pattern($1, minissdpd_t)
init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 minissdpd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, minissdpd_conf_t)
files_search_pids($1)
admin_pattern($1, minissdpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `minissdpd_admin'($*)) dnl
')
## Mobile IPv6 and NEMO Basic Support implementation
########################################
##
## Execute TEMPLATE in the mip6d domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mip6d_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mip6d_domtrans'($*)) dnl
gen_require(`
type mip6d_t, mip6d_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mip6d_exec_t, mip6d_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mip6d_domtrans'($*)) dnl
')
########################################
##
## Execute mip6d server in the mip6d domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mip6d_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mip6d_systemctl'($*)) dnl
gen_require(`
type mip6d_t;
type mip6d_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 mip6d_unit_file_t:file read_file_perms;
allow $1 mip6d_unit_file_t:service manage_service_perms;
ps_process_pattern($1, mip6d_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mip6d_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an mip6d environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`mip6d_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mip6d_admin'($*)) dnl
gen_require(`
type mip6d_t;
type mip6d_unit_file_t;
')
allow $1 mip6d_t:process { signal_perms };
ps_process_pattern($1, mip6d_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mip6d_t:process ptrace;
')
mip6d_systemctl($1)
admin_pattern($1, mip6d_unit_file_t)
allow $1 mip6d_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mip6d_admin'($*)) dnl
')
## policy for mirrormanager
########################################
##
## Execute mirrormanager in the mirrormanager domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mirrormanager_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_domtrans'($*)) dnl
gen_require(`
type mirrormanager_t, mirrormanager_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_domtrans'($*)) dnl
')
########################################
##
## Read mirrormanager's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mirrormanager_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_read_log'($*)) dnl
gen_require(`
type mirrormanager_log_t;
')
logging_search_logs($1)
read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_read_log'($*)) dnl
')
########################################
##
## Append to mirrormanager log files.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_append_log'($*)) dnl
gen_require(`
type mirrormanager_log_t;
')
logging_search_logs($1)
append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_append_log'($*)) dnl
')
########################################
##
## Manage mirrormanager log files
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_log'($*)) dnl
gen_require(`
type mirrormanager_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_log'($*)) dnl
')
########################################
##
## Search mirrormanager lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_search_lib'($*)) dnl
gen_require(`
type mirrormanager_var_lib_t;
')
allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_search_lib'($*)) dnl
')
########################################
##
## Read mirrormanager lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_read_lib_files'($*)) dnl
gen_require(`
type mirrormanager_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_read_lib_files'($*)) dnl
')
########################################
##
## Manage mirrormanager lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_lib_files'($*)) dnl
gen_require(`
type mirrormanager_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_lib_files'($*)) dnl
')
########################################
##
## Manage mirrormanager lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_lib_dirs'($*)) dnl
gen_require(`
type mirrormanager_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read mirrormanager PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_read_pid_files'($*)) dnl
gen_require(`
type mirrormanager_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_read_pid_files'($*)) dnl
')
########################################
##
## Manage mirrormanager PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_pid_files'($*)) dnl
gen_require(`
type mirrormanager_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_pid_files'($*)) dnl
')
########################################
##
## Manage mirrormanager PID sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_manage_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_pid_sock_files'($*)) dnl
gen_require(`
type mirrormanager_var_run_t;
')
files_search_pids($1)
manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_pid_sock_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an mirrormanager environment
##
##
##
## Domain allowed access.
##
##
#
define(`mirrormanager_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_admin'($*)) dnl
gen_require(`
type mirrormanager_t;
type mirrormanager_log_t;
type mirrormanager_var_lib_t;
type mirrormanager_var_run_t;
')
allow $1 mirrormanager_t:process { signal_perms };
ps_process_pattern($1, mirrormanager_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mirrormanager_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, mirrormanager_log_t)
files_search_var_lib($1)
admin_pattern($1, mirrormanager_var_lib_t)
files_search_pids($1)
admin_pattern($1, mirrormanager_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_admin'($*)) dnl
')
## policy for mock
########################################
##
## Execute a domain transition to run mock.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_domtrans'($*)) dnl
gen_require(`
type mock_t, mock_exec_t;
')
domtrans_pattern($1, mock_exec_t, mock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_domtrans'($*)) dnl
')
########################################
##
## Search mock lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_search_lib'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
allow $1 mock_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_search_lib'($*)) dnl
')
########################################
##
## Read mock lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_read_lib_files'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
read_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_read_lib_files'($*)) dnl
')
########################################
##
## Getattr on mock lib file,dir,sock_file ...
##
##
##
## Domain allowed access.
##
##
#
define(`mock_getattr_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_getattr_lib'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
allow $1 mock_var_lib_t:dir_file_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_getattr_lib'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mock lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_files'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_files'($*)) dnl
')
########################################
##
## Manage mock lib dirs files.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_dirs'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_dirs'($*)) dnl
')
#########################################
##
## Manage mock lib symlinks.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_manage_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_symlinks'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
files_search_var_lib($1)
manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_symlinks'($*)) dnl
')
########################################
##
## Manage mock lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_manage_lib_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_chr_files'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
files_search_var_lib($1)
manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_chr_files'($*)) dnl
')
########################################
##
## Manage mock lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_dontaudit_write_lib_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_dontaudit_write_lib_chr_files'($*)) dnl
gen_require(`
type mock_var_lib_t;
')
dontaudit $1 mock_var_lib_t:chr_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_dontaudit_write_lib_chr_files'($*)) dnl
')
#######################################
##
## Dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`mock_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_dontaudit_leaks'($*)) dnl
gen_require(`
type mock_tmp_t;
')
dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_dontaudit_leaks'($*)) dnl
')
########################################
##
## Execute mock in the mock domain, and
## allow the specified role the mock domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the mock domain.
##
##
##
#
define(`mock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_run'($*)) dnl
gen_require(`
type mock_t;
type mock_build_t;
')
mock_domtrans($1)
role $2 types mock_t;
role $2 types mock_build_t;
mount_run(mock_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_run'($*)) dnl
')
########################################
##
## Role access for mock
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
##
#
define(`mock_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_role'($*)) dnl
gen_require(`
type mock_t;
')
role $1 types mock_t;
mock_run($2, $1)
ps_process_pattern($2, mock_t)
allow $2 mock_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 mock_t:process ptrace;
')
optional_policy(`
mock_read_lib_files($2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_role'($*)) dnl
')
#######################################
##
## Send a generic signal to mock.
##
##
##
## Domain allowed access.
##
##
#
define(`mock_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_signal'($*)) dnl
gen_require(`
type mock_t;
')
allow $1 mock_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_signal'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an mock environment
##
##
##
## Domain allowed access.
##
##
#
define(`mock_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mock_admin'($*)) dnl
gen_require(`
type mock_t, mock_var_lib_t;
type mock_build_t, mock_etc_t, mock_tmp_t;
')
allow $1 mock_t:process signal_perms;
ps_process_pattern($1, mock_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mock_t:process ptrace;
allow $1 mock_build_t:process ptrace;
')
allow $1 mock_build_t:process signal_perms;
ps_process_pattern($1, mock_build_t)
files_list_var_lib($1)
admin_pattern($1, mock_var_lib_t)
files_list_tmp($1)
admin_pattern($1, mock_tmp_t)
files_search_etc($1)
admin_pattern($1, mock_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mock_admin'($*)) dnl
')
## Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
########################################
##
## Execute a domain transition to run modemmanager.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modemmanager_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_domtrans'($*)) dnl
gen_require(`
type modemmanager_t, modemmanager_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modemmanager_domtrans'($*)) dnl
')
########################################
##
## Execute modemmanager server in the modemmanager domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modemmanager_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_systemctl'($*)) dnl
gen_require(`
type modemmanager_t;
type modemmanager_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 modemmanager_unit_file_t:file read_file_perms;
allow $1 modemmanager_unit_file_t:service manage_service_perms;
ps_process_pattern($1, modemmanager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modemmanager_systemctl'($*)) dnl
')
########################################
##
## Send and receive messages from
## modemmanager over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`modemmanager_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_dbus_chat'($*)) dnl
gen_require(`
type modemmanager_t;
class dbus send_msg;
')
allow $1 modemmanager_t:dbus send_msg;
allow modemmanager_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modemmanager_dbus_chat'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an modemmanager environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`modemmanager_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_admin'($*)) dnl
gen_require(`
type modemmanager_t;
type modemmanager_unit_file_t;
')
allow $1 modemmanager_t:process { ptrace signal_perms };
ps_process_pattern($1, modemmanager_t)
modemmanager_systemctl($1)
admin_pattern($1, modemmanager_unit_file_t)
allow $1 modemmanager_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modemmanager_admin'($*)) dnl
')
## MojoMojo Wiki.
########################################
##
## All of the rules required to
## administrate an mojomojo environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`mojomojo_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mojomojo_admin'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
apache_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mojomojo_admin'($*)) dnl
')
## policy for mon_statd
########################################
##
## Execute mon_statd in the mon_statd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mon_statd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mon_statd_domtrans'($*)) dnl
gen_require(`
type mon_statd_t, mon_statd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mon_statd_exec_t, mon_statd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mon_statd_domtrans'($*)) dnl
')
########################################
##
## Execute mon_procd in the mon_procd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mon_procd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mon_procd_domtrans'($*)) dnl
gen_require(`
type mon_procd_t, mon_procd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mon_procd_exec_t, mon_procd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mon_procd_domtrans'($*)) dnl
')
## Scalable, high-performance, open source NoSQL database.
########################################
##
## All of the rules required to
## administrate an mongodb environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mongodb_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mongodb_admin'($*)) dnl
gen_require(`
type mongod_t, mongod_initrc_exec_t, mongod_log_t;
type mongod_var_lib_t, mongod_var_run_t;
')
allow $1 mongod_t:process { ptrace signal_perms };
ps_process_pattern($1, mongod_t)
init_labeled_script_domtrans($1, mongod_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 mongod_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, mongod_log_t)
files_search_var_lib($1)
admin_pattern($1, mongod_var_lib_t)
files_search_pids($1)
admin_pattern($1, mongod_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mongodb_admin'($*)) dnl
')
## Run .NET server and client applications on Linux.
#######################################
##
## The role template for the mono module.
##
##
##
## This template creates a derived domains which are used
## for mono applications.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`mono_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mono_role_template'($*)) dnl
gen_require(`
attribute mono_domain;
type mono_exec_t;
')
########################################
#
# Declarations
#
type $1_mono_t, mono_domain;
domain_type($1_mono_t)
domain_entry_file($1_mono_t, mono_exec_t)
role $2 types $1_mono_t;
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
########################################
#
# Policy
#
domtrans_pattern($3, mono_exec_t, $1_mono_t)
allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };
ps_process_pattern($2, $1_mono_t)
corecmd_bin_domtrans($1_mono_t, $3)
userdom_manage_user_tmpfs_files($1_mono_t)
optional_policy(`
fs_dontaudit_rw_tmpfs_files($1_mono_t)
xserver_role($1_r, $1_mono_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mono_role_template'($*)) dnl
')
########################################
##
## Execute mono in the mono domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mono_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mono_domtrans'($*)) dnl
gen_require(`
type mono_t, mono_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mono_domtrans'($*)) dnl
')
########################################
##
## Execute mono in the mono domain, and
## allow the specified role the mono domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`mono_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mono_run'($*)) dnl
gen_require(`
attribute_role mono_roles;
')
mono_domtrans($1)
roleattribute $2 mono_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mono_run'($*)) dnl
')
########################################
##
## Execute mono in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mono_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mono_exec'($*)) dnl
gen_require(`
type mono_exec_t;
')
corecmd_search_bin($1)
can_exec($1, mono_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mono_exec'($*)) dnl
')
########################################
##
## Read and write mono shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`mono_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mono_rw_shm'($*)) dnl
gen_require(`
type mono_t;
')
allow $1 mono_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mono_rw_shm'($*)) dnl
')
## Monopoly daemon.
########################################
##
## All of the rules required to
## administrate an monop environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`monop_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `monop_admin'($*)) dnl
gen_require(`
type monopd_t, monopd_initrc_exec_t, monopd_share_t;
type monopd_etc_t, monopd_var_run_t;
')
allow $1 monopd_t:process { ptrace signal_perms };
ps_process_pattern($1, monopd_t)
init_labeled_script_domtrans($1, monopd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
admin_pattern($1, monopd_var_run_t)
files_search_usr($1)
admin_pattern($1, monopd_share_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `monop_admin'($*)) dnl
')
## Detect motion using a video4linux device
########################################
##
## Execute motion in the motion domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`motion_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_domtrans'($*)) dnl
gen_require(`
type motion_t, motion_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, motion_exec_t, motion_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_domtrans'($*)) dnl
')
########################################
##
## Read motion's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`motion_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_read_log'($*)) dnl
gen_require(`
type motion_log_t;
')
logging_search_logs($1)
read_files_pattern($1, motion_log_t, motion_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_read_log'($*)) dnl
')
########################################
##
## Append to motion log files.
##
##
##
## Domain allowed access.
##
##
#
define(`motion_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_append_log'($*)) dnl
gen_require(`
type motion_log_t;
')
logging_search_logs($1)
append_files_pattern($1, motion_log_t, motion_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_append_log'($*)) dnl
')
########################################
##
## Manage motion log files
##
##
##
## Domain allowed access.
##
##
#
define(`motion_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_log'($*)) dnl
gen_require(`
type motion_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, motion_log_t, motion_log_t)
manage_files_pattern($1, motion_log_t, motion_log_t)
manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_manage_log'($*)) dnl
')
########################################
##
## Manage motion pid files
##
##
##
## Domain allowed access.
##
##
#
define(`motion_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_pid'($*)) dnl
gen_require(`
type motion_var_run_t;
')
manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_manage_pid'($*)) dnl
')
########################################
##
## Manage motion data files
##
##
##
## Domain allowed access.
##
##
#
define(`motion_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_data'($*)) dnl
gen_require(`
type motion_data_t;
')
manage_dirs_pattern($1, motion_data_t, motion_data_t)
manage_files_pattern($1, motion_data_t, motion_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_manage_data'($*)) dnl
')
########################################
##
## Execute motion server in the motion domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`motion_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_systemctl'($*)) dnl
gen_require(`
type motion_t;
type motion_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 motion_unit_file_t:file read_file_perms;
allow $1 motion_unit_file_t:service manage_service_perms;
ps_process_pattern($1, motion_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_systemctl'($*)) dnl
')
########################################
##
## Manage all motion files.
##
##
##
## Domain allowed to transition.
##
##
#
define(`motion_manage_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_all_files'($*)) dnl
motion_manage_log($1)
motion_manage_pid($1)
motion_manage_data($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_manage_all_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an motion environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`motion_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_admin'($*)) dnl
gen_require(`
type motion_t;
type motion_log_t;
type motion_unit_file_t;
')
allow $1 motion_t:process { signal_perms };
ps_process_pattern($1, motion_t)
tunable_policy(`deny_ptrace',`',`
allow $1 motion_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, motion_log_t)
motion_systemctl($1)
admin_pattern($1, motion_unit_file_t)
allow $1 motion_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_admin'($*)) dnl
')
## Policy for Mozilla and related web browsers
########################################
##
## Role access for mozilla
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`mozilla_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_role'($*)) dnl
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
attribute_role mozilla_roles;
')
roleattribute $1 mozilla_roles;
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
# Unrestricted inheritance from the caller.
allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
allow mozilla_t $2:fd use;
allow mozilla_t $2:process { sigchld signull };
allow mozilla_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
allow $2 mozilla_t:process signal_perms;
allow $2 mozilla_t:fd use;
allow $2 mozilla_t:shm { associate getattr };
allow $2 mozilla_t:shm { unix_read unix_write };
allow $2 mozilla_t:unix_stream_socket connectto;
# X access, Home files
manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
#should be remove then with adding of roleattribute
mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2)
userdom_manage_tmp_role($1, mozilla_t)
optional_policy(`
nsplugin_role($1, mozilla_t)
')
optional_policy(`
pulseaudio_role($1, mozilla_t)
pulseaudio_filetrans_admin_home_content(mozilla_t)
pulseaudio_filetrans_home_content(mozilla_t)
')
mozilla_filetrans_home_content($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_role'($*)) dnl
')
########################################
##
## Read mozilla home directory content
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_read_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_read_user_home_files'($*)) dnl
gen_require(`
type mozilla_home_t;
')
allow $1 mozilla_home_t:dir list_dir_perms;
allow $1 mozilla_home_t:file read_file_perms;
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_read_user_home_files'($*)) dnl
')
########################################
##
## Write mozilla home directory content
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_write_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_write_user_home_files'($*)) dnl
gen_require(`
type mozilla_home_t;
')
write_files_pattern($1, mozilla_home_t, mozilla_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_write_user_home_files'($*)) dnl
')
########################################
##
## Dontaudit attempts to read/write mozilla home directory content
##
##
##
## Domain to not audit.
##
##
#
define(`mozilla_dontaudit_rw_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_rw_user_home_files'($*)) dnl
gen_require(`
type mozilla_home_t;
')
dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_rw_user_home_files'($*)) dnl
')
########################################
##
## Dontaudit attempts to write mozilla home directory content
##
##
##
## Domain to not audit.
##
##
#
define(`mozilla_dontaudit_manage_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_manage_user_home_files'($*)) dnl
gen_require(`
type mozilla_home_t;
')
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
dontaudit $1 mozilla_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_manage_user_home_files'($*)) dnl
')
########################################
##
## Execute mozilla home directory content.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_exec_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_exec_user_home_files'($*)) dnl
gen_require(`
type mozilla_home_t;
')
can_exec($1, mozilla_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_exec_user_home_files'($*)) dnl
')
########################################
##
## Execmod mozilla home directory content.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_execmod_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_execmod_user_home_files'($*)) dnl
gen_require(`
type mozilla_home_t;
')
allow $1 mozilla_home_t:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_execmod_user_home_files'($*)) dnl
')
########################################
##
## Run mozilla in the mozilla domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mozilla_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans'($*)) dnl
gen_require(`
type mozilla_t, mozilla_exec_t;
')
domtrans_pattern($1, mozilla_exec_t, mozilla_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans'($*)) dnl
')
########################################
##
## Execute a mozilla_exec_t in the specified domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`mozilla_domtrans_spec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_spec'($*)) dnl
gen_require(`
type mozilla_exec_t;
')
domain_entry_file($2, mozilla_exec_t)
domtrans_pattern($1, mozilla_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans_spec'($*)) dnl
')
########################################
##
## Execute a domain transition to run mozilla_plugin.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_domtrans_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_plugin'($*)) dnl
gen_require(`
type mozilla_plugin_t, mozilla_plugin_exec_t;
type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
type mozilla_plugin_rw_t;
class dbus send_msg;
')
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
allow mozilla_plugin_t $1:process signull;
dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
dontaudit mozilla_plugin_t $1:process signal;
allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
allow $1 mozilla_plugin_t:fd use;
allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
allow mozilla_plugin_t $1:sem create_sem_perms;
allow $1 mozilla_plugin_t:sem rw_sem_perms;
allow $1 mozilla_plugin_t:shm rw_shm_perms;
allow $1 mozilla_plugin_t:fifo_file rw_fifo_file_perms;
ps_process_pattern($1, mozilla_plugin_t)
ps_process_pattern(mozilla_plugin_t, $1)
allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
can_exec($1, mozilla_plugin_rw_t)
allow $1 mozilla_plugin_t:dbus send_msg;
allow mozilla_plugin_t $1:dbus send_msg;
allow mozilla_plugin_t $1:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans_plugin'($*)) dnl
')
########################################
##
## Allow caller to transition to mozilla_plugin_t with NoNewPrivileges
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_nnp_domtrans_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_nnp_domtrans_plugin'($*)) dnl
gen_require(`
type mozilla_plugin_t;
')
allow $1 mozilla_plugin_t:process2 nnp_transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_nnp_domtrans_plugin'($*)) dnl
')
########################################
##
## Execute mozilla_plugin in the mozilla_plugin domain, and
## allow the specified role the mozilla_plugin domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the mozilla_plugin domain.
##
##
#
define(`mozilla_run_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_run_plugin'($*)) dnl
gen_require(`
type mozilla_plugin_t;
attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
')
mozilla_domtrans_plugin($1)
roleattribute $2 mozilla_plugin_roles;
roleattribute $2 mozilla_plugin_config_roles;
tunable_policy(`deny_ptrace',`',`
allow $1 mozilla_plugin_t:process ptrace;
')
optional_policy(`
lpd_run_lpr(mozilla_plugin_t, $2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_run_plugin'($*)) dnl
')
#######################################
##
## Execute qemu unconfined programs in the role.
##
##
##
## The role to allow the mozilla_plugin domain.
##
##
##
#
define(`mozilla_role_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_role_plugin'($*)) dnl
gen_require(`
attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
')
roleattribute $1 mozilla_plugin_roles;
roleattribute $1 mozilla_plugin_config_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_role_plugin'($*)) dnl
')
########################################
##
## Send and receive messages from
## mozilla over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_dbus_chat'($*)) dnl
gen_require(`
type mozilla_t;
class dbus send_msg;
')
allow $1 mozilla_t:dbus send_msg;
allow mozilla_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_dbus_chat'($*)) dnl
')
########################################
##
## read/write mozilla per user tcp_socket
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_rw_tcp_sockets'($*)) dnl
gen_require(`
type mozilla_t;
')
allow $1 mozilla_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_rw_tcp_sockets'($*)) dnl
')
#######################################
##
## Read mozilla_plugin tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`mozilla_plugin_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_tmpfs_files'($*)) dnl
gen_require(`
type mozilla_plugin_tmpfs_t;
')
allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_tmpfs_files'($*)) dnl
')
#######################################
##
## Read/Write mozilla_plugin tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`mozilla_plugin_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_rw_tmpfs_files'($*)) dnl
gen_require(`
type mozilla_plugin_tmpfs_t;
')
rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Delete mozilla_plugin tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`mozilla_plugin_delete_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_delete_tmpfs_files'($*)) dnl
gen_require(`
type mozilla_plugin_tmpfs_t;
')
allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_delete_tmpfs_files'($*)) dnl
')
#######################################
##
## Dontaudit generict ipc read/write to a mozilla_plugin
##
##
##
## Domain to not audit.
##
##
#
define(`mozilla_plugin_dontaudit_rw_sem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_dontaudit_rw_sem'($*)) dnl
gen_require(`
type mozilla_plugin_t;
')
dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_dontaudit_rw_sem'($*)) dnl
')
#######################################
##
## Allow generict ipc read/write to a mozilla_plugin
##
##
##
## Domain to not audit.
##
##
#
define(`mozilla_plugin_rw_sem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_rw_sem'($*)) dnl
gen_require(`
type mozilla_plugin_t;
')
allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_rw_sem'($*)) dnl
')
########################################
##
## Dontaudit read/write to a mozilla_plugin leaks
##
##
##
## Domain to not audit.
##
##
#
define(`mozilla_plugin_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_dontaudit_leaks'($*)) dnl
gen_require(`
type mozilla_plugin_t;
')
dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_dontaudit_leaks'($*)) dnl
')
#######################################
##
## Dontaudit read/write to a mozilla_plugin tmp files.
##
##
##
## Domain to not audit.
##
##
#
define(`mozilla_plugin_dontaudit_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_dontaudit_rw_tmp_files'($*)) dnl
gen_require(`
type mozilla_plugin_tmp_t;
')
dontaudit $1 mozilla_plugin_tmp_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_dontaudit_rw_tmp_files'($*)) dnl
')
#######################################
##
## Allow read/write to a mozilla_plugin tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_plugin_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_rw_tmp_files'($*)) dnl
gen_require(`
type mozilla_plugin_tmp_t;
')
dontaudit $1 mozilla_plugin_tmp_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_rw_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mozilla_plugin rw files.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_plugin_manage_rw_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_manage_rw_files'($*)) dnl
gen_require(`
type mozilla_plugin_rw_t;
')
allow $1 mozilla_plugin_rw_t:file manage_file_perms;
allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_manage_rw_files'($*)) dnl
')
########################################
##
## read mozilla_plugin rw files.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_plugin_read_rw_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_rw_files'($*)) dnl
gen_require(`
type mozilla_plugin_rw_t;
')
read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_rw_files'($*)) dnl
')
########################################
##
## Create mozilla content in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_filetrans_home_content'($*)) dnl
gen_require(`
type mozilla_home_t, mozilla_plugin_rw_t;
')
files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "mozilla.pdf")
userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
optional_policy(`
gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_filetrans_home_content'($*)) dnl
')
########################################
##
## Allow the domain to read mozilla_plugin state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`mozilla_plugin_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_state'($*)) dnl
gen_require(`
type mozilla_plugin_t;
')
kernel_search_proc($1)
ps_process_pattern($1, mozilla_plugin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_state'($*)) dnl
')
## Music Player Daemon.
########################################
##
## Role access for mpd.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`mpd_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_role'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_role'($*)) dnl
')
########################################
##
## Execute a domain transition to run mpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_domtrans'($*)) dnl
gen_require(`
type mpd_t, mpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mpd_exec_t, mpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_domtrans'($*)) dnl
')
########################################
##
## Execute mpd server in the mpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_initrc_domtrans'($*)) dnl
gen_require(`
type mpd_initrc_exec_t;
')
init_labeled_script_domtrans($1, mpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_initrc_domtrans'($*)) dnl
')
#######################################
##
## Read mpd data files.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_read_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_read_data_files'($*)) dnl
gen_require(`
type mpd_data_t;
')
mpd_search_lib($1)
read_files_pattern($1, mpd_data_t, mpd_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_read_data_files'($*)) dnl
')
######################################
##
## Create, read, write, and delete
## mpd data files.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_data_files'($*)) dnl
gen_require(`
type mpd_data_t;
')
mpd_search_lib($1)
manage_files_pattern($1, mpd_data_t, mpd_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_data_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mpd user data content.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_manage_user_data_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_user_data_content'($*)) dnl
gen_require(`
type mpd_user_data_t;
')
userdom_search_user_home_dirs($1)
allow $1 mpd_user_data_t:dir manage_dir_perms;
allow $1 mpd_user_data_t:file manage_file_perms;
allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_user_data_content'($*)) dnl
')
########################################
##
## Relabel mpd user data content.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_relabel_user_data_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_relabel_user_data_content'($*)) dnl
gen_require(`
type mpd_user_data_t;
')
userdom_search_user_home_dirs($1)
allow $1 mpd_user_data_t:dir relabel_dir_perms;
allow $1 mpd_user_data_t:file relabel_file_perms;
allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_relabel_user_data_content'($*)) dnl
')
########################################
##
## Create objects in user home
## directories with the mpd user data type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`mpd_home_filetrans_user_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_home_filetrans_user_data'($*)) dnl
gen_require(`
type mpd_user_data_t;
')
userdom_user_home_dir_filetrans($1, mpd_user_data_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_home_filetrans_user_data'($*)) dnl
')
#######################################
##
## Read mpd tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_read_tmpfs_files'($*)) dnl
gen_require(`
type mpd_tmpfs_t;
')
fs_search_tmpfs($1)
read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_read_tmpfs_files'($*)) dnl
')
###################################
##
## Create, read, write, and delete
## mpd tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_tmpfs_files'($*)) dnl
gen_require(`
type mpd_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_tmpfs_files'($*)) dnl
')
########################################
##
## Search mpd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_search_lib'($*)) dnl
gen_require(`
type mpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 mpd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_search_lib'($*)) dnl
')
########################################
##
## Read mpd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_read_lib_files'($*)) dnl
gen_require(`
type mpd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mpd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_lib_files'($*)) dnl
gen_require(`
type mpd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_lib_files'($*)) dnl
')
#######################################
##
## Create specified objects in mpd
## lib directories with a private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`mpd_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_var_lib_filetrans'($*)) dnl
gen_require(`
type mpd_var_lib_t;
')
files_search_var_lib($1)
filetrans_pattern($1, mpd_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_var_lib_filetrans'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mpd lib dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_lib_dirs'($*)) dnl
gen_require(`
type mpd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Connect to mpd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`mpd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_stream_connect'($*)) dnl
gen_require(`
type mpd_t, mpd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an mpd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_admin'($*)) dnl
gen_require(`
type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
type mpd_data_t, mpd_log_t, mpd_var_lib_t;
type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
')
allow $1 mpd_t:process signal_perms;
ps_process_pattern($1, mpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mpd_t:process ptrace;
')
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mpd_etc_t)
files_search_var_lib($1)
admin_pattern($1, { mpd_data_t mpd_user_data_t mpd_var_lib_t })
logging_search_logs($1)
admin_pattern($1, mpd_log_t)
files_search_tmp($1)
admin_pattern($1, mpd_tmp_t)
fs_search_tmpfs($1)
admin_pattern($1, mpd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_admin'($*)) dnl
')
## Mplayer media player and encoder.
########################################
##
## Role access for mplayer
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`mplayer_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_role'($*)) dnl
gen_require(`
attribute_role mencoder_roles, mplayer_roles;
type mencoder_t, mencoder_exec_t, mplayer_home_t;
type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t;
')
########################################
#
# Declarations
#
roleattribute $1 mencoder_roles;
roleattribute $1 mplayer_roles;
########################################
#
# Policy
#
domtrans_pattern($2, mencoder_exec_t, mencoder_t)
domtrans_pattern($2, mplayer_exec_t, mplayer_t)
allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
ps_process_pattern($2, { mplayer_t mencoder_t })
allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms };
allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer")
allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms };
allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_role'($*)) dnl
')
########################################
##
## Run mplayer in mplayer domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mplayer_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_domtrans'($*)) dnl
gen_require(`
type mplayer_t, mplayer_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mplayer_exec_t, mplayer_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_domtrans'($*)) dnl
')
########################################
##
## Execute mplayer in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
#
define(`mplayer_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_exec'($*)) dnl
gen_require(`
type mplayer_exec_t;
')
corecmd_search_bin($1)
can_exec($1, mplayer_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_exec'($*)) dnl
')
########################################
##
## Read mplayer user home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`mplayer_read_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_read_user_home_files'($*)) dnl
gen_require(`
type mplayer_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, mplayer_home_t, mplayer_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_read_user_home_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## generic mplayer home content.
##
##
##
## Domain allowed access.
##
##
#
define(`mplayer_manage_generic_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_manage_generic_home_content'($*)) dnl
gen_require(`
type mplayer_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 mplayer_home_t:dir manage_dir_perms;
allow $1 mplayer_home_t:file manage_file_perms;
allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_manage_generic_home_content'($*)) dnl
')
########################################
##
## Create specified objects in user home
## directories with the generic mplayer
## home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`mplayer_home_filetrans_mplayer_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_home_filetrans_mplayer_home'($*)) dnl
gen_require(`
type mplayer_home_t;
')
userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_home_filetrans_mplayer_home'($*)) dnl
')
########################################
##
## Create specified objects in user home
## directories with the generic mplayer
## home type.
##
##
##
## Domain allowed access.
##
##
#
define(`mplayer_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_filetrans_home_content'($*)) dnl
gen_require(`
type mplayer_home_t;
')
userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_filetrans_home_content'($*)) dnl
')
## Network traffic graphing.
########################################
##
## Read mrtg lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`mrtg_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mrtg_read_lib_files'($*)) dnl
gen_require(`
type mrtg_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mrtg_read_lib_files'($*)) dnl
')
########################################
##
## Create and append mrtg log files.
##
##
##
## Domain allowed access.
##
##
#
define(`mrtg_append_create_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mrtg_append_create_logs'($*)) dnl
gen_require(`
type mrtg_log_t;
')
logging_search_logs($1)
append_files_pattern($1, mrtg_log_t, mrtg_log_t)
create_files_pattern($1, mrtg_log_t, mrtg_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mrtg_append_create_logs'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an mrtg environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mrtg_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mrtg_admin'($*)) dnl
gen_require(`
type mrtg_t, mrtg_var_run_t, mrtg_initrc_exec_t;
type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t;
type mrtg_etc_t;
')
allow $1 mrtg_t:process { ptrace signal_perms };
ps_process_pattern($1, mrtg_t)
init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 mrtg_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, mrtg_etc_t)
files_search_locks($1)
admin_pattern($1, mrtg_lock_t)
logging_search_logs($1)
admin_pattern($1, mrtg_log_t)
files_search_pids($1)
admin_pattern($1, mrtg_var_run_t)
files_search_var_lib($1)
admin_pattern($1, mrtg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mrtg_admin'($*)) dnl
')
## Policy common to all email tranfer agents.
########################################
##
## MTA stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_stub'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_stub'($*)) dnl
')
#######################################
##
## Basic mail transfer agent domain template.
##
##
##
## This template creates a derived domain which is
## a email transfer agent, which sends mail on
## behalf of the user.
##
##
## This is the basic types and rules, common
## to the system agent and user agents.
##
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`mta_base_mail_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_base_mail_template'($*)) dnl
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
')
##############################
#
# $1_mail_t declarations
#
type $1_mail_t, user_mail_domain;
application_domain($1_mail_t, sendmail_exec_t)
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
kernel_read_system_state($1_mail_t)
corenet_all_recvfrom_netlabel($1_mail_t)
auth_use_nsswitch($1_mail_t)
logging_send_syslog_msg($1_mail_t)
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_base_mail_template'($*)) dnl
')
########################################
##
## Role access for mta
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`mta_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_role'($*)) dnl
gen_require(`
attribute mta_user_agent;
type user_mail_t, sendmail_exec_t;
')
role $1 types { user_mail_t mta_user_agent };
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
allow $2 user_mail_t:process signal;
optional_policy(`
exim_run($2, $1)
')
optional_policy(`
mailman_run(mta_user_agent, $1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_role'($*)) dnl
')
########################################
##
## Make the specified domain usable for a mail server.
##
##
##
## Type to be used as a mail server domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`mta_mailserver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver'($*)) dnl
gen_require(`
attribute mailserver_domain;
')
init_daemon_domain($1, $2)
typeattribute $1 mailserver_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver'($*)) dnl
')
########################################
##
## Make the specified type a MTA executable file.
##
##
##
## Type to be used as a mail client.
##
##
#
define(`mta_agent_executable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_agent_executable'($*)) dnl
gen_require(`
attribute mta_exec_type;
')
typeattribute $1 mta_exec_type;
application_executable_file($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_agent_executable'($*)) dnl
')
######################################
##
## Dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_leaks_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_leaks_system_mail'($*)) dnl
gen_require(`
type system_mail_t;
')
dontaudit $1 system_mail_t:fifo_file write;
dontaudit $1 system_mail_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_leaks_system_mail'($*)) dnl
')
########################################
##
## Make the specified type by a system MTA.
##
##
##
## Type to be used as a mail client.
##
##
#
define(`mta_system_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_system_content'($*)) dnl
gen_require(`
attribute mailcontent_type;
')
typeattribute $1 mailcontent_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_system_content'($*)) dnl
')
########################################
##
## Modified mailserver interface for
## sendmail daemon use.
##
##
##
## A modified MTA mail server interface for
## the sendmail program. It's design does
## not fit well with policy, and using the
## regular interface causes a type_transition
## conflict if direct running of init scripts
## is enabled.
##
##
## This interface should most likely only be used
## by the sendmail policy.
##
##
##
##
## The type to be used for the mail server.
##
##
#
define(`mta_sendmail_mailserver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_mailserver'($*)) dnl
gen_require(`
attribute mailserver_domain;
type sendmail_exec_t;
')
init_system_domain($1, sendmail_exec_t)
typeattribute $1 mailserver_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_mailserver'($*)) dnl
')
#######################################
##
## Make a type a mailserver type used
## for sending mail.
##
##
##
## Mail server domain type used for sending mail.
##
##
#
define(`mta_mailserver_sender',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_sender'($*)) dnl
gen_require(`
attribute mailserver_sender;
')
typeattribute $1 mailserver_sender;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_sender'($*)) dnl
')
#######################################
##
## Make a type a mailserver type used
## for delivering mail to local users.
##
##
##
## Mail server domain type used for delivering mail.
##
##
#
define(`mta_mailserver_delivery',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_delivery'($*)) dnl
gen_require(`
attribute mailserver_delivery;
')
typeattribute $1 mailserver_delivery;
userdom_home_manager($1)
optional_policy(`
mta_rw_delivery_tcp_sockets($1)
')
userdom_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_delivery'($*)) dnl
')
#######################################
##
## Make a type a mailserver type used
## for sending mail on behalf of local
## users to the local mail spool.
##
##
##
## Mail server domain type used for sending local mail.
##
##
#
define(`mta_mailserver_user_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_user_agent'($*)) dnl
gen_require(`
attribute mta_user_agent;
')
typeattribute $1 mta_user_agent;
optional_policy(`
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_user_agent'($*)) dnl
')
########################################
##
## Send mail from the system.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mta_send_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_send_mail'($*)) dnl
gen_require(`
attribute mta_user_agent;
type system_mail_t;
attribute mta_exec_type;
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
corecmd_read_bin_symlinks($1)
domtrans_pattern($1, mta_exec_type, system_mail_t)
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_send_mail'($*)) dnl
')
########################################
##
## Execute send mail in a specified domain.
##
##
##
## Execute send mail in a specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Domain to transition to.
##
##
#
define(`mta_sendmail_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_domtrans'($*)) dnl
gen_require(`
attribute mta_exec_type;
attribute mta_user_agent;
')
files_search_usr($1)
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
corecmd_read_bin_symlinks($1)
allow $2 mta_exec_type:file entrypoint;
domtrans_pattern($1, mta_exec_type, $2)
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_domtrans'($*)) dnl
')
########################################
##
## Send system mail client a signal
##
##
##
## Domain allowed access.
##
##
#
define(`mta_signal_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_signal_system_mail'($*)) dnl
gen_require(`
type system_mail_t;
')
allow $1 system_mail_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_signal_system_mail'($*)) dnl
')
########################################
##
## Allow role to access system_mail_t.
##
##
##
## Role allowed access.
##
##
#
define(`mta_role_access_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_role_access_system_mail'($*)) dnl
gen_require(`
type system_mail_t;
')
role $1 types system_mail_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_role_access_system_mail'($*)) dnl
')
########################################
##
## Send all user mail client a signal
##
##
##
## Domain allowed access.
##
##
#
define(`mta_signal_user_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_signal_user_agent'($*)) dnl
gen_require(`
attribute mta_user_agent;
')
allow $1 mta_user_agent:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_signal_user_agent'($*)) dnl
')
########################################
##
## Send all user mail client a kill signal
##
##
##
## Domain allowed access.
##
##
#
define(`mta_kill_user_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_kill_user_agent'($*)) dnl
gen_require(`
attribute mta_user_agent;
')
allow $1 mta_user_agent:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_kill_user_agent'($*)) dnl
')
########################################
##
## Send system mail client a kill signal
##
##
##
## Domain allowed access.
##
##
#
define(`mta_kill_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_kill_system_mail'($*)) dnl
gen_require(`
type system_mail_t;
')
allow $1 system_mail_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_kill_system_mail'($*)) dnl
')
########################################
##
## Execute sendmail in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_sendmail_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_exec'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
can_exec($1, sendmail_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_exec'($*)) dnl
')
########################################
##
## Check whether sendmail executable
## files are executable.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_sendmail_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_access_check'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
corecmd_search_bin($1)
allow $1 sendmail_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_access_check'($*)) dnl
')
########################################
##
## Read mail server configuration.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mta_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_config'($*)) dnl
gen_require(`
type etc_mail_t;
')
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
read_files_pattern($1, etc_mail_t, etc_mail_t)
read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_config'($*)) dnl
')
########################################
##
## write mail server configuration.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mta_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_write_config'($*)) dnl
gen_require(`
type etc_mail_t;
')
write_files_pattern($1, etc_mail_t, etc_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_write_config'($*)) dnl
')
########################################
##
## Manage mail server configuration.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mta_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_config'($*)) dnl
gen_require(`
type etc_mail_t;
')
manage_files_pattern($1, etc_mail_t, etc_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_config'($*)) dnl
')
########################################
##
## Read mail address aliases.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_aliases'($*)) dnl
')
########################################
##
## Mmap mail address aliases.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_map_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_map_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
allow $1 etc_aliases_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_map_aliases'($*)) dnl
')
########################################
##
## Create, read, write, and delete mail address aliases.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_manage_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
mta_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_aliases'($*)) dnl
')
########################################
##
## Type transition files created in /etc
## to the mail address aliases type.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`mta_etc_filetrans_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_etc_filetrans_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
files_etc_filetrans($1, etc_aliases_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_etc_filetrans_aliases'($*)) dnl
')
########################################
##
## Read and write mail aliases.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mta_rw_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_aliases'($*)) dnl
')
#######################################
##
## Do not audit attempts to read and write TCP
## sockets of mail delivery domains.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_rw_delivery_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl
gen_require(`
attribute mailserver_delivery;
')
dontaudit $1 mailserver_delivery:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl
')
######################################
##
## Allow attempts to read and write TCP
## sockets of mail delivery domains.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_rw_delivery_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_delivery_tcp_sockets'($*)) dnl
gen_require(`
attribute mailserver_delivery;
')
allow $1 mailserver_delivery:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_delivery_tcp_sockets'($*)) dnl
')
#######################################
##
## Connect to all mail servers over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`mta_tcp_connect_all_mailservers',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_tcp_connect_all_mailservers'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_tcp_connect_all_mailservers'($*)) dnl
')
#######################################
##
## Do not audit attempts to read a symlink
## in the mail spool.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_read_spool_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_read_spool_symlinks'($*)) dnl
gen_require(`
type mail_spool_t;
')
dontaudit $1 mail_spool_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_read_spool_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_getattr_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_getattr_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
getattr_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_getattr_spool'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of mail spool files.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_getattr_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_getattr_spool_files'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
dontaudit $1 mail_spool_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_getattr_spool_files'($*)) dnl
')
#######################################
##
## Create private objects in the
## mail spool directory.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`mta_spool_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_spool_filetrans'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
filetrans_pattern($1, mail_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_spool_filetrans'($*)) dnl
')
#######################################
##
## Read the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_spool'($*)) dnl
')
########################################
##
## Read and write the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_rw_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr_file_perms;
manage_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_spool'($*)) dnl
')
#######################################
##
## Create, read, and write the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_append_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_append_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
write_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_append_spool'($*)) dnl
')
#######################################
##
## Delete from the mail spool.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_delete_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_delete_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
delete_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_delete_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_spool'($*)) dnl
gen_require(`
type mail_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
manage_files_pattern($1, mail_spool_t, mail_spool_t)
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
allow $1 mail_spool_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_spool'($*)) dnl
')
########################################
##
## Search mail queue dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_search_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_search_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
files_search_spool($1)
allow $1 mqueue_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_search_queue'($*)) dnl
')
#######################################
##
## List the mail queue.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_list_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_list_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
allow $1 mqueue_spool_t:dir list_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_list_queue'($*)) dnl
')
#######################################
##
## Read the mail queue.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_queue'($*)) dnl
')
#######################################
##
## Do not audit attempts to read and
## write the mail queue.
##
##
##
## Domain to not audit.
##
##
#
define(`mta_dontaudit_rw_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
dontaudit $1 mqueue_spool_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_queue'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## mail queue files.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_manage_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_queue'($*)) dnl
')
#######################################
##
## Create private objects in the
## mqueue spool directory.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`mta_spool_filetrans_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_spool_filetrans_queue'($*)) dnl
gen_require(`
type mqueue_spool_t;
')
files_search_spool($1)
filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_spool_filetrans_queue'($*)) dnl
')
#######################################
##
## Read sendmail binary.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for postfix
define(`mta_read_sendmail_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_sendmail_bin'($*)) dnl
gen_require(`
type sendmail_exec_t;
')
allow $1 sendmail_exec_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_sendmail_bin'($*)) dnl
')
#######################################
##
## Read and write unix domain stream sockets
## of user mail domains.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_rw_user_mail_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_user_mail_stream_sockets'($*)) dnl
gen_require(`
attribute user_mail_domain;
')
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_user_mail_stream_sockets'($*)) dnl
')
########################################
##
## Type transition files created in calling dir
## to the mail address aliases type.
##
##
##
## Domain allowed access.
##
##
##
##
## Directory to transition on.
##
##
#
define(`mta_filetrans_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_aliases'($*)) dnl
gen_require(`
type etc_aliases_t;
')
filetrans_pattern($1, $2, etc_aliases_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_aliases'($*)) dnl
')
######################################
##
## ALlow domain to append mail content in the homedir
##
##
##
## Domain allowed access.
##
##
#
define(`mta_append_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_append_home'($*)) dnl
gen_require(`
type mail_home_t;
')
userdom_search_user_home_dirs($1)
append_files_pattern($1, mail_home_t, mail_home_t)
ifdef(`distro_redhat',`
userdom_search_admin_dir($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_append_home'($*)) dnl
')
######################################
##
## ALlow domain to read mail content in the homedir
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_home'($*)) dnl
gen_require(`
type mail_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, mail_home_t, mail_home_t)
ifdef(`distro_redhat',`
userdom_search_admin_dir($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_home'($*)) dnl
')
####################################
##
## ALlow domain to mmap mail content in the homedir
##
##
##
## Domain allowed access.
##
##
#
define(`mta_mmap_home_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mmap_home_rw'($*)) dnl
gen_require(`
type mail_home_rw_t;
')
allow $1 mail_home_rw_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mmap_home_rw'($*)) dnl
')
####################################
##
## ALlow domain to read mail content in the homedir
##
##
##
## Domain allowed access.
##
##
#
define(`mta_read_home_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_home_rw'($*)) dnl
gen_require(`
type mail_home_rw_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
list_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
ifdef(`distro_redhat',`
userdom_search_admin_dir($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_home_rw'($*)) dnl
')
####################################
##
## Allow domain to manage mail content in the homedir
##
##
##
## Domain allowed access.
##
##
#
define(`mta_manage_home_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_home_rw'($*)) dnl
gen_require(`
type mail_home_rw_t;
')
userdom_search_user_home_dirs($1)
userdom_search_admin_dir($1)
manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
ifdef(`distro_redhat',`
userdom_search_admin_dir($1)
userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_home_rw'($*)) dnl
')
########################################
##
## create mail content in the in the /root directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`mta_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_admin_home_content'($*)) dnl
gen_require(`
type mail_home_t;
type mail_home_rw_t;
')
userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".esmtprc")
userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## Transition to mta named home content
##
##
##
## Domain allowed access.
##
##
#
define(`mta_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_home_content'($*)) dnl
gen_require(`
type mail_home_t;
type mail_home_rw_t;
')
userdom_user_home_dir_filetrans($1, mail_home_t, file, ".esmtprc")
userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_home_content'($*)) dnl
')
########################################
##
## Transition to mta named content
##
##
##
## Domain allowed access.
##
##
#
define(`mta_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_named_content'($*)) dnl
gen_require(`
type etc_aliases_t;
type etc_mail_t;
')
#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
mta_etc_filetrans_aliases($1, "aliases")
mta_etc_filetrans_aliases($1, "aliases.db")
mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
mta_etc_filetrans_aliases($1, "__db.aliases.db")
mta_etc_filetrans_aliases($1, "virtusertable.db")
mta_etc_filetrans_aliases($1, "access.db")
mta_etc_filetrans_aliases($1, "domaintable.db")
filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "virtusertable.db")
filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "access.db")
filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "domaintable.db")
filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "mailertable.db")
filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliasesdb-stamp")
mta_filetrans_home_content($1)
mta_filetrans_admin_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_named_content'($*)) dnl
')
## Munin network-wide load graphing (formerly LRRD)
########################################
##
## Create a set of derived types for various
## munin plugins,
##
##
##
## The name to be used for deriving type names.
##
##
#
define(`munin_plugin_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_plugin_template'($*)) dnl
gen_require(`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t;
')
type $1_munin_plugin_t, munin_plugin_domain;
type $1_munin_plugin_exec_t;
typealias $1_munin_plugin_t alias munin_$1_plugin_t;
typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
role system_r types $1_munin_plugin_t;
type $1_munin_plugin_tmp_t, munin_plugin_tmp_content;
typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
files_tmp_file($1_munin_plugin_tmp_t)
########################################
#
# Policy
#
# automatic transition rules from munin domain
# to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
kernel_read_system_state($1_munin_plugin_t)
corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
corenet_all_recvfrom_netlabel($1_munin_plugin_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_plugin_template'($*)) dnl
')
########################################
##
## Connect to munin over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_stream_connect'($*)) dnl
gen_require(`
type munin_var_run_t, munin_t;
')
files_search_pids($1)
stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_stream_connect'($*)) dnl
')
#######################################
##
## Read munin configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`munin_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_read_config'($*)) dnl
gen_require(`
type munin_etc_t;
')
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_read_config'($*)) dnl
')
#######################################
##
## Read munin library files.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_read_var_lib_files'($*)) dnl
gen_require(`
type munin_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_read_var_lib_files'($*)) dnl
')
#######################################
##
## Manage munin library files.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_manage_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_manage_var_lib_files'($*)) dnl
gen_require(`
type munin_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
manage_dirs_pattern($1, munin_var_lib_t, munin_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_manage_var_lib_files'($*)) dnl
')
#######################################
##
## Append munin library files.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_append_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_append_var_lib_files'($*)) dnl
gen_require(`
type munin_var_lib_t;
')
files_search_var_lib($1)
append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_append_var_lib_files'($*)) dnl
')
######################################
##
## dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`munin_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_dontaudit_leaks'($*)) dnl
gen_require(`
type munin_t;
')
dontaudit $1 munin_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_dontaudit_leaks'($*)) dnl
')
#######################################
##
## Append to the munin log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`munin_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_append_log'($*)) dnl
gen_require(`
type munin_log_t;
')
logging_search_logs($1)
allow $1 munin_log_t:dir list_dir_perms;
append_files_pattern($1, munin_log_t, munin_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_append_log'($*)) dnl
')
#######################################
##
## Search munin library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`munin_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_search_lib'($*)) dnl
gen_require(`
type munin_var_lib_t;
')
allow $1 munin_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_search_lib'($*)) dnl
')
#######################################
##
## Do not audit attempts to search
## munin library directories.
##
##
##
## Domain to not audit.
##
##
#
define(`munin_dontaudit_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_dontaudit_search_lib'($*)) dnl
gen_require(`
type munin_var_lib_t;
')
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_dontaudit_search_lib'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an munin environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the munin domain.
##
##
##
#
define(`munin_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_admin'($*)) dnl
gen_require(`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t, munin_etc_t, munin_tmp_t;
type munin_log_t, munin_var_lib_t, munin_var_run_t;
type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
allow $1 munin_t:process signal_perms;
ps_process_pattern($1, munin_t)
tunable_policy(`deny_ptrace',`',`
allow $1 munin_t:process ptrace;
')
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 munin_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
logging_list_logs($1)
admin_pattern($1, munin_log_t)
files_list_etc($1)
admin_pattern($1, munin_etc_t)
files_list_var_lib($1)
admin_pattern($1, { munin_var_lib_t munin_plugin_state_t })
files_list_pids($1)
admin_pattern($1, munin_var_run_t)
admin_pattern($1, munin_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_admin'($*)) dnl
')
## Policy for MySQL
######################################
##
## Execute MySQL in the mysql domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mysql_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_domtrans'($*)) dnl
gen_require(`
type mysqld_t, mysqld_exec_t;
')
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_domtrans'($*)) dnl
')
######################################
##
## Execute MySQL in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_exec'($*)) dnl
gen_require(`
type mysqld_exec_t;
')
can_exec($1, mysqld_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_exec'($*)) dnl
')
########################################
##
## Send a generic signal to MySQL.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_signal'($*)) dnl
gen_require(`
type mysqld_t;
')
allow $1 mysqld_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_signal'($*)) dnl
')
#######################################
##
## Send a null signal to mysql.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_signull'($*)) dnl
gen_require(`
type mysqld_t;
')
allow $1 mysqld_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_signull'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to postgresql with a tcp socket.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_tcp_connect'($*)) dnl
gen_require(`
type mysqld_t;
')
corenet_tcp_recvfrom_labeled($1, mysqld_t)
corenet_tcp_sendrecv_mysqld_port($1)
corenet_tcp_connect_mysqld_port($1)
corenet_sendrecv_mysqld_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_tcp_connect'($*)) dnl
')
########################################
##
## Connect to MySQL using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mysql_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_stream_connect'($*)) dnl
gen_require(`
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
files_search_pids($1)
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_stream_connect'($*)) dnl
')
########################################
##
## Read MySQL configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mysql_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_config'($*)) dnl
gen_require(`
type mysqld_etc_t;
')
allow $1 mysqld_etc_t:dir list_dir_perms;
allow $1 mysqld_etc_t:file read_file_perms;
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_config'($*)) dnl
')
########################################
##
## Search the directories that contain MySQL
## database storage.
##
##
##
## Domain allowed access.
##
##
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
define(`mysql_search_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_search_db'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_search_db'($*)) dnl
')
########################################
##
## List the directories that contain MySQL
## database storage.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_list_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_list_db'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_list_db'($*)) dnl
')
########################################
##
## Read and write to the MySQL database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_rw_db_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_dirs'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete MySQL database directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_manage_db_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_manage_db_dirs'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_manage_db_dirs'($*)) dnl
')
#######################################
##
## Append to the MySQL database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_append_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_append_db_files'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
append_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_append_db_files'($*)) dnl
')
#######################################
##
## Read and write to the MySQL database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_read_db_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_db_lnk_files'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_db_lnk_files'($*)) dnl
')
#######################################
##
## Read and write to the MySQL database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_rw_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_files'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete MySQL database files.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_manage_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_manage_db_files'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_manage_db_files'($*)) dnl
')
########################################
##
## Read and write to the MySQL database
## named socket.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_rw_db_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_sockets'($*)) dnl
gen_require(`
type mysqld_db_t;
')
files_search_var_lib($1)
allow $1 mysqld_db_t:dir search_dir_perms;
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_sockets'($*)) dnl
')
########################################
##
## Allow the specified domain to append to MySQL log files.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_append_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
logging_search_logs($1)
allow $1 mysqld_log_t:dir list_dir_perms;
append_files_pattern($1, mysqld_log_t, mysqld_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_append_log'($*)) dnl
')
########################################
##
## Do not audit attempts to append to the MySQL logs.
##
##
##
## Domain to not audit.
##
##
#
define(`mysql_dontaudit_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_append_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
dontaudit $1 mysqld_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_append_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read MySQL log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mysql_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
logging_search_logs($1)
allow $1 mysqld_log_t:dir list_dir_perms;
read_files_pattern($1, mysqld_log_t, mysqld_log_t)
read_lnk_files_pattern($1, mysqld_log_t, mysqld_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_log'($*)) dnl
')
########################################
##
## dontaudit attempts to read MySQL log files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`mysql_dontaudit_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_read_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
dontaudit $1 mysqld_log_t:file read_file_perms;
dontaudit $1 mysqld_log_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_read_log'($*)) dnl
')
########################################
##
## Write to the MySQL log.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_write_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
logging_search_logs($1)
allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_write_log'($*)) dnl
')
########################################
##
## dontaudit attempts to write to the MySQL log files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`mysql_dontaudit_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_write_log'($*)) dnl
gen_require(`
type mysqld_log_t;
')
dontaudit $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_write_log'($*)) dnl
')
########################################
##
## dontaudit attempts to read/write to the MySQL db files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`mysql_dontaudit_rw_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_rw_db'($*)) dnl
gen_require(`
type mysqld_db_t;
')
dontaudit $1 mysqld_db_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_rw_db'($*)) dnl
')
######################################
##
## Execute MySQL safe script in the mysql safe domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mysql_domtrans_mysql_safe',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_domtrans_mysql_safe'($*)) dnl
gen_require(`
type mysqld_safe_t, mysqld_safe_exec_t;
')
domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_domtrans_mysql_safe'($*)) dnl
')
######################################
##
## Execute MySQL_safe in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_safe_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_safe_exec'($*)) dnl
gen_require(`
type mysqld_safe_exec_t;
')
can_exec($1, mysqld_safe_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_safe_exec'($*)) dnl
')
#####################################
##
## Read MySQL PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_pid_files'($*)) dnl
gen_require(`
type mysqld_var_run_t;
')
mysql_search_pid_files($1)
read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_pid_files'($*)) dnl
')
#####################################
##
## Search MySQL PID files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mysql_search_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_search_pid_files'($*)) dnl
gen_require(`
type mysqld_var_run_t;
')
search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_search_pid_files'($*)) dnl
')
########################################
##
## Execute mysqld server in the mysqld domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mysql_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_systemctl'($*)) dnl
gen_require(`
type mysqld_unit_file_t;
type mysqld_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 mysqld_unit_file_t:file read_file_perms;
allow $1 mysqld_unit_file_t:service manage_service_perms;
ps_process_pattern($1, mysqld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_systemctl'($*)) dnl
')
########################################
##
## read mysqld homedir content (.k5login)
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_home_content'($*)) dnl
gen_require(`
type mysqld_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, mysqld_home_t, mysqld_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_home_content'($*)) dnl
')
########################################
##
## Transition to mysqld named content
##
##
##
## Domain allowed access.
##
##
#
define(`mysql_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_filetrans_named_content'($*)) dnl
gen_require(`
type mysqld_home_t;
type mysqld_var_run_t;
')
userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
files_pid_filetrans($1, mysqld_var_run_t, {dir}, "mysqld")
files_pid_filetrans($1, mysqld_var_run_t, {dir}, "mysql")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate an mysql environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the mysql domain.
##
##
##
#
define(`mysql_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_admin'($*)) dnl
gen_require(`
type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
type mysqld_etc_t;
type mysqld_home_t;
type mysqld_unit_file_t;
')
allow $1 mysqld_t:process signal_perms;
ps_process_pattern($1, mysqld_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mysqld_t:process ptrace;
')
init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, mysqld_var_run_t)
admin_pattern($1, mysqld_db_t)
files_list_etc($1)
admin_pattern($1, mysqld_etc_t)
logging_list_logs($1)
admin_pattern($1, mysqld_log_t)
files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
userdom_search_user_home_dirs($1)
files_list_root($1)
admin_pattern($1, mysqld_home_t)
mysql_systemctl($1)
admin_pattern($1, mysqld_unit_file_t)
allow $1 mysqld_unit_file_t:service all_service_perms;
mysql_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_admin'($*)) dnl
')
## policy for mythtv_script
########################################
##
## Execute TEMPLATE in the mythtv_script domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mythtv_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_script_domtrans'($*)) dnl
gen_require(`
type mythtv_script_t, mythtv_script_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_script_domtrans'($*)) dnl
')
#######################################
##
## read mythtv libs.
##
##
##
## Domain allowed access.
##
##
#
define(`mythtv_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_read_lib'($*)) dnl
gen_require(`
type mythtv_var_lib_t;
')
read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
files_list_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_read_lib'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## mythtv lib content.
##
##
##
## Domain allowed access.
##
##
#
define(`mythtv_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_manage_lib'($*)) dnl
gen_require(`
type mythtv_var_lib_t;
')
manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
files_list_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_manage_lib'($*)) dnl
')
#######################################
##
## read mythtv logs.
##
##
##
## Domain allowed access.
##
##
#
define(`mythtv_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_read_log'($*)) dnl
gen_require(`
type mythtv_var_log_t;
')
read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_read_log'($*)) dnl
')
#######################################
##
## Append mythtv log files.
##
##
##
## Domain allowed access.
##
##
#
define(`mythtv_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_append_log'($*)) dnl
gen_require(`
type mythtv_var_log_t;
')
append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_append_log'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## mythtv log content.
##
##
##
## Domain allowed access.
##
##
#
define(`mythtv_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_manage_log'($*)) dnl
gen_require(`
type mythtv_var_log_t;
')
manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_manage_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an mythtv environment.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mythtv_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_admin'($*)) dnl
gen_require(`
type mythtv_script_t, mythtv_var_lib_t;
type mythtv_var_log_t;
')
allow $1 mythtv_script_t:process signal_perms;
ps_process_pattern($1, mythtv_script_t)
tunable_policy(`deny_ptrace',`',`
allow $1 mythtv_script_t:process ptrace;
')
logging_list_logs($1)
admin_pattern($1, mythtv_var_log_t)
files_list_var_lib($1)
admin_pattern($1, mythtv_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_admin'($*)) dnl
')
## New monitoring suite that aims to be faster and more stable, while giving you a clearer view of the state of your network.
########################################
##
## Execute naemon in the naemon domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`naemon_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_domtrans'($*)) dnl
gen_require(`
type naemon_t, naemon_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, naemon_exec_t, naemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_domtrans'($*)) dnl
')
########################################
##
## Execute naemon server in the naemon domain.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_initrc_domtrans'($*)) dnl
gen_require(`
type naemon_initrc_exec_t;
')
init_labeled_script_domtrans($1, naemon_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_initrc_domtrans'($*)) dnl
')
########################################
##
## Search naemon cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_search_cache'($*)) dnl
gen_require(`
type naemon_cache_t;
')
allow $1 naemon_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_search_cache'($*)) dnl
')
########################################
##
## Read naemon cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_read_cache_files'($*)) dnl
gen_require(`
type naemon_cache_t;
')
files_search_var($1)
read_files_pattern($1, naemon_cache_t, naemon_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## naemon cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_manage_cache_files'($*)) dnl
gen_require(`
type naemon_cache_t;
')
files_search_var($1)
manage_files_pattern($1, naemon_cache_t, naemon_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_manage_cache_files'($*)) dnl
')
########################################
##
## Manage naemon cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_manage_cache_dirs'($*)) dnl
gen_require(`
type naemon_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, naemon_cache_t, naemon_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_manage_cache_dirs'($*)) dnl
')
########################################
##
## Read naemon's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`naemon_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_read_log'($*)) dnl
gen_require(`
type naemon_log_t;
')
logging_search_logs($1)
read_files_pattern($1, naemon_log_t, naemon_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_read_log'($*)) dnl
')
########################################
##
## Append to naemon log files.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_append_log'($*)) dnl
gen_require(`
type naemon_log_t;
')
logging_search_logs($1)
append_files_pattern($1, naemon_log_t, naemon_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_append_log'($*)) dnl
')
########################################
##
## Manage naemon log files
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_manage_log'($*)) dnl
gen_require(`
type naemon_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, naemon_log_t, naemon_log_t)
manage_files_pattern($1, naemon_log_t, naemon_log_t)
manage_lnk_files_pattern($1, naemon_log_t, naemon_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_manage_log'($*)) dnl
')
########################################
##
## Search naemon lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_search_lib'($*)) dnl
gen_require(`
type naemon_var_lib_t;
')
allow $1 naemon_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_search_lib'($*)) dnl
')
########################################
##
## Read naemon lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_read_lib_files'($*)) dnl
gen_require(`
type naemon_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_read_lib_files'($*)) dnl
')
########################################
##
## Manage naemon lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_manage_lib_files'($*)) dnl
gen_require(`
type naemon_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_manage_lib_files'($*)) dnl
')
########################################
##
## Manage naemon lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`naemon_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_manage_lib_dirs'($*)) dnl
gen_require(`
type naemon_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, naemon_var_lib_t, naemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an naemon environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`naemon_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_admin'($*)) dnl
gen_require(`
type naemon_t;
type naemon_initrc_exec_t;
type naemon_cache_t;
type naemon_log_t;
type naemon_var_lib_t;
')
allow $1 naemon_t:process { signal_perms };
ps_process_pattern($1, naemon_t)
tunable_policy(`deny_ptrace',`',`
allow $1 naemon_t:process ptrace;
')
naemon_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 naemon_initrc_exec_t system_r;
allow $2 system_r;
files_search_var($1)
admin_pattern($1, naemon_cache_t)
logging_search_logs($1)
admin_pattern($1, naemon_log_t)
files_search_var_lib($1)
admin_pattern($1, naemon_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_admin'($*)) dnl
')
## Net Saint / NAGIOS - network monitoring server
########################################
##
## Create a set of derived types for various
## nagios plugins,
##
##
##
## The name to be used for deriving type names.
##
##
#
define(`nagios_plugin_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_plugin_template'($*)) dnl
gen_require(`
attribute nagios_plugin_domain;
type nagios_t, nrpe_t;
')
type nagios_$1_plugin_t, nagios_plugin_domain;
type nagios_$1_plugin_exec_t;
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
role system_r types nagios_$1_plugin_t;
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
kernel_read_system_state(nagios_$1_plugin_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_plugin_template'($*)) dnl
')
########################################
##
## Execute the nagios unconfined plugins with
## a domain transition.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_domtrans_unconfined_plugins',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_domtrans_unconfined_plugins'($*)) dnl
gen_require(`
type nagios_unconfined_plugin_t;
type nagios_unconfined_plugin_exec_t;
')
domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_domtrans_unconfined_plugins'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write nagios
## unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`nagios_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type nagios_t;
')
dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## nagios configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`nagios_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_config'($*)) dnl
gen_require(`
type nagios_etc_t;
')
allow $1 nagios_etc_t:dir list_dir_perms;
allow $1 nagios_etc_t:file read_file_perms;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_config'($*)) dnl
')
######################################
##
## Read nagios lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_lib'($*)) dnl
gen_require(`
type nagios_var_lib_t;
')
files_search_var($1)
list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_lib'($*)) dnl
')
######################################
##
## Read nagios logs.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_log'($*)) dnl
gen_require(`
type nagios_log_t;
')
logging_search_logs($1)
read_files_pattern($1, nagios_log_t, nagios_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_log'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write nagios logs.
##
##
##
## Domain to not audit.
##
##
#
define(`nagios_dontaudit_rw_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_log'($*)) dnl
gen_require(`
type nagios_log_t;
')
dontaudit $1 nagios_log_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_log'($*)) dnl
')
########################################
##
## Search nagios spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_search_spool'($*)) dnl
gen_require(`
type nagios_spool_t;
')
allow $1 nagios_spool_t:dir search_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_search_spool'($*)) dnl
')
########################################
##
## Append nagios spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_append_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_append_spool'($*)) dnl
gen_require(`
type nagios_spool_t;
')
allow $1 nagios_spool_t:file append_file_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_append_spool'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## nagios temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_tmp_files'($*)) dnl
gen_require(`
type nagios_tmp_t;
')
allow $1 nagios_tmp_t:file read_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_tmp_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## nagios temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_rw_inerited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_rw_inerited_tmp_files'($*)) dnl
gen_require(`
type nagios_tmp_t;
')
allow $1 nagios_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_rw_inerited_tmp_files'($*)) dnl
')
########################################
##
## Execute the nagios NRPE with
## a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nagios_domtrans_nrpe',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_domtrans_nrpe'($*)) dnl
gen_require(`
type nrpe_t, nrpe_exec_t;
')
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_domtrans_nrpe'($*)) dnl
')
######################################
##
## Do not audit attempts to write nrpe daemon unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_dontaudit_write_pipes_nrpe',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_write_pipes_nrpe'($*)) dnl
gen_require(`
type nrpe_t;
')
dontaudit $1 nrpe_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_dontaudit_write_pipes_nrpe'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an nagios environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the nagios domain.
##
##
##
#
define(`nagios_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_admin'($*)) dnl
gen_require(`
type nagios_t, nrpe_t, nagios_initrc_exec_t;
type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
allow $1 nagios_t:process signal_perms;
ps_process_pattern($1, nagios_t)
tunable_policy(`deny_ptrace',`',`
allow $1 nagios_t:process ptrace;
')
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nagios_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, nagios_tmp_t)
logging_list_logs($1)
admin_pattern($1, nagios_log_t)
files_list_etc($1)
admin_pattern($1, nagios_etc_t)
files_list_spool($1)
admin_pattern($1, nagios_spool_t)
files_list_pids($1)
admin_pattern($1, nagios_var_run_t)
admin_pattern($1, nrpe_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_admin'($*)) dnl
')
########################################
##
## Send a null signal to nagios_unconfined_plugin.
##
##
##
## Domain allowed access.
##
##
#
define(`nagios_unconfined_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_unconfined_signull'($*)) dnl
gen_require(`
type nagios_unconfined_plugin_t;
')
allow $1 nagios_unconfined_plugin_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_unconfined_signull'($*)) dnl
')
## policy for namespace
########################################
##
## Execute a domain transition to run namespace_init.
##
##
##
## Domain allowed access.
##
##
#
define(`namespace_init_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `namespace_init_domtrans'($*)) dnl
gen_require(`
type namespace_init_t, namespace_init_exec_t;
')
domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `namespace_init_domtrans'($*)) dnl
')
########################################
##
## Execute namespace_init in the namespace_init domain, and
## allow the specified role the namespace_init domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the namespace_init domain.
##
##
#
define(`namespace_init_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `namespace_init_run'($*)) dnl
gen_require(`
type namespace_init_t;
')
namespace_init_domtrans($1)
role $2 types namespace_init_t;
seutil_run_setfiles(namespace_init_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `namespace_init_run'($*)) dnl
')
## Cross-platform network configuration library.
########################################
##
## Execute a domain transition to run ncftool.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ncftool_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ncftool_domtrans'($*)) dnl
gen_require(`
type ncftool_t, ncftool_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ncftool_exec_t, ncftool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ncftool_domtrans'($*)) dnl
')
########################################
##
## Execute ncftool in the ncftool
## domain, and allow the specified
## role the ncftool domain.
##
##
##
## Domain allowed access
##
##
##
##
## Role allowed access.
##
##
#
define(`ncftool_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ncftool_run'($*)) dnl
gen_require(`
type ncftool_t;
attribute_role ncftool_roles;
')
ncftool_domtrans($1)
roleattribute $2 ncftool_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ncftool_run'($*)) dnl
')
## Network scanning daemon.
########################################
##
## Connect to nessus over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nessus_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nessus_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nessus_tcp_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an nessus environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`nessus_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nessus_admin'($*)) dnl
gen_require(`
type nessusd_t, nessusd_db_t, nessusd_initrc_exec_t;
type nessusd_etc_t, nessusd_log_t, nessusd_var_run_t;
')
allow $1 nessusd_t:process { ptrace signal_perms };
ps_process_pattern($1, nessusd_t)
init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nessusd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, nessusd_log_t)
files_search_etc($1)
admin_pattern($1, nessusd_etc_t)
files_search_pids($1)
admin_pattern($1, nessusd_var_run_t)
files_search_var_lib($1)
admin_pattern($1, nessusd_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nessus_admin'($*)) dnl
')
## Manager for dynamically switching between networks.
########################################
##
## Read and write NetworkManager UDP sockets.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_udp_sockets'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_udp_sockets'($*)) dnl
')
########################################
##
## Read and write NetworkManager packet sockets.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_packet_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_packet_sockets'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:packet_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_packet_sockets'($*)) dnl
')
#######################################
##
## Allow caller to relabel tun_socket
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_attach_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_attach_tun_iface'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_attach_tun_iface'($*)) dnl
')
########################################
##
## Read and write NetworkManager netlink
## routing sockets.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_routing_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_routing_sockets'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:netlink_route_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_routing_sockets'($*)) dnl
')
########################################
##
## Read networkmanager unnamed pipes
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_read_pipes'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_read_pipes'($*)) dnl
')
########################################
##
## Execute NetworkManager with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`networkmanager_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_domtrans'($*)) dnl
gen_require(`
type NetworkManager_t, NetworkManager_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_domtrans'($*)) dnl
')
#######################################
##
## Execute NetworkManager scripts with an automatic domain transition to initrc.
##
##
##
## Domain allowed to transition.
##
##
#
define(`networkmanager_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_initrc_domtrans'($*)) dnl
gen_require(`
type NetworkManager_initrc_exec_t;
')
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute NetworkManager server in the NetworkManager domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`networkmanager_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_systemctl'($*)) dnl
gen_require(`
type NetworkManager_unit_file_t;
type NetworkManager_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 NetworkManager_unit_file_t:file read_file_perms;
allow $1 NetworkManager_unit_file_t:service manage_service_perms;
ps_process_pattern($1, NetworkManager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_systemctl'($*)) dnl
')
########################################
##
## Send and receive messages from
## NetworkManager over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_dbus_chat'($*)) dnl
gen_require(`
type NetworkManager_t;
class dbus send_msg;
')
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_dbus_chat'($*)) dnl
')
#######################################
##
## Read metworkmanager process state files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_read_state'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:dir search_dir_perms;
allow $1 NetworkManager_t:file read_file_perms;
allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_read_state'($*)) dnl
')
########################################
##
## Do not audit attempts to send and
## receive messages from NetworkManager
## over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`networkmanager_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type NetworkManager_t;
class dbus send_msg;
')
dontaudit $1 NetworkManager_t:dbus send_msg;
dontaudit NetworkManager_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Send a generic signal to NetworkManager
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_signal'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_signal'($*)) dnl
')
########################################
##
## Create, read, and write
## networkmanager library files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_manage_lib_files'($*)) dnl
gen_require(`
type NetworkManager_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
allow $1 NetworkManager_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_manage_lib_files'($*)) dnl
')
########################################
##
## Read networkmanager lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_read_lib_files'($*)) dnl
gen_require(`
type NetworkManager_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
allow $1 NetworkManager_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_read_lib_files'($*)) dnl
')
#######################################
##
## Read NetworkManager conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_read_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_read_conf'($*)) dnl
gen_require(`
type NetworkManager_etc_t;
type NetworkManager_etc_rw_t;
')
allow $1 NetworkManager_etc_t:dir list_dir_perms;
read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_read_conf'($*)) dnl
')
########################################
##
## Read NetworkManager PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_read_pid_files'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_read_pid_files'($*)) dnl
')
########################################
##
## Manage NetworkManager PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_manage_pid_files'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_manage_pid_files'($*)) dnl
')
########################################
##
## Manage NetworkManager PID sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_manage_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_manage_pid_sock_files'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_manage_pid_sock_files'($*)) dnl
')
########################################
##
## Watch NetworkManager PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_watch_pid_dirs'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
watch_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_watch_pid_dirs'($*)) dnl
')
########################################
##
## Create objects in /etc with a private
## type using a type_transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Object classes to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`networkmanager_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_pid_filetrans'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_pid_filetrans'($*)) dnl
')
####################################
##
## Connect to networkmanager over
## a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_stream_connect'($*)) dnl
gen_require(`
type NetworkManager_t, NetworkManager_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_stream_connect'($*)) dnl
')
########################################
##
## Delete NetworkManager PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_delete_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_delete_pid_files'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_delete_pid_files'($*)) dnl
')
########################################
##
## Execute NetworkManager in the NetworkManager domain, and
## allow the specified role the NetworkManager domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`networkmanager_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_run'($*)) dnl
gen_require(`
type NetworkManager_t, NetworkManager_exec_t;
')
networkmanager_domtrans($1)
role $2 types NetworkManager_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_run'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## to Network Manager log files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_append_log'($*)) dnl
gen_require(`
type NetworkManager_log_t;
')
logging_search_logs($1)
allow $1 NetworkManager_log_t:dir list_dir_perms;
append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
allow $1 NetworkManager_log_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_append_log'($*)) dnl
')
#######################################
##
## Allow the specified domain to manage
## to Network Manager lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_manage_lib'($*)) dnl
gen_require(`
type NetworkManager_var_lib_t;
')
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
allow $1 NetworkManager_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_manage_lib'($*)) dnl
')
#######################################
##
## Read the process state (/proc/pid) of NetworkManager.
##
##
##
## Domain allowed access.
##
##
#
define(`NetworkManager_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `NetworkManager_read_state'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:dir search_dir_perms;
allow $1 NetworkManager_t:file read_file_perms;
allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `NetworkManager_read_state'($*)) dnl
')
#######################################
##
## Send to NetworkManager with a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_dgram_send'($*)) dnl
gen_require(`
type NetworkManager_t, NetworkManager_var_run_t;
')
files_search_pids($1)
dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_dgram_send'($*)) dnl
')
########################################
##
## Send sigchld to networkmanager.
##
##
##
## Domain allowed access.
##
##
#
#
define(`networkmanager_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_sigchld'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_sigchld'($*)) dnl
')
########################################
##
## Send signull to networkmanager.
##
##
##
## Domain allowed access.
##
##
#
#
define(`networkmanager_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_signull'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_signull'($*)) dnl
')
########################################
##
## Send sigkill to networkmanager.
##
##
##
## Domain allowed access.
##
##
#
#
define(`networkmanager_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_sigkill'($*)) dnl
gen_require(`
type NetworkManager_t;
')
allow $1 NetworkManager_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_sigkill'($*)) dnl
')
########################################
##
## Transition to networkmanager named content
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_filetrans_named_content'($*)) dnl
gen_require(`
type NetworkManager_var_run_t;
type NetworkManager_var_lib_t;
')
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth8.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd")
files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_filetrans_named_content'($*)) dnl
')
## Respond to IPv6 Node Information Queries
########################################
##
## Execute ninfod in the ninfod domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ninfod_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ninfod_domtrans'($*)) dnl
gen_require(`
type ninfod_t, ninfod_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ninfod_exec_t, ninfod_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ninfod_domtrans'($*)) dnl
')
########################################
##
## Execute ninfod server in the ninfod domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ninfod_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ninfod_systemctl'($*)) dnl
gen_require(`
type ninfod_t;
type ninfod_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 ninfod_unit_file_t:file read_file_perms;
allow $1 ninfod_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ninfod_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ninfod_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ninfod environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`ninfod_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ninfod_admin'($*)) dnl
gen_require(`
type ninfod_t;
type ninfod_unit_file_t;
')
allow $1 ninfod_t:process { signal_perms };
ps_process_pattern($1, ninfod_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ninfod_t:process ptrace;
')
ninfod_systemctl($1)
admin_pattern($1, ninfod_unit_file_t)
allow $1 ninfod_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ninfod_admin'($*)) dnl
')
## Policy for NIS (YP) servers and clients
########################################
##
## Use the ypbind service to access NIS services
## unconditionally.
##
##
##
## Use the ypbind service to access NIS services
## unconditionally.
##
##
## This interface was added because of apache and
## spamassassin, to fix a nested conditionals problem.
## When that support is added, this should be removed,
## and the regular interface should be used.
##
##
##
##
## Domain allowed access.
##
##
#
define(`nis_use_ypbind_uncond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_use_ypbind_uncond'($*)) dnl
gen_require(`
type var_yp_t;
')
dontaudit $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 var_yp_t:dir list_dir_perms;
allow $1 var_yp_t:lnk_file read_lnk_file_perms;
allow $1 var_yp_t:file read_file_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_bind_generic_node($1)
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
sysnet_read_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_use_ypbind_uncond'($*)) dnl
')
########################################
##
## Use the ypbind service to access NIS services.
##
##
##
## Allow the specified domain to use the ypbind service
## to access Network Information Service (NIS) services.
## Information that can be retreived from NIS includes
## usernames, passwords, home directories, and groups.
## If the network is configured to have a single sign-on
## using NIS, it is likely that any program that does
## authentication will need this access.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`nis_use_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_use_ypbind'($*)) dnl
tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_use_ypbind'($*)) dnl
')
########################################
##
## Use the nis to authenticate passwords
##
##
##
## Domain allowed access.
##
##
##
#
define(`nis_authenticate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_authenticate'($*)) dnl
tunable_policy(`nis_enabled',`
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_authenticate'($*)) dnl
')
########################################
##
## Execute ypbind in the ypbind domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nis_domtrans_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypbind'($*)) dnl
gen_require(`
type ypbind_t, ypbind_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ypbind_exec_t, ypbind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_domtrans_ypbind'($*)) dnl
')
#######################################
##
## Execute ypbind in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nis_exec_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_exec_ypbind'($*)) dnl
gen_require(`
type ypbind_t, ypbind_exec_t;
')
can_exec($1, ypbind_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_exec_ypbind'($*)) dnl
')
########################################
##
## Execute ypbind in the ypbind domain, and
## allow the specified role the ypbind domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`nis_run_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_run_ypbind'($*)) dnl
gen_require(`
type ypbind_t;
')
nis_domtrans_ypbind($1)
role $2 types ypbind_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_run_ypbind'($*)) dnl
')
########################################
##
## Send generic signals to ypbind.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_signal_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_signal_ypbind'($*)) dnl
gen_require(`
type ypbind_t;
')
allow $1 ypbind_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_signal_ypbind'($*)) dnl
')
########################################
##
## List the contents of the NIS data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_list_var_yp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_list_var_yp'($*)) dnl
gen_require(`
type var_yp_t;
')
files_search_var($1)
allow $1 var_yp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_list_var_yp'($*)) dnl
')
########################################
##
## Send UDP network traffic to NIS clients. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nis_udp_send_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_udp_send_ypbind'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_udp_send_ypbind'($*)) dnl
')
########################################
##
## Connect to ypbind over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nis_tcp_connect_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_tcp_connect_ypbind'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_tcp_connect_ypbind'($*)) dnl
')
########################################
##
## Read ypbind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_read_ypbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_read_ypbind_pid'($*)) dnl
gen_require(`
type ypbind_var_run_t;
')
files_search_pids($1)
allow $1 ypbind_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_read_ypbind_pid'($*)) dnl
')
########################################
##
## Delete ypbind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_delete_ypbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_delete_ypbind_pid'($*)) dnl
gen_require(`
type ypbind_t;
')
# TODO: add delete pid from dir call to files
allow $1 ypbind_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_delete_ypbind_pid'($*)) dnl
')
########################################
##
## Read ypserv configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_read_ypserv_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_read_ypserv_config'($*)) dnl
gen_require(`
type ypserv_conf_t;
')
files_search_etc($1)
allow $1 ypserv_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_read_ypserv_config'($*)) dnl
')
########################################
##
## Execute ypxfr in the ypxfr domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nis_domtrans_ypxfr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypxfr'($*)) dnl
gen_require(`
type ypxfr_t, ypxfr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ypxfr_exec_t, ypxfr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_domtrans_ypxfr'($*)) dnl
')
########################################
##
## Execute nis server in the nis domain.
##
##
##
## Domain allowed to transition.
##
##
#
#
define(`nis_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_initrc_domtrans'($*)) dnl
gen_require(`
type nis_initrc_exec_t;
')
init_labeled_script_domtrans($1, nis_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute nis server in the nis domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nis_initrc_domtrans_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_initrc_domtrans_ypbind'($*)) dnl
gen_require(`
type ypbind_initrc_exec_t;
')
init_labeled_script_domtrans($1, ypbind_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_initrc_domtrans_ypbind'($*)) dnl
')
########################################
##
## Execute ypbind server in the ypbind domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nis_systemctl_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_systemctl_ypbind'($*)) dnl
gen_require(`
type ypbind_unit_file_t;
type ypbind_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 ypbind_unit_file_t:file read_file_perms;
allow $1 ypbind_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ypbind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_systemctl_ypbind'($*)) dnl
')
########################################
##
## Execute ypbind server in the ypbind domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nis_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_systemctl'($*)) dnl
gen_require(`
type nis_unit_file_t, ypbind_unit_file_t;
type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 nis_unit_file_t:file read_file_perms;
allow $1 nis_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ypbind_t)
ps_process_pattern($1, yppasswdd_t)
ps_process_pattern($1, ypserv_t)
ps_process_pattern($1, ypxfr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an nis environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`nis_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_admin'($*)) dnl
gen_require(`
type ypbind_t, yppasswdd_t, ypserv_t;
type ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
type ypserv_tmp_t;
type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
type nis_unit_file_t;
type ypbind_unit_file_t;
')
allow $1 ypbind_t:process signal_perms;
ps_process_pattern($1, ypbind_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ypbind_t:process ptrace;
allow $1 yppasswdd_t:process ptrace;
allow $1 ypserv_t:process ptrace;
allow $1 ypxfr_t:process ptrace;
')
allow $1 yppasswdd_t:process signal_perms;
ps_process_pattern($1, yppasswdd_t)
allow $1 ypserv_t:process signal_perms;
ps_process_pattern($1, ypserv_t)
allow $1 ypxfr_t:process signal_perms;
ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
nis_initrc_domtrans_ypbind($1)
domain_system_change_exemption($1)
role_transition $2 nis_initrc_exec_t system_r;
role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
nis_systemctl_ypbind($1)
admin_pattern($1, ypbind_unit_file_t)
allow $1 ypbind_unit_file_t:service all_service_perms;
admin_pattern($1, yppasswdd_var_run_t)
files_list_etc($1)
admin_pattern($1, ypserv_conf_t)
admin_pattern($1, ypserv_var_run_t)
admin_pattern($1, ypserv_tmp_t)
nis_systemctl($1)
admin_pattern($1, nis_unit_file_t)
allow $1 nis_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_admin'($*)) dnl
')
## openstack-nova
######################################
##
## Manage nova lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`nova_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nova_manage_lib_files'($*)) dnl
gen_require(`
type nova_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nova_manage_lib_files'($*)) dnl
')
#######################################
##
## Creates types and rules for a basic
## openstack-nova systemd daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`nova_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nova_domain_template'($*)) dnl
gen_require(`
type nova_t;
type nova_exec_t;
type nova_unit_file_t;
type nova_tmp_t;
')
typealias nova_t alias nova_$1_t;
typealias nova_exec_t alias nova_$1_exec_t;
typealias nova_unit_file_t alias nova_$1_unit_file_t;
typealias nova_tmp_t alias nova_$1_tmp_t;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nova_domain_template'($*)) dnl
')
## Name service cache daemon
########################################
##
## Send generic signals to NSCD.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_signal'($*)) dnl
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_signal'($*)) dnl
')
########################################
##
## Send NSCD the kill signal.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_kill'($*)) dnl
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_kill'($*)) dnl
')
########################################
##
## Send signulls to NSCD.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_signull'($*)) dnl
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_signull'($*)) dnl
')
########################################
##
## Execute NSCD in the nscd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nscd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_domtrans'($*)) dnl
gen_require(`
type nscd_t, nscd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, nscd_exec_t, nscd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to execute nscd
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_exec'($*)) dnl
gen_require(`
type nscd_exec_t;
')
can_exec($1, nscd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_exec'($*)) dnl
')
########################################
##
## Use NSCD services by connecting using
## a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_socket_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_socket_use'($*)) dnl
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
allow $1 nscd_t:unix_stream_socket { connectto create_socket_perms };
dontaudit $1 nscd_var_run_t:file read_file_perms;
allow $1 nscd_var_run_t:file map;
ps_process_pattern(nscd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_socket_use'($*)) dnl
')
########################################
##
## Use nscd services
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_use'($*)) dnl
nscd_socket_use($1)
tunable_policy(`nscd_use_shm',`
nscd_shm_use($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_use'($*)) dnl
')
########################################
##
## Do not audit attempts to write nscd sock files
##
##
##
## Domain to not audit.
##
##
#
define(`nscd_dontaudit_write_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_write_sock_file'($*)) dnl
gen_require(`
type nscd_t, nscd_var_run_t;
')
dontaudit $1 nscd_t:sock_file write;
dontaudit $1 nscd_var_run_t:sock_file write;
dontaudit $1 nscd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_write_sock_file'($*)) dnl
')
########################################
##
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_shm_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_shm_use'($*)) dnl
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp };
')
allow $1 nscd_var_run_t:dir list_dir_perms;
allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp};
# Receive fd from nscd and map the backing file with read access.
allow $1 nscd_t:fd use;
# cjp: these were originally inherited from the
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
# dg: This may not be required.
allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
files_search_pids($1)
allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp };
dontaudit $1 nscd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_shm_use'($*)) dnl
')
########################################
##
## Do not audit attempts to search the NSCD pid directory.
##
##
##
## Domain to not audit.
##
##
#
define(`nscd_dontaudit_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_search_pid'($*)) dnl
gen_require(`
type nscd_var_run_t;
')
dontaudit $1 nscd_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_search_pid'($*)) dnl
')
########################################
##
## Do not audit attempts to read the NSCD pid directory.
##
##
##
## Domain to not audit.
##
##
#
define(`nscd_dontaudit_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_read_pid'($*)) dnl
gen_require(`
type nscd_var_run_t;
')
dontaudit $1 nscd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_read_pid'($*)) dnl
')
########################################
##
## Read NSCD pid file.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_read_pid'($*)) dnl
gen_require(`
type nscd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_read_pid'($*)) dnl
')
########################################
##
## Unconfined access to NSCD services.
##
##
##
## Domain allowed access.
##
##
#
define(`nscd_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_unconfined'($*)) dnl
gen_require(`
type nscd_t;
class nscd all_nscd_perms;
')
allow $1 nscd_t:nscd *;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_unconfined'($*)) dnl
')
########################################
##
## Execute nscd in the nscd domain, and
## allow the specified role the nscd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`nscd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_run'($*)) dnl
gen_require(`
type nscd_t;
')
nscd_domtrans($1)
role $2 types nscd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_run'($*)) dnl
')
########################################
##
## Execute the nscd server init script.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nscd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_initrc_domtrans'($*)) dnl
gen_require(`
type nscd_initrc_exec_t;
')
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute nscd server in the nscd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nscd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_systemctl'($*)) dnl
gen_require(`
type nscd_unit_file_t;
type nscd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 nscd_unit_file_t:file read_file_perms;
allow $1 nscd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, nscd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an nscd environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the nscd domain.
##
##
##
#
define(`nscd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_admin'($*)) dnl
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
type nscd_unit_file_t;
')
allow $1 nscd_t:process signal_perms;
ps_process_pattern($1, nscd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 nscd_t:process ptrace;
')
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 nscd_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, nscd_log_t)
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
nscd_systemctl($1)
admin_pattern($1, nscd_unit_file_t)
allow $1 nscd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_admin'($*)) dnl
')
## Authoritative only name server
########################################
##
## Read NSD pid file.
##
##
##
## Domain allowed access.
##
##
#
define(`nsd_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nsd_read_pid'($*)) dnl
gen_require(`
type nsd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nsd_read_pid'($*)) dnl
')
########################################
##
## Send and receive datagrams from NSD. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nsd_udp_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nsd_udp_chat'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nsd_udp_chat'($*)) dnl
')
########################################
##
## Connect to NSD over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nsd_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nsd_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nsd_tcp_connect'($*)) dnl
')
## nslcd - local LDAP name service daemon.
########################################
##
## Execute a domain transition to run nslcd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nslcd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_domtrans'($*)) dnl
gen_require(`
type nslcd_t, nslcd_exec_t;
')
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_domtrans'($*)) dnl
')
########################################
##
## Execute nslcd server in the nslcd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nslcd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_initrc_domtrans'($*)) dnl
gen_require(`
type nslcd_initrc_exec_t;
')
init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read nslcd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`nslcd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_read_pid_files'($*)) dnl
gen_require(`
type nslcd_var_run_t;
')
files_search_pids($1)
allow $1 nslcd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_read_pid_files'($*)) dnl
')
########################################
##
## Dontaudit write to nslcd over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`nslcd_dontaudit_write_ock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_dontaudit_write_ock_file'($*)) dnl
gen_require(`
type nslcd_var_run_t;
')
dontaudit $1 nslcd_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_dontaudit_write_ock_file'($*)) dnl
')
########################################
##
## Connect to nslcd over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`nslcd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_stream_connect'($*)) dnl
gen_require(`
type nslcd_t, nslcd_var_run_t;
')
stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_stream_connect'($*)) dnl
')
#######################################
##
## Do not audit attempts to write nslcd sock files
##
##
##
## Domain to not audit.
##
##
#
define(`nslcd_dontaudit_write_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_dontaudit_write_sock_file'($*)) dnl
gen_require(`
type nslcd_t, nslcd_var_run_t;
')
dontaudit $1 nslcd_t:sock_file write;
dontaudit $1 nslcd_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_dontaudit_write_sock_file'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an nslcd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`nslcd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_admin'($*)) dnl
gen_require(`
type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
type nslcd_conf_t;
')
ps_process_pattern($1, nslcd_t)
allow $1 nslcd_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $1 nslcd_t:process ptrace;
')
# Allow nslcd_t to restart the apache service
nslcd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, nslcd_conf_t)
files_list_pids($1)
admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_admin'($*)) dnl
')
## A network traffic probe similar to the UNIX top command.
########################################
##
## All of the rules required to
## administrate an ntop environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ntop_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntop_admin'($*)) dnl
gen_require(`
type ntop_t, ntop_etc_t, ntop_var_run_t;
type ntop_initrc_exec_t, ntop_var_lib_t;
')
allow $1 ntop_t:process { ptrace signal_perms };
ps_process_pattern($1, ntop_t)
init_labeled_script_domtrans($1, ntop_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntop_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, ntop_etc_t)
files_search_var_lib($1)
admin_pattern($1, ntop_var_lib_t)
files_list_pids($1)
admin_pattern($1, ntop_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntop_admin'($*)) dnl
')
## Network time protocol daemon
########################################
##
## NTP stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_stub'($*)) dnl
gen_require(`
type ntpd_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_stub'($*)) dnl
')
########################################
##
## Execute ntp server in the ntpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ntp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_domtrans'($*)) dnl
gen_require(`
type ntpd_t, ntpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ntpd_exec_t, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_domtrans'($*)) dnl
')
########################################
##
## Execute ntp server in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ntp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_exec'($*)) dnl
gen_require(`
type ntpd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ntpd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_exec'($*)) dnl
')
########################################
##
## Execute ntp in the ntp domain, and
## allow the specified role the ntp domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ntp_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_run'($*)) dnl
gen_require(`
type ntpd_t;
')
ntp_domtrans($1)
role $2 types ntpd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_run'($*)) dnl
')
########################################
##
## Execute ntp server in the ntpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ntp_domtrans_ntpdate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_domtrans_ntpdate'($*)) dnl
gen_require(`
type ntpd_t, ntpdate_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_domtrans_ntpdate'($*)) dnl
')
########################################
##
## Execute ntp server in the ntpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ntp_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_initrc_domtrans'($*)) dnl
gen_require(`
type ntpd_initrc_exec_t;
')
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_initrc_domtrans'($*)) dnl
')
#####################################
##
## Allow domain to read ntpd systemd unit files.
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_read_unit_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_read_unit_file'($*)) dnl
gen_require(`
type ntpd_unit_file_t;
')
files_search_var_lib($1)
allow $1 ntpd_unit_file_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_read_unit_file'($*)) dnl
')
########################################
##
## Execute ntpd server in the ntpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ntp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_systemctl'($*)) dnl
gen_require(`
type ntpd_unit_file_t;
type ntpd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 ntpd_unit_file_t:file read_file_perms;
allow $1 ntpd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_systemctl'($*)) dnl
')
########################################
##
## Send a generic signal to ntpd
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_signal'($*)) dnl
gen_require(`
type ntpd_t;
')
allow $1 ntpd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_signal'($*)) dnl
')
########################################
##
## Read ntp drift files.
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_read_drift_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_read_drift_files'($*)) dnl
gen_require(`
type ntp_drift_t;
')
files_search_var_lib($1)
read_files_pattern($1, ntp_drift_t, ntp_drift_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_read_drift_files'($*)) dnl
')
########################################
##
## Read and write ntpd shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_rw_shm'($*)) dnl
gen_require(`
type ntpd_t, ntpd_tmpfs_t;
')
allow $1 ntpd_t:shm rw_shm_perms;
list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_rw_shm'($*)) dnl
')
########################################
##
## Allow the domain to read ntpd state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_read_state'($*)) dnl
gen_require(`
type ntpd_t;
')
kernel_search_proc($1)
ps_process_pattern($1, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_read_state'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ntp environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the ntp domain.
##
##
##
#
define(`ntp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_admin'($*)) dnl
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
type ntpd_unit_file_t;
')
allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ntpd_t:process ptrace;
')
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
files_list_tmp($1)
admin_pattern($1, ntpd_tmp_t)
files_list_var_lib($1)
admin_pattern($1, ntp_drift_t)
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
ntp_systemctl($1)
admin_pattern($1, ntpd_unit_file_t)
allow $1 ntpd_unit_file_t:service all_service_perms;
ntp_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_admin'($*)) dnl
')
########################################
##
## Transition content labels to ntp named content
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_filetrans_named_content'($*)) dnl
gen_require(`
type ntp_conf_t;
type ntp_drift_t;
')
files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_filetrans_named_content'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## ntp log content.
##
##
##
## Domain allowed access.
##
##
#
define(`ntp_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_manage_log'($*)) dnl
gen_require(`
type ntpd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t)
manage_files_pattern($1, ntpd_log_t, ntpd_log_t)
manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_manage_log'($*)) dnl
')
## policy for numad
########################################
##
## Transition to numad.
##
##
##
## Domain allowed to transition.
##
##
#
define(`numad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_domtrans'($*)) dnl
gen_require(`
type numad_t, numad_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, numad_exec_t, numad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_domtrans'($*)) dnl
')
########################################
##
## Execute numad server in the numad domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`numad_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_systemctl'($*)) dnl
gen_require(`
type numad_t;
type numad_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 numad_unit_file_t:file read_file_perms;
allow $1 numad_unit_file_t:service all_service_perms;
ps_process_pattern($1, numad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_systemctl'($*)) dnl
')
########################################
##
## Send and receive messages from
## numad over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`numad_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_dbus_chat'($*)) dnl
gen_require(`
type numad_t;
class dbus send_msg;
')
allow $1 numad_t:dbus send_msg;
allow numad_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_dbus_chat'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an numad environment
##
##
##
## Domain allowed access.
##
##
#
define(`numad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_admin'($*)) dnl
gen_require(`
type numad_t;
type numad_unit_file_t;
')
allow $1 numad_t:process { ptrace signal_perms };
ps_process_pattern($1, numad_t)
numad_systemctl($1)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_admin'($*)) dnl
')
## nut - Network UPS Tools
#######################################
##
## Creates types and rules for a basic
## Network UPS Tools systemd daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`nut_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nut_domain_template'($*)) dnl
gen_require(`
attribute nut_domain;
')
type nut_$1_t, nut_domain;
type nut_$1_exec_t;
init_daemon_domain(nut_$1_t, nut_$1_exec_t)
type nut_$1_tmp_t;
files_tmp_file(nut_$1_tmp_t)
manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
auth_use_nsswitch(nut_$1_t)
logging_send_syslog_msg(nut_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nut_domain_template'($*)) dnl
')
#######################################
##
## Execute swift server in the swift domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nut_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nut_systemctl'($*)) dnl
gen_require(`
type nut_t;
type nut_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 nut_unit_file_t:file read_file_perms;
allow $1 nut_unit_file_t:service manage_service_perms;
ps_process_pattern($1, nut_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nut_systemctl'($*)) dnl
')
## NX remote desktop.
########################################
##
## Transition to nx server.
##
##
##
## Domain allowed to transition.
##
##
#
define(`nx_spec_domtrans_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_spec_domtrans_server'($*)) dnl
gen_require(`
type nx_server_t, nx_server_exec_t;
')
corecmd_search_bin($1)
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_spec_domtrans_server'($*)) dnl
')
########################################
##
## Read nx home directory content.
##
##
##
## Domain allowed access.
##
##
#
define(`nx_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_read_home_files'($*)) dnl
gen_require(`
type nx_server_home_ssh_t, nx_server_var_lib_t;
')
files_search_var_lib($1)
allow $1 nx_server_var_lib_t:dir search_dir_perms;
read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_read_home_files'($*)) dnl
')
########################################
##
## Search nx lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`nx_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_search_var_lib'($*)) dnl
gen_require(`
type nx_server_var_lib_t;
')
files_search_var_lib($1)
allow $1 nx_server_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_search_var_lib'($*)) dnl
')
########################################
##
## Create specified objects in nx lib
## directories with a private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`nx_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_var_lib_filetrans'($*)) dnl
gen_require(`
type nx_server_var_lib_t;
')
filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_var_lib_filetrans'($*)) dnl
')
########################################
##
## Transition to nx named content
##
##
##
## Domain allowed access.
##
##
#
define(`nx_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_filetrans_named_content'($*)) dnl
gen_require(`
type nx_server_home_ssh_t, nx_server_var_lib_t;
')
filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_filetrans_named_content'($*)) dnl
')
## Open AntiVirus scannerdaemon and signature update.
########################################
##
## Execute oav_update in the oav_update domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oav_domtrans_update',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oav_domtrans_update'($*)) dnl
gen_require(`
type oav_update_t, oav_update_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, oav_update_exec_t, oav_update_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oav_domtrans_update'($*)) dnl
')
########################################
##
## Execute oav_update in the oav update
## domain, and allow the specified role
## the oav_update domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`oav_run_update',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oav_run_update'($*)) dnl
gen_require(`
attribute_role oav_update_roles;
')
oav_domtrans_update($1)
roleattribute $2 oav_update_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oav_run_update'($*)) dnl
')
## D-Bus service providing high-level OBEX client and server side functionality.
########################################
##
## Transition to obex.
##
##
##
## Domain allowed to transition.
##
##
#
define(`obex_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `obex_domtrans'($*)) dnl
gen_require(`
type obex_t, obex_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, obex_exec_t, obex_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `obex_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## obex over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`obex_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `obex_dbus_chat'($*)) dnl
gen_require(`
type obex_t;
class dbus send_msg;
')
allow $1 obex_t:dbus send_msg;
allow obex_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `obex_dbus_chat'($*)) dnl
')
#######################################
##
## Role access for obex domains
## that executes via dbus-session
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
##
##
## User domain prefix to be used.
##
##
#
define(`obex_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `obex_role'($*)) dnl
gen_require(`
attribute_role obex_roles;
type obex_t, obex_exec_t;
')
########################################
#
# Declarations
#
roleattribute $1 obex_roles;
########################################
#
# Policy
#
allow $2 obex_t:process signal_perms;
ps_process_pattern($2, obex_t)
dbus_session_domain($3, obex_exec_t, obex_t)
obex_dbus_chat($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `obex_role'($*)) dnl
')
##
## Oddjob provides a mechanism by which unprivileged applications can
## request that specified privileged operations be performed on their
## behalf.
##
########################################
##
## Execute a domain transition to run oddjob.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oddjob_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_domtrans'($*)) dnl
gen_require(`
type oddjob_t, oddjob_exec_t;
')
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_domtrans'($*)) dnl
')
#####################################
##
## Do not audit attempts to read and write
## oddjob fifo file.
##
##
##
## Domain to not audit.
##
##
#
define(`oddjob_dontaudit_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_dontaudit_rw_fifo_file'($*)) dnl
gen_require(`
type oddjob_t;
')
dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_dontaudit_rw_fifo_file'($*)) dnl
')
########################################
##
## Make the specified program domain accessable
## from the oddjob.
##
##
##
## The type of the process to transition to.
##
##
##
##
## The type of the file used as an entrypoint to this domain.
##
##
#
define(`oddjob_system_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_system_entry'($*)) dnl
gen_require(`
type oddjob_t;
')
domtrans_pattern(oddjob_t, $2, $1)
domain_user_exemption_target($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_system_entry'($*)) dnl
')
########################################
##
## Send and receive messages from
## oddjob over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`oddjob_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_dbus_chat'($*)) dnl
gen_require(`
type oddjob_t;
class dbus send_msg;
')
allow $1 oddjob_t:dbus send_msg;
allow oddjob_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_dbus_chat'($*)) dnl
')
######################################
##
## Send a SIGCHLD signal to oddjob.
##
##
##
## Domain allowed access.
##
##
#
define(`oddjob_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_sigchld'($*)) dnl
gen_require(`
type oddjob_t;
')
allow $1 oddjob_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_sigchld'($*)) dnl
')
########################################
##
## Execute a domain transition to run oddjob_mkhomedir.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oddjob_domtrans_mkhomedir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_domtrans_mkhomedir'($*)) dnl
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_domtrans_mkhomedir'($*)) dnl
')
########################################
##
## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`oddjob_run_mkhomedir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_run_mkhomedir'($*)) dnl
gen_require(`
type oddjob_mkhomedir_t;
')
oddjob_domtrans_mkhomedir($1)
role $2 types oddjob_mkhomedir_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_run_mkhomedir'($*)) dnl
')
########################################
##
## Execute the oddjob program in the oddjob domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`oddjob_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_run'($*)) dnl
gen_require(`
type oddjob_t;
')
oddjob_domtrans($1)
role $2 types oddjob_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_run'($*)) dnl
')
#######################################
##
## Execute oddjob in the oddjob domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oddjob_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_systemctl'($*)) dnl
gen_require(`
type oddjob_unit_file_t;
type oddjob_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 oddjob_unit_file_t:file read_file_perms;
allow $1 oddjob_unit_file_t:service manage_service_perms;
ps_process_pattern($1, oddjob_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_systemctl'($*)) dnl
')
########################################
##
## Create a domain which can be started by init,
## with a range transition.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
#
define(`oddjob_ranged_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_ranged_domain'($*)) dnl
gen_require(`
type oddjob_t;
')
oddjob_system_entry($1, $2)
ifdef(`enable_mcs',`
range_transition oddjob_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition oddjob_t $2:process $3;
mls_rangetrans_target($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_ranged_domain'($*)) dnl
')
########################################
##
## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`oddjob_mkhomedir_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_mkhomedir_entrypoint'($*)) dnl
gen_require(`
type oddjob_mkhomedir_exec_t;
')
allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_mkhomedir_entrypoint'($*)) dnl
')
## An ident daemon with IP masq/NAT support and the ability to specify responses.
########################################
##
## Role access for oident.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`oident_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_role'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_role'($*)) dnl
')
########################################
##
## Read oidentd user home content.
##
##
##
## Domain allowed access.
##
##
#
define(`oident_read_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_read_user_content'($*)) dnl
gen_require(`
type oidentd_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 oidentd_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_read_user_content'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## oidentd user home content.
##
##
##
## Domain allowed access.
##
##
#
define(`oident_manage_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_manage_user_content'($*)) dnl
gen_require(`
type oidentd_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 oidentd_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_manage_user_content'($*)) dnl
')
########################################
##
## Relabel oidentd user home content.
##
##
##
## Domain allowed access.
##
##
#
define(`oident_relabel_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_relabel_user_content'($*)) dnl
gen_require(`
type oidentd_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 oidentd_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_relabel_user_content'($*)) dnl
')
########################################
##
## Create objects in user home
## directories with the oidentd home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`oident_home_filetrans_oidentd_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_home_filetrans_oidentd_home'($*)) dnl
gen_require(`
type oidentd_home_t;
')
userdom_user_home_dir_filetrans($1, oidentd_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_home_filetrans_oidentd_home'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an oident environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`oident_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_admin'($*)) dnl
gen_require(`
type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
')
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 oidentd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_admin'($*)) dnl
')
## Policy for opafm
## Open Certificate Authority.
########################################
##
## Execute the openca with
## a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openca_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_domtrans'($*)) dnl
gen_require(`
type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
')
files_search_usr($1)
allow $1 openca_usr_share_t:dir search_dir_perms;
domtrans_pattern($1, openca_ca_exec_t, openca_ca_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_domtrans'($*)) dnl
')
########################################
##
## Send generic signals to openca.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_signal'($*)) dnl
gen_require(`
type openca_ca_t;
')
allow $1 openca_ca_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_signal'($*)) dnl
')
########################################
##
## Send stop signals to openca.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_sigstop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_sigstop'($*)) dnl
gen_require(`
type openca_ca_t;
')
allow $1 openca_ca_t:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_sigstop'($*)) dnl
')
########################################
##
## Send kill signals to openca.
##
##
##
## Domain allowed access.
##
##
#
define(`openca_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_kill'($*)) dnl
gen_require(`
type openca_ca_t;
')
allow $1 openca_ca_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_kill'($*)) dnl
')
## Service for handling smart card readers.
########################################
##
## Send null signals to openct.
##
##
##
## Domain allowed access.
##
##
#
define(`openct_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_signull'($*)) dnl
gen_require(`
type openct_t;
')
allow $1 openct_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_signull'($*)) dnl
')
########################################
##
## Execute openct in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`openct_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_exec'($*)) dnl
gen_require(`
type openct_t, openct_exec_t;
')
corecmd_search_bin($1)
can_exec($1, openct_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_exec'($*)) dnl
')
########################################
##
## Execute a domain transition to run openct.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openct_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_domtrans'($*)) dnl
gen_require(`
type openct_t, openct_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openct_exec_t, openct_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_domtrans'($*)) dnl
')
########################################
##
## Read openct pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`openct_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_read_pid_files'($*)) dnl
gen_require(`
type openct_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, openct_var_run_t, openct_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_read_pid_files'($*)) dnl
')
########################################
##
## Connect to openct over an unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`openct_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_stream_connect'($*)) dnl
gen_require(`
type openct_t, openct_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an openct environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`openct_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_admin'($*)) dnl
gen_require(`
type openct_t, openct_initrc_exec_t, openct_var_run_t;
')
allow $1 openct_t:process { ptrace signal_perms };
ps_process_pattern($1, openct_t)
init_labeled_script_domtrans($1, openct_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 openct_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, openct_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_admin'($*)) dnl
')
## policy for opendnssec
########################################
##
## Execute opendnssec_exec_t in the opendnssec domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`opendnssec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_domtrans'($*)) dnl
gen_require(`
type opendnssec_t, opendnssec_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, opendnssec_exec_t, opendnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_domtrans'($*)) dnl
')
######################################
##
## Execute opendnssec in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`opendnssec_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_exec'($*)) dnl
gen_require(`
type opendnssec_exec_t;
')
corecmd_search_bin($1)
can_exec($1, opendnssec_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_exec'($*)) dnl
')
########################################
##
## Read the opendnssec configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`opendnssec_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_read_config'($*)) dnl
gen_require(`
type opendnssec_conf_t;
')
files_search_etc($1)
allow $1 opendnssec_conf_t:dir list_dir_perms;
allow $1 opendnssec_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_read_config'($*)) dnl
')
########################################
##
## Read the opendnssec configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`opendnssec_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_manage_config'($*)) dnl
gen_require(`
type opendnssec_conf_t;
')
files_search_etc($1)
allow $1 opendnssec_conf_t:dir manage_dir_perms;
allow $1 opendnssec_conf_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_manage_config'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read and write opendnssec /var files.
##
##
##
## Domain allowed access.
##
##
#
define(`opendnssec_manage_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_manage_var_files'($*)) dnl
gen_require(`
type opendnssec_var_t;
')
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_manage_var_files'($*)) dnl
')
########################################
##
## Read opendnssec PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`opendnssec_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_read_pid_files'($*)) dnl
gen_require(`
type opendnssec_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_read_pid_files'($*)) dnl
')
########################################
##
## Execute opendnssec server in the opendnssec domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`opendnssec_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_systemctl'($*)) dnl
gen_require(`
type opendnssec_t;
type opendnssec_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 opendnssec_unit_file_t:file read_file_perms;
allow $1 opendnssec_unit_file_t:service manage_service_perms;
ps_process_pattern($1, opendnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an opendnssec environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`opendnssec_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_admin'($*)) dnl
gen_require(`
type opendnssec_t;
type opendnssec_var_run_t;
type opendnssec_unit_file_t;
')
allow $1 opendnssec_t:process { signal_perms };
ps_process_pattern($1, opendnssec_t)
tunable_policy(`deny_ptrace',`',`
allow $1 opendnssec_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, opendnssec_var_run_t)
opendnssec_systemctl($1)
admin_pattern($1, opendnssec_unit_file_t)
allow $1 opendnssec_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_admin'($*)) dnl
')
########################################
##
## Transition to quota named content
##
##
##
## Domain allowed access.
##
##
#
define(`opendnssec_filetrans_etc_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_filetrans_etc_content'($*)) dnl
gen_require(`
type opendnssec_conf_t;
')
files_etc_filetrans($1, opendnssec_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_filetrans_etc_content'($*)) dnl
')
########################################
##
## Connect to opendnssec over an unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`opendnssec_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_stream_connect'($*)) dnl
gen_require(`
type opendnssec_t, opendnssec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_stream_connect'($*)) dnl
')
## Fortinet compatible SSL VPN daemons.
########################################
##
## Transition to openfortivpn.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openfortivpn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_domtrans'($*)) dnl
gen_require(`
type openfortivpn_t, openfortivpn_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openfortivpn_exec_t, openfortivpn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_domtrans'($*)) dnl
')
########################################
##
## Allow send a signal to openfortivpn.
##
##
##
## Domain allowed access.
##
##
#
define(`openfortivpn_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_signal'($*)) dnl
gen_require(`
type openfortivpn_t;
')
allow $1 openfortivpn_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_signal'($*)) dnl
')
########################################
##
## Allow send signull to openfortivpn.
##
##
##
## Domain allowed access.
##
##
#
define(`openfortivpn_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_signull'($*)) dnl
gen_require(`
type openfortivpn_t;
')
allow $1 openfortivpn_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_signull'($*)) dnl
')
########################################
##
## Allow send sigkill to openfortivpn.
##
##
##
## Domain allowed access.
##
##
#
define(`openfortivpn_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_sigkill'($*)) dnl
gen_require(`
type openfortivpn_t;
')
allow $1 openfortivpn_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_sigkill'($*)) dnl
')
########################################
##
## Send and receive messages from
## openfortivpn over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`openfortivpn_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_dbus_chat'($*)) dnl
gen_require(`
type openfortivpn_t;
class dbus send_msg;
')
allow $1 openfortivpn_t:dbus send_msg;
allow openfortivpn_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_dbus_chat'($*)) dnl
')
########################################
##
## Read from and write to the openfortivpn devpts.
##
##
##
## Domain allowed access.
##
##
#
define(`openfortivpn_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_use_ptys'($*)) dnl
gen_require(`
type openfortivpn_devpts_t;
')
allow $1 openfortivpn_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_use_ptys'($*)) dnl
')
## policy for openhpid
########################################
##
## Transition to openhpid.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openhpid_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_domtrans'($*)) dnl
gen_require(`
type openhpid_t, openhpid_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openhpid_exec_t, openhpid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_domtrans'($*)) dnl
')
########################################
##
## Execute openhpid server in the openhpid domain.
##
##
##
## Domain allowed access.
##
##
#
define(`openhpid_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_initrc_domtrans'($*)) dnl
gen_require(`
type openhpid_initrc_exec_t;
')
init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_initrc_domtrans'($*)) dnl
')
########################################
##
## Search openhpid lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openhpid_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_search_lib'($*)) dnl
gen_require(`
type openhpid_var_lib_t;
')
allow $1 openhpid_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_search_lib'($*)) dnl
')
########################################
##
## Read openhpid lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openhpid_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_read_lib_files'($*)) dnl
gen_require(`
type openhpid_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_read_lib_files'($*)) dnl
')
########################################
##
## Manage openhpid lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openhpid_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_manage_lib_files'($*)) dnl
gen_require(`
type openhpid_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_manage_lib_files'($*)) dnl
')
########################################
##
## Manage openhpid lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openhpid_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_manage_lib_dirs'($*)) dnl
gen_require(`
type openhpid_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an openhpid environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`openhpid_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_admin'($*)) dnl
gen_require(`
type openhpid_t;
type openhpid_initrc_exec_t;
type openhpid_var_lib_t;
')
allow $1 openhpid_t:process { ptrace signal_perms };
ps_process_pattern($1, openhpid_t)
openhpid_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 openhpid_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_admin'($*)) dnl
')
##
## policy for openshift
########################################
##
## Execute openshift server in the openshift domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`openshift_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_domtrans'($*)) dnl
gen_require(`
type openshift_initrc_t;
type openshift_initrc_exec_t;
')
domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_domtrans'($*)) dnl
')
#######################################
##
## Execute openshift server in the openshift domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## Role access to this domain.
##
##
#
define(`openshift_initrc_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_run'($*)) dnl
gen_require(`
type openshift_initrc_t;
type openshift_initrc_exec_t;
')
openshift_initrc_domtrans($1)
role $2 types openshift_initrc_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_run'($*)) dnl
')
########################################
##
## Send a null signal to openshift init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_initrc_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_signull'($*)) dnl
gen_require(`
type openshift_initrc_t;
')
allow $1 openshift_initrc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_signull'($*)) dnl
')
#######################################
##
## Send a signal to openshift init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_initrc_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_signal'($*)) dnl
gen_require(`
type openshift_initrc_t;
')
allow $1 openshift_initrc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_signal'($*)) dnl
')
########################################
##
## Search openshift cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_search_cache'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_search_cache'($*)) dnl
')
########################################
##
## Read openshift cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_cache_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## openshift cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_cache_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## openshift cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_cache_dirs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_cache_dirs'($*)) dnl
')
########################################
##
## Allow the specified domain to read openshift's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`openshift_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_log'($*)) dnl
gen_require(`
type openshift_log_t;
')
logging_search_logs($1)
read_files_pattern($1, openshift_log_t, openshift_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## openshift log files.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openshift_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_append_log'($*)) dnl
gen_require(`
type openshift_log_t;
')
logging_search_logs($1)
append_files_pattern($1, openshift_log_t, openshift_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_append_log'($*)) dnl
')
########################################
##
## Allow domain to manage openshift log files
##
##
##
## Domain to not audit.
##
##
#
define(`openshift_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_log'($*)) dnl
gen_require(`
type openshift_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
manage_files_pattern($1, openshift_log_t, openshift_log_t)
manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_log'($*)) dnl
')
########################################
##
## Search openshift lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_search_lib'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_search_lib'($*)) dnl
')
########################################
##
## Getattr openshift lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_getattr_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_getattr_lib'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_getattr_lib'($*)) dnl
')
########################################
##
## Read openshift lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_lib_files'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_lib_files'($*)) dnl
')
########################################
##
## Read openshift lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_append_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_append_lib_files'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
files_search_var_lib($1)
append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_append_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## openshift lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_lib_files'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## openshift lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_lib_dirs'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_lib_dirs'($*)) dnl
')
########################################
##
## Manage openshift lib content.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_content'($*)) dnl
gen_require(`
attribute openshift_file_type;
')
files_search_var_lib($1)
manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
manage_files_pattern($1, openshift_file_type, openshift_file_type)
manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_content'($*)) dnl
')
########################################
##
## Relabel openshift library files
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_relabelfrom_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_relabelfrom_lib'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
files_search_var_lib($1)
relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_relabelfrom_lib'($*)) dnl
')
#######################################
##
## Create private objects in the
## mail lib directory.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`openshift_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_lib_filetrans'($*)) dnl
gen_require(`
type openshift_var_lib_t;
')
files_search_var_lib($1)
filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_lib_filetrans'($*)) dnl
')
########################################
##
## Read openshift PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_pid_files'($*)) dnl
gen_require(`
type openshift_var_run_t;
')
files_search_pids($1)
allow $1 openshift_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an openshift environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`openshift_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_admin'($*)) dnl
gen_require(`
attribute openshift_domain;
type openshift_initrc_exec_t;
type openshift_log_t;
type openshift_var_lib_t;
type openshift_var_run_t;
')
allow $1 openshift_domain:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $1 openshift_domain:process ptrace;
')
ps_process_pattern($1, openshift_domain)
openshift_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 openshift_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, openshift_log_t)
files_search_var_lib($1)
admin_pattern($1, openshift_var_lib_t)
files_search_pids($1)
admin_pattern($1, openshift_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_admin'($*)) dnl
')
########################################
##
## Make the specified type usable as a openshift domain.
##
##
##
## The prefix of the domain (e.g., openshift
## is the prefix for openshift_t).
##
##
#
define(`openshift_service_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_service_domain_template'($*)) dnl
gen_require(`
attribute openshift_domain;
attribute openshift_user_domain;
')
type $1_t;
typeattribute $1_t openshift_domain, openshift_user_domain;
domain_type($1_t)
role system_r types $1_t;
mcs_constrained($1_t)
domain_user_exemption_target($1_t)
auth_use_nsswitch($1_t)
domain_subj_id_change_exemption($1_t)
domain_obj_id_change_exemption($1_t)
domain_dyntrans_type($1_t)
kernel_read_system_state($1_t)
logging_send_syslog_msg($1_t)
type $1_app_t;
typeattribute $1_app_t openshift_domain;
domain_type($1_app_t)
role system_r types $1_app_t;
mcs_constrained($1_app_t)
domain_user_exemption_target($1_app_t)
domain_obj_id_change_exemption($1_app_t)
domain_dyntrans_type($1_app_t)
auth_use_nsswitch($1_app_t)
kernel_read_system_state($1_app_t)
logging_send_syslog_msg($1_app_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_service_domain_template'($*)) dnl
')
########################################
##
## Make the specified type usable as a openshift domain.
##
##
##
## Type to be used as a openshift domain type.
##
##
#
define(`openshift_net_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_net_type'($*)) dnl
gen_require(`
attribute openshift_net_domain;
')
typeattribute $1 openshift_net_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_net_type'($*)) dnl
')
########################################
##
## Read and write inherited openshift files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_rw_inherited_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_rw_inherited_content'($*)) dnl
gen_require(`
attribute openshift_file_type;
')
allow $1 openshift_file_type:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_rw_inherited_content'($*)) dnl
')
########################################
##
## Manage openshift tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_tmp_files'($*)) dnl
gen_require(`
type openshift_tmp_t;
')
manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_tmp_files'($*)) dnl
')
########################################
##
## Manage openshift tmp sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_manage_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_tmp_sockets'($*)) dnl
gen_require(`
type openshift_tmp_t;
')
manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_tmp_sockets'($*)) dnl
')
########################################
##
## Mounton openshift tmp directory.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_mounton_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_mounton_tmp'($*)) dnl
gen_require(`
type openshift_tmp_t;
')
allow $1 openshift_tmp_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_mounton_tmp'($*)) dnl
')
########################################
##
## Dontaudit Read and write inherited script fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`openshift_dontaudit_rw_inherited_fifo_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_dontaudit_rw_inherited_fifo_files'($*)) dnl
gen_require(`
type openshift_initrc_t;
type openshift_t;
')
dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_dontaudit_rw_inherited_fifo_files'($*)) dnl
')
########################################
##
## Allow calling app to transition to an openshift domain
##
##
##
## Domain allowed access
##
##
##
#
define(`openshift_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_transition'($*)) dnl
gen_require(`
attribute openshift_user_domain;
')
allow $1 openshift_user_domain:process transition;
dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
allow openshift_user_domain $1:fd use;
allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
allow openshift_user_domain $1:process sigchld;
dontaudit $1 openshift_user_domain:socket_class_set { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_transition'($*)) dnl
')
########################################
##
## Allow calling app to transition to an openshift domain
##
##
##
## Domain allowed access
##
##
##
#
define(`openshift_dyntransition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_dyntransition'($*)) dnl
gen_require(`
attribute openshift_domain;
attribute openshift_user_domain;
')
allow $1 openshift_user_domain:process dyntransition;
dontaudit openshift_user_domain $1:key view;
allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
allow $1 openshift_user_domain:process { rlimitinh signal };
dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_dyntransition'($*)) dnl
')
########################################
##
## Execute openshift in the openshift domain, and
## allow the specified role the openshift domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`openshift_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_run'($*)) dnl
gen_require(`
type openshift_initrc_exec_t;
')
openshift_initrc_domtrans($1)
role_transition $2 openshift_initrc_exec_t system_r;
openshift_transition($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_run'($*)) dnl
')
## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB
########################################
##
## Execute opensm in the opensm domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`opensm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_domtrans'($*)) dnl
gen_require(`
type opensm_t, opensm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, opensm_exec_t, opensm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_domtrans'($*)) dnl
')
########################################
##
## Search opensm cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_search_cache'($*)) dnl
gen_require(`
type opensm_cache_t;
')
allow $1 opensm_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_search_cache'($*)) dnl
')
########################################
##
## Read opensm cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_read_cache_files'($*)) dnl
gen_require(`
type opensm_cache_t;
')
files_search_var($1)
read_files_pattern($1, opensm_cache_t, opensm_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## opensm cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_manage_cache_files'($*)) dnl
gen_require(`
type opensm_cache_t;
')
files_search_var($1)
manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_manage_cache_files'($*)) dnl
')
########################################
##
## Manage opensm cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_manage_cache_dirs'($*)) dnl
gen_require(`
type opensm_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_manage_cache_dirs'($*)) dnl
')
########################################
##
## Read opensm's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_read_log'($*)) dnl
gen_require(`
type opensm_log_t;
')
logging_search_logs($1)
read_files_pattern($1, opensm_log_t, opensm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_read_log'($*)) dnl
')
########################################
##
## Append to opensm log files.
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_append_log'($*)) dnl
gen_require(`
type opensm_log_t;
')
logging_search_logs($1)
append_files_pattern($1, opensm_log_t, opensm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_append_log'($*)) dnl
')
########################################
##
## Manage opensm log files
##
##
##
## Domain allowed access.
##
##
#
define(`opensm_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_manage_log'($*)) dnl
gen_require(`
type opensm_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
manage_files_pattern($1, opensm_log_t, opensm_log_t)
manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_manage_log'($*)) dnl
')
########################################
##
## Execute opensm server in the opensm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`opensm_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_systemctl'($*)) dnl
gen_require(`
type opensm_t;
type opensm_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 opensm_unit_file_t:file read_file_perms;
allow $1 opensm_unit_file_t:service manage_service_perms;
ps_process_pattern($1, opensm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an opensm environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`opensm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_admin'($*)) dnl
gen_require(`
type opensm_t;
type opensm_cache_t;
type opensm_log_t;
type opensm_unit_file_t;
')
allow $1 opensm_t:process { signal_perms };
ps_process_pattern($1, opensm_t)
tunable_policy(`deny_ptrace',`',`
allow $1 opensm_t:process ptrace;
')
files_search_var($1)
admin_pattern($1, opensm_cache_t)
logging_search_logs($1)
admin_pattern($1, opensm_log_t)
opensm_systemctl($1)
admin_pattern($1, opensm_unit_file_t)
allow $1 opensm_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_admin'($*)) dnl
')
## full-featured SSL VPN solution.
########################################
##
## Execute openvpn clients in the
## openvpn domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openvpn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_domtrans'($*)) dnl
gen_require(`
type openvpn_t, openvpn_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openvpn_exec_t, openvpn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_domtrans'($*)) dnl
')
########################################
##
## Execute openvpn clients in the
## caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openvpn_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_exec'($*)) dnl
gen_require(`
type openvpn_exec_t;
')
can_exec($1, openvpn_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_exec'($*)) dnl
')
########################################
##
## Execute openvpn clients in the
## openvpn domain, and allow the
## specified role the openvpn domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`openvpn_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_run'($*)) dnl
gen_require(`
attribute_role openvpn_roles;
')
openvpn_domtrans($1)
roleattribute $2 openvpn_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_run'($*)) dnl
')
########################################
##
## Send kill signals to openvpn.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_kill'($*)) dnl
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_kill'($*)) dnl
')
########################################
##
## Send generic signals to openvpn.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_signal'($*)) dnl
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_signal'($*)) dnl
')
########################################
##
## Send null signals to openvpn.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_signull'($*)) dnl
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_signull'($*)) dnl
')
########################################
##
## Read openvpn configuration content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`openvpn_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_read_config'($*)) dnl
gen_require(`
type openvpn_etc_t;
')
files_search_etc($1)
allow $1 openvpn_etc_t:dir list_dir_perms;
allow $1 openvpn_etc_t:file read_file_perms;
allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_read_config'($*)) dnl
')
####################################
##
## Connect to openvpn over
## a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_stream_connect'($*)) dnl
gen_require(`
type openvpn_t, openvpn_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_stream_connect'($*)) dnl
')
########################################
##
## Search openvpn lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_search_lib'($*)) dnl
gen_require(`
type openvpn_var_lib_t;
')
allow $1 openvpn_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_search_lib'($*)) dnl
')
########################################
##
## Read and write to sopenvpn_image devices.
##
##
##
## Domain allowed access.
##
##
#
define(`openvpn_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_noatsecure'($*)) dnl
gen_require(`
type openvpn_t;
')
allow $1 openvpn_t:process { rlimitinh siginh noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_noatsecure'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an openvpn environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`openvpn_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_admin'($*)) dnl
gen_require(`
type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
type openvpn_status_t;
')
allow $1 openvpn_t:process signal_perms;
ps_process_pattern($1, openvpn_t)
tunable_policy(`deny_ptrace',`',`
allow $1 openvpn_t:process ptrace;
')
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })
logging_list_logs($1)
admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
files_list_pids($1)
admin_pattern($1, openvpn_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_admin'($*)) dnl
')
## policy for openvswitch
########################################
##
## Execute TEMPLATE in the openvswitch domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openvswitch_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_domtrans'($*)) dnl
gen_require(`
type openvswitch_t, openvswitch_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_domtrans'($*)) dnl
')
########################################
##
## Read openvswitch's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`openvswitch_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_read_log'($*)) dnl
gen_require(`
type openvswitch_log_t;
')
logging_search_logs($1)
read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_read_log'($*)) dnl
')
########################################
##
## Append to openvswitch log files.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_append_log'($*)) dnl
gen_require(`
type openvswitch_log_t;
')
logging_search_logs($1)
append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_append_log'($*)) dnl
')
########################################
##
## Manage openvswitch log files
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_manage_log'($*)) dnl
gen_require(`
type openvswitch_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_manage_log'($*)) dnl
')
########################################
##
## Search openvswitch lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_search_lib'($*)) dnl
gen_require(`
type openvswitch_var_lib_t;
')
allow $1 openvswitch_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_search_lib'($*)) dnl
')
########################################
##
## Read openvswitch lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_read_lib_files'($*)) dnl
gen_require(`
type openvswitch_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_read_lib_files'($*)) dnl
')
########################################
##
## Manage openvswitch lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_manage_lib_files'($*)) dnl
gen_require(`
type openvswitch_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_manage_lib_files'($*)) dnl
')
########################################
##
## Manage openvswitch lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_manage_lib_dirs'($*)) dnl
gen_require(`
type openvswitch_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read openvswitch PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_read_pid_files'($*)) dnl
gen_require(`
type openvswitch_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_read_pid_files'($*)) dnl
')
########################################
##
## Allow stream connect to openvswitch.
##
##
##
## Domain allowed access.
##
##
#
define(`openvswitch_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_stream_connect'($*)) dnl
gen_require(`
type openvswitch_t, openvswitch_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_stream_connect'($*)) dnl
')
########################################
##
## Execute openvswitch server in the openvswitch domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openvswitch_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_systemctl'($*)) dnl
gen_require(`
type openvswitch_t;
type openvswitch_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 openvswitch_unit_file_t:file read_file_perms;
allow $1 openvswitch_unit_file_t:service manage_service_perms;
ps_process_pattern($1, openvswitch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an openvswitch environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`openvswitch_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_admin'($*)) dnl
gen_require(`
type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
')
allow $1 openvswitch_t:process { ptrace signal_perms };
ps_process_pattern($1, openvswitch_t)
logging_search_logs($1)
admin_pattern($1, openvswitch_rw_t)
logging_search_logs($1)
admin_pattern($1, openvswitch_log_t)
files_search_var_lib($1)
admin_pattern($1, openvswitch_var_lib_t)
files_search_pids($1)
admin_pattern($1, openvswitch_var_run_t)
openvswitch_systemctl($1)
admin_pattern($1, openvswitch_unit_file_t)
allow $1 openvswitch_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_admin'($*)) dnl
')
## WS-Management Server
########################################
##
## Execute openwsman in the openwsman domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openwsman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openwsman_domtrans'($*)) dnl
gen_require(`
type openwsman_t, openwsman_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, openwsman_exec_t, openwsman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openwsman_domtrans'($*)) dnl
')
########################################
##
## Execute openwsman server in the openwsman domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`openwsman_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openwsman_systemctl'($*)) dnl
gen_require(`
type openwsman_t;
type openwsman_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 openwsman_unit_file_t:file read_file_perms;
allow $1 openwsman_unit_file_t:service manage_service_perms;
ps_process_pattern($1, openwsman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openwsman_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an openwsman environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`openwsman_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openwsman_admin'($*)) dnl
gen_require(`
type openwsman_t;
type openwsman_unit_file_t;
')
allow $1 openwsman_t:process { signal_perms };
ps_process_pattern($1, openwsman_t)
tunable_policy(`deny_ptrace',`',`
allow $1 openwsman_t:process ptrace;
')
openwsman_systemctl($1)
admin_pattern($1, openwsman_unit_file_t)
allow $1 openwsman_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openwsman_admin'($*)) dnl
')
## policy for oracleasm
########################################
##
## Transition to oracleasm.
##
##
##
## Domain allowed to transition.
##
##
#
define(`oracleasm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oracleasm_domtrans'($*)) dnl
gen_require(`
type oracleasm_t, oracleasm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oracleasm_domtrans'($*)) dnl
')
########################################
##
## Execute oracleasm server in the oracleasm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`oracleasm_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oracleasm_initrc_domtrans'($*)) dnl
gen_require(`
type oracleasm_initrc_exec_t;
')
init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oracleasm_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an oracleasm environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`oracleasm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oracleasm_admin'($*)) dnl
gen_require(`
type oracleasm_t;
type oracleasm_initrc_exec_t;
')
allow $1 oracleasm_t:process { ptrace signal_perms };
ps_process_pattern($1, oracleasm_t)
oracleasm_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 oracleasm_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oracleasm_admin'($*)) dnl
')
## Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher.
########################################
##
## Execute osad in the osad domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`osad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_domtrans'($*)) dnl
gen_require(`
type osad_t, osad_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, osad_exec_t, osad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_domtrans'($*)) dnl
')
########################################
##
## Execute osad server in the osad domain.
##
##
##
## Domain allowed access.
##
##
#
define(`osad_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_initrc_domtrans'($*)) dnl
gen_require(`
type osad_initrc_exec_t;
')
init_labeled_script_domtrans($1, osad_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_initrc_domtrans'($*)) dnl
')
########################################
##
## Read osad's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`osad_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_read_log'($*)) dnl
gen_require(`
type osad_log_t;
')
logging_search_logs($1)
read_files_pattern($1, osad_log_t, osad_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_read_log'($*)) dnl
')
########################################
##
## Append to osad log files.
##
##
##
## Domain allowed access.
##
##
#
define(`osad_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_append_log'($*)) dnl
gen_require(`
type osad_log_t;
')
logging_search_logs($1)
append_files_pattern($1, osad_log_t, osad_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_append_log'($*)) dnl
')
########################################
##
## Manage osad log files
##
##
##
## Domain allowed access.
##
##
#
define(`osad_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_manage_log'($*)) dnl
gen_require(`
type osad_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, osad_log_t, osad_log_t)
manage_files_pattern($1, osad_log_t, osad_log_t)
manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_manage_log'($*)) dnl
')
########################################
##
## Read osad PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`osad_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_read_pid_files'($*)) dnl
gen_require(`
type osad_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, osad_var_run_t, osad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an osad environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`osad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_admin'($*)) dnl
gen_require(`
type osad_t;
type osad_initrc_exec_t;
type osad_log_t;
type osad_var_run_t;
')
allow $1 osad_t:process { signal_perms };
ps_process_pattern($1, osad_t)
tunable_policy(`deny_ptrace',`',`
allow $1 osad_t:process ptrace;
')
osad_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 osad_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, osad_log_t)
files_search_pids($1)
admin_pattern($1, osad_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_admin'($*)) dnl
')
## >A scalable high-availability cluster resource manager.
########################################
##
## Transition to pacemaker.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pacemaker_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_domtrans'($*)) dnl
gen_require(`
type pacemaker_t, pacemaker_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_domtrans'($*)) dnl
')
########################################
##
## Execute pacemaker server in the pacemaker domain.
##
##
##
## Domain allowed access.
##
##
#
define(`pacemaker_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_initrc_domtrans'($*)) dnl
gen_require(`
type pacemaker_initrc_exec_t;
')
init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_initrc_domtrans'($*)) dnl
')
########################################
##
## Search pacemaker lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`pacemaker_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_search_lib'($*)) dnl
gen_require(`
type pacemaker_var_lib_t;
')
allow $1 pacemaker_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_search_lib'($*)) dnl
')
########################################
##
## Read pacemaker lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pacemaker_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_read_lib_files'($*)) dnl
gen_require(`
type pacemaker_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_read_lib_files'($*)) dnl
')
########################################
##
## Manage pacemaker lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pacemaker_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_manage_lib_files'($*)) dnl
gen_require(`
type pacemaker_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_manage_lib_files'($*)) dnl
')
########################################
##
## Manage pacemaker lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`pacemaker_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_manage_lib_dirs'($*)) dnl
gen_require(`
type pacemaker_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read pacemaker PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`pacemaker_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_read_pid_files'($*)) dnl
gen_require(`
type pacemaker_var_run_t;
')
files_search_pids($1)
allow $1 pacemaker_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_read_pid_files'($*)) dnl
')
########################################
##
## Execute pacemaker server in the pacemaker domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pacemaker_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_systemctl'($*)) dnl
gen_require(`
type pacemaker_t;
type pacemaker_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 pacemaker_unit_file_t:file read_file_perms;
allow $1 pacemaker_unit_file_t:service manage_service_perms;
ps_process_pattern($1, pacemaker_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an pacemaker environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pacemaker_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_admin'($*)) dnl
gen_require(`
type pacemaker_t;
type pacemaker_initrc_exec_t;
type pacemaker_var_lib_t;
type pacemaker_var_run_t;
type pacemaker_unit_file_t;
')
allow $1 pacemaker_t:process { ptrace signal_perms };
ps_process_pattern($1, pacemaker_t)
pacemaker_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pacemaker_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pacemaker_var_lib_t)
files_search_pids($1)
admin_pattern($1, pacemaker_var_run_t)
pacemaker_systemctl($1)
admin_pattern($1, pacemaker_unit_file_t)
allow $1 pacemaker_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_admin'($*)) dnl
')
## Passive Asset Detection System.
########################################
##
## All of the rules required to
## administrate an pads environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pads_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pads_admin'($*)) dnl
gen_require(`
type pads_t, pads_config_t, pads_var_run_t;
type pads_initrc_exec_t;
')
allow $1 pads_t:process signal_perms;
ps_process_pattern($1, pads_t)
tunable_policy(`deny_ptrace',`',`
allow $1 pads_t:process ptrace;
')
init_labeled_script_domtrans($1, pads_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pads_var_run_t)
files_search_etc($1)
admin_pattern($1, pads_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pads_admin'($*)) dnl
')
## Ruby on rails deployment for Apache and Nginx servers.
######################################
##
## Execute passenger in the passenger domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`passenger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_domtrans'($*)) dnl
gen_require(`
type passenger_t, passenger_exec_t;
')
domtrans_pattern($1, passenger_exec_t, passenger_t)
allow passenger_t $1:unix_stream_socket { accept getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_domtrans'($*)) dnl
')
######################################
##
## Execute passenger in the current domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`passenger_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_exec'($*)) dnl
gen_require(`
type passenger_exec_t;
')
can_exec($1, passenger_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_exec'($*)) dnl
')
#######################################
##
## Getattr passenger log files
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_getattr_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_getattr_log_files'($*)) dnl
gen_require(`
type passenger_log_t;
')
getattr_files_pattern($1, passenger_log_t, passenger_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_getattr_log_files'($*)) dnl
')
########################################
##
## Read passenger lib files
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_read_lib_files'($*)) dnl
gen_require(`
type passenger_var_lib_t;
')
read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_read_lib_files'($*)) dnl
')
########################################
##
## Manage passenger lib files
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_manage_lib_files'($*)) dnl
gen_require(`
type passenger_var_lib_t;
')
manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_manage_lib_files'($*)) dnl
')
#####################################
##
## Manage passenger var_run content.
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_manage_pid_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_manage_pid_content'($*)) dnl
gen_require(`
type passenger_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_manage_pid_content'($*)) dnl
')
########################################
##
## Connect to passenger unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_stream_connect'($*)) dnl
gen_require(`
type passenger_t;
type passenger_tmp_t;
type passenger_var_run_t;
')
stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_stream_connect'($*)) dnl
')
#######################################
##
## Allow to manage passenger tmp files/dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_manage_tmp_files'($*)) dnl
gen_require(`
type passenger_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_manage_tmp_files'($*)) dnl
')
########################################
##
## Send kill signals to passenger.
##
##
##
## Domain allowed access.
##
##
#
define(`passenger_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_kill'($*)) dnl
gen_require(`
type passenger_t;
')
allow $1 passenger_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_kill'($*)) dnl
')
## PCMCIA card management services.
########################################
##
## PCMCIA stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_stub'($*)) dnl
gen_require(`
type cardmgr_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_stub'($*)) dnl
')
########################################
##
## Execute cardmgr in the cardmgr domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pcmcia_domtrans_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardmgr'($*)) dnl
gen_require(`
type cardmgr_t, cardmgr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cardmgr_exec_t, cardmgr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardmgr'($*)) dnl
')
########################################
##
## Inherit and use cardmgr file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_use_cardmgr_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_use_cardmgr_fds'($*)) dnl
gen_require(`
type cardmgr_t;
')
allow $1 cardmgr_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_use_cardmgr_fds'($*)) dnl
')
########################################
##
## Execute cardctl in the cardmgr domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pcmcia_domtrans_cardctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardctl'($*)) dnl
gen_require(`
type cardmgr_t, cardctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cardctl_exec_t, cardmgr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardctl'($*)) dnl
')
########################################
##
## Execute cardctl in the cardmgr
## domain, and allow the specified
## role the cardmgr domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pcmcia_run_cardctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_run_cardctl'($*)) dnl
gen_require(`
attribute_role cardmgr_roles;
')
pcmcia_domtrans_cardctl($1)
roleattribute $2 cardmgr_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_run_cardctl'($*)) dnl
')
########################################
##
## Read cardmgr pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_read_pid'($*)) dnl
gen_require(`
type cardmgr_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_read_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## cardmgr pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid'($*)) dnl
gen_require(`
type cardmgr_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## cardmgr runtime character nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`pcmcia_manage_pid_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid_chr_files'($*)) dnl
gen_require(`
type cardmgr_var_run_t;
')
files_search_pids($1)
manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid_chr_files'($*)) dnl
')
## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
######################################
##
## Creates types and rules for a basic
## pcp daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`pcp_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_domain_template'($*)) dnl
gen_require(`
attribute pcp_domain;
')
type pcp_$1_t, pcp_domain;
type pcp_$1_exec_t;
init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
type pcp_$1_initrc_exec_t;
init_script_file(pcp_$1_initrc_exec_t)
auth_use_nsswitch(pcp_$1_t)
optional_policy(`
cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_domain_template'($*)) dnl
')
######################################
##
## Allow domain to read pcp lib files
##
##
##
## Prefix for the domain.
##
##
#
define(`pcp_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_read_lib_files'($*)) dnl
gen_require(`
type pcp_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_read_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an pcp environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`pcp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_admin'($*)) dnl
gen_require(`
type pcp_pmcd_t;
type pcp_pmlogger_t;
type pcp_pmproxy_t;
type pcp_pmie_t;
type pcp_var_run_t;
')
allow $1 pcp_pmcd_t:process signal_perms;
ps_process_pattern($1, pcp_pmcd_t)
allow $1 pcp_pmlogger_t:process signal_perms;
ps_process_pattern($1, pcp_pmlogger_t)
allow $1 pcp_pmproxy_t:process signal_perms;
ps_process_pattern($1, pcp_pmproxy_t)
allow $1 pcp_pmie_t:process signal_perms;
ps_process_pattern($1, pcp_pmie_t)
tunable_policy(`deny_ptrace',`',`
allow $1 pcp_pmcd_t:process ptrace;
allow $1 pcp_pmlogger_t:process ptrace;
allow $1 pcp_pmproxy_t:process ptrace;
allow $1 pcp_pmie_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, pcp_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_admin'($*)) dnl
')
########################################
##
## Allow the specified domain to execute pcp_pmie
## in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pcp_pmie_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_pmie_exec'($*)) dnl
gen_require(`
type pcp_pmie_exec_t;
')
corecmd_search_bin($1)
can_exec($1, pcp_pmie_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_pmie_exec'($*)) dnl
')
########################################
##
## Allow the specified domain to execute pcp_pmlogger
## in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pcp_pmlogger_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_pmlogger_exec'($*)) dnl
gen_require(`
type pcp_pmlogger_exec_t;
')
corecmd_search_bin($1)
can_exec($1, pcp_pmlogger_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_pmlogger_exec'($*)) dnl
')
#######################################
##
## Transition to pcp named content
##
##
##
## Domain allowed access.
##
##
#
define(`pcp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_filetrans_named_content'($*)) dnl
gen_require(`
type pcp_var_run_t;
')
files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_filetrans_named_content'($*)) dnl
')
## PCSC smart card service.
########################################
##
## Execute a domain transition to run pcscd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pcscd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_domtrans'($*)) dnl
gen_require(`
type pcscd_t, pcscd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pcscd_exec_t, pcscd_t)
ps_process_pattern(pcscd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_domtrans'($*)) dnl
')
########################################
##
## Read pcscd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_read_pub_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_read_pub_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use pcscd_read_pid_files() instead.')
pcscd_read_pid_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_read_pub_files'($*)) dnl
')
########################################
##
## Read pcscd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_read_pid_files'($*)) dnl
gen_require(`
type pcscd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## pcscd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_manage_pub_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_manage_pub_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_manage_pub_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## pcscd pid fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_manage_pub_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_manage_pub_pipes'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_manage_pub_pipes'($*)) dnl
')
########################################
##
## Send signulls to pcscd processes.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_signull'($*)) dnl
gen_require(`
type pcscd_t;
')
allow $1 pcscd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_signull'($*)) dnl
')
########################################
##
## Connect to pcscd over an unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pcscd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_stream_connect'($*)) dnl
gen_require(`
type pcscd_t, pcscd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an pcscd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pcscd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_admin'($*)) dnl
gen_require(`
type pcscd_t, pcscd_initrc_exec_t, pcscd_var_run_t;
')
allow $1 pcscd_t:process { ptrace signal_perms };
ps_process_pattern($1, pcscd_t)
init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pcscd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, pcscd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_admin'($*)) dnl
')
## PowerDNS DNS server.
########################################
##
## Execute pdns in the pdns domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pdns_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_domtrans'($*)) dnl
gen_require(`
type pdns_t, pdns_exec_t;
')
domtrans_pattern($1, pdns_exec_t, pdns_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_domtrans'($*)) dnl
')
########################################
##
## Execute pdns_control in the pdns_control domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pdns_domtrans_pdns_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_domtrans_pdns_control'($*)) dnl
gen_require(`
type pdns_control_t, pdns_control_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pdns_control_exec_t, pdns_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_domtrans_pdns_control'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## pdns configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`pdns_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_read_config'($*)) dnl
gen_require(`
type pdns_conf_t;
')
files_search_etc($1)
allow $1 pdns_conf_t:dir list_dir_perms;
read_files_pattern($1, pdns_conf_t, pdns_conf_t)
read_lnk_files_pattern($1, pdns_conf_t, pdns_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_read_config'($*)) dnl
')
########################################
##
## Connect to pdns over an unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pdns_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_stream_connect'($*)) dnl
gen_require(`
type pdns_t, pdns_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, pdns_var_run_t, pdns_var_run_t, pdns_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_stream_connect'($*)) dnl
')
## The Open Group Pegasus CIM/WBEM Server.
######################################
##
## Creates types and rules for a basic
## openlmi init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`pegasus_openlmi_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pegasus_openlmi_domain_template'($*)) dnl
gen_require(`
attribute pegasus_openlmi_domain;
type pegasus_t;
')
##############################
#
# Declarations
#
type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
type pegasus_openlmi_$1_exec_t;
init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
##############################
#
# Local policy
#
domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;
kernel_read_system_state(pegasus_openlmi_$1_t)
logging_send_syslog_msg(pegasus_openlmi_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pegasus_openlmi_domain_template'($*)) dnl
')
########################################
##
## Connect to pegasus over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pegasus_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pegasus_stream_connect'($*)) dnl
gen_require(`
type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
')
files_search_pids($1)
stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pegasus_stream_connect'($*)) dnl
')
## Perdition POP and IMAP proxy.
########################################
##
## Connect to perdition over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`perdition_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `perdition_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `perdition_tcp_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an perdition environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`perdition_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `perdition_admin'($*)) dnl
gen_require(`
type perdition_t, perdition_initrc_exec_t, perdition_etc_t;
type perdition_var_run_t;
')
allow $1 perdition_t:process { ptrace signal_perms };
ps_process_pattern($1, perdition_t)
init_labeled_script_domtrans($1, perdition_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 perdition_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, perdition_etc_t)
files_search_pids($1)
admin_pattern($1, perdition_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `perdition_admin'($*)) dnl
')
## pesign utility for signing UEFI binaries as well as other associated tools
########################################
##
## Execute TEMPLATE in the pesign domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pesign_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_domtrans'($*)) dnl
gen_require(`
type pesign_t, pesign_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pesign_exec_t, pesign_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_domtrans'($*)) dnl
')
########################################
##
## Read pesign PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`pesign_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_read_pid_files'($*)) dnl
gen_require(`
type pesign_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_read_pid_files'($*)) dnl
')
########################################
##
## Execute pesign server in the pesign domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pesign_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_systemctl'($*)) dnl
gen_require(`
type pesign_t;
type pesign_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 pesign_unit_file_t:file read_file_perms;
allow $1 pesign_unit_file_t:service manage_service_perms;
ps_process_pattern($1, pesign_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an pesign environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`pesign_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_admin'($*)) dnl
gen_require(`
type pesign_t;
type pesign_var_run_t;
type pesign_unit_file_t;
')
allow $1 pesign_t:process { ptrace signal_perms };
ps_process_pattern($1, pesign_t)
files_search_pids($1)
admin_pattern($1, pesign_var_run_t)
pesign_systemctl($1)
admin_pattern($1, pesign_unit_file_t)
allow $1 pesign_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_admin'($*)) dnl
')
## Pingd of the Whatsup cluster node up/down detection utility.
########################################
##
## Execute a domain transition to run pingd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pingd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_domtrans'($*)) dnl
gen_require(`
type pingd_t, pingd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pingd_exec_t, pingd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_domtrans'($*)) dnl
')
#######################################
##
## Read pingd etc configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`pingd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_read_config'($*)) dnl
gen_require(`
type pingd_etc_t;
')
files_search_etc($1)
allow $1 pingd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_read_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## pingd etc configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`pingd_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_manage_config'($*)) dnl
gen_require(`
type pingd_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_manage_config'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an pingd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pingd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_admin'($*)) dnl
gen_require(`
type pingd_t, pingd_etc_t, pingd_modules_t;
type pingd_initrc_exec_t;
')
allow $1 pingd_t:process signal_perms;
ps_process_pattern($1, pingd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 pingd_t:process ptrace;
')
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, pingd_etc_t)
files_list_usr($1)
admin_pattern($1, pingd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_admin'($*)) dnl
')
## policy for piranha
#######################################
##
## Creates types and rules for a basic
## cluster init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`piranha_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domain_template'($*)) dnl
gen_require(`
attribute piranha_domain;
')
##############################
#
# piranha_$1_t declarations
#
type piranha_$1_t, piranha_domain;
type piranha_$1_exec_t;
init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
# tmpfs files
type piranha_$1_tmpfs_t, piranha_tmpfs;
files_tmpfs_file(piranha_$1_tmpfs_t)
# pid files
type piranha_$1_var_run_t;
files_pid_file(piranha_$1_var_run_t)
##############################
#
# piranha_$1_t local policy
#
manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
kernel_read_system_state(piranha_$1_t)
auth_use_nsswitch(piranha_$1_t)
logging_send_syslog_msg(piranha_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domain_template'($*)) dnl
')
########################################
##
## Execute a domain transition to run fos.
##
##
##
## Domain allowed to transition.
##
##
#
define(`piranha_domtrans_fos',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domtrans_fos'($*)) dnl
gen_require(`
type piranha_fos_t, piranha_fos_exec_t;
')
domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domtrans_fos'($*)) dnl
')
#######################################
##
## Execute a domain transition to run lvsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`piranha_domtrans_lvs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domtrans_lvs'($*)) dnl
gen_require(`
type piranha_lvs_t, piranha_lvs_exec_t;
')
domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domtrans_lvs'($*)) dnl
')
#######################################
##
## Execute a domain transition to run pulse.
##
##
##
## Domain allowed to transition.
##
##
#
define(`piranha_domtrans_pulse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domtrans_pulse'($*)) dnl
gen_require(`
type piranha_pulse_t, piranha_pulse_exec_t;
')
domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domtrans_pulse'($*)) dnl
')
#######################################
##
## Execute pulse server in the pulse domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`piranha_pulse_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_pulse_initrc_domtrans'($*)) dnl
gen_require(`
type piranha_pulse_initrc_exec_t;
')
init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_pulse_initrc_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to read piranha's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`piranha_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_read_log'($*)) dnl
gen_require(`
type piranha_log_t;
')
logging_search_logs($1)
read_files_pattern($1, piranha_log_t, piranha_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## piranha log files.
##
##
##
## Domain allowed access.
##
##
#
define(`piranha_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_append_log'($*)) dnl
gen_require(`
type piranha_log_t;
')
logging_search_logs($1)
append_files_pattern($1, piranha_log_t, piranha_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_append_log'($*)) dnl
')
########################################
##
## Allow domain to manage piranha log files
##
##
##
## Domain allowed access.
##
##
#
define(`piranha_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_manage_log'($*)) dnl
gen_require(`
type piranha_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
manage_files_pattern($1, piranha_log_t, piranha_log_t)
manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_manage_log'($*)) dnl
')
## Implementations of the Cryptoki specification.
########################################
##
## Read pkcs lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_read_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_read_lock'($*)) dnl
gen_require(`
type pkcs_slotd_lock_t;
')
files_search_locks($1)
list_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
read_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_read_lock'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## pkcs lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_manage_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_manage_lock'($*)) dnl
gen_require(`
type pkcs_slotd_lock_t;
')
files_search_locks($1)
manage_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
manage_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_manage_lock'($*)) dnl
')
########################################
##
## Read and write pkcs Shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_rw_shm'($*)) dnl
gen_require(`
type pkcs_slotd_t;
')
allow $1 pkcs_slotd_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_rw_shm'($*)) dnl
')
########################################
##
## Connect to pkcs using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_stream_connect'($*)) dnl
gen_require(`
type pkcs_slotd_t, pkcs_slotd_var_run_t;
')
stream_connect_pattern($1, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t, pkcs_slotd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_stream_connect'($*)) dnl
')
########################################
##
## Manage pkcs var_lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_manage_var_lib'($*)) dnl
gen_require(`
type pkcs_slotd_var_lib_t;
')
manage_dirs_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
manage_files_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_manage_var_lib'($*)) dnl
')
########################################
##
## Get attributes of pkcs executable files.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_getattr_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_getattr_exec_files'($*)) dnl
gen_require(`
type pkcs_slotd_exec_t;
')
allow $1 pkcs_slotd_exec_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_getattr_exec_files'($*)) dnl
')
########################################
##
## Create and manage objects in the tmpfs directories
## with a private type.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_tmpfs_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_tmpfs_filetrans'($*)) dnl
gen_require(`
type pkcs_slotd_tmpfs_t;
')
allow $1 pkcs_slotd_tmpfs_t:file map;
manage_files_pattern($1, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, { file dir })
fs_manage_tmpfs_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_tmpfs_filetrans'($*)) dnl
')
########################################
##
## Use opencryptoki services
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs_use_opencryptoki',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_use_opencryptoki'($*)) dnl
gen_require(`
type pkcs_slotd_t;
')
allow $1 self:capability fsetid;
allow pkcs_slotd_t $1:process signull;
kernel_search_proc($1)
ps_process_pattern(pkcs_slotd_t, $1)
corenet_tcp_connect_tcs_port($1)
dev_rw_crypto($1)
pkcs_getattr_exec_files($1)
pkcs_manage_lock($1)
pkcs_rw_shm($1)
pkcs_stream_connect($1)
pkcs_manage_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_use_opencryptoki'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an pkcs slotd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pkcs_admin_slotd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_admin_slotd'($*)) dnl
gen_require(`
type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
')
allow $1 pkcs_slotd_t:process { ptrace signal_perms };
ps_process_pattern($1, pkcs_slotd_t)
init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pkcs_slotd_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, pkcs_slotd_var_lib_t)
files_search_locks($1)
admin_pattern($1, pkcs_slotd_lock_t)
files_search_pids($1)
admin_pattern($1, pkcs_slotd_var_run_t)
files_search_tmp($1)
admin_pattern($1, pkcs_slotd_tmp_t)
fs_search_tmpfs($1)
admin_pattern($1, pkcs_slotd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_admin_slotd'($*)) dnl
')
## pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm
########################################
##
## Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pkcs11proxyd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_domtrans'($*)) dnl
gen_require(`
type pkcs11proxyd_t, pkcs11proxyd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_domtrans'($*)) dnl
')
######################################
##
## Execute pkcs11proxyd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs11proxyd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_exec'($*)) dnl
gen_require(`
type pkcs11proxyd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, pkcs11proxyd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_exec'($*)) dnl
')
########################################
##
## Search pkcs11proxyd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs11proxyd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_search_lib'($*)) dnl
gen_require(`
type pkcs11proxyd_var_lib_t;
')
allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_search_lib'($*)) dnl
')
########################################
##
## Read pkcs11proxyd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs11proxyd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_read_lib_files'($*)) dnl
gen_require(`
type pkcs11proxyd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_read_lib_files'($*)) dnl
')
########################################
##
## Manage pkcs11proxyd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs11proxyd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_manage_lib_files'($*)) dnl
gen_require(`
type pkcs11proxyd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage pkcs11proxyd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs11proxyd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_manage_lib_dirs'($*)) dnl
gen_require(`
type pkcs11proxyd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an pkcs11proxyd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pkcs11proxyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_admin'($*)) dnl
gen_require(`
type pkcs11proxyd_t;
type pkcs11proxyd_var_lib_t;
')
allow $1 pkcs11proxyd_t:process { signal_perms };
ps_process_pattern($1, pkcs11proxyd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 pkcs11proxyd_t:process ptrace;
')
files_search_var_lib($1)
admin_pattern($1, pkcs11proxyd_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_admin'($*)) dnl
')
########################################
##
## Connect to pkcs11proxyd over an unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pkcs11proxyd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_stream_connect'($*)) dnl
gen_require(`
type pkcs11proxyd_t, pkcs11proxyd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_stream_connect'($*)) dnl
')
## policy for pki
########################################
##
## Allow read and write pki cert files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_rw_tomcat_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_rw_tomcat_cert'($*)) dnl
gen_require(`
type pki_tomcat_cert_t;
type pki_tomcat_etc_rw_t;
')
allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_rw_tomcat_cert'($*)) dnl
')
########################################
##
## Allow read and write pki cert files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_tomcat_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_cert'($*)) dnl
gen_require(`
type pki_tomcat_cert_t;
type pki_tomcat_etc_rw_t;
')
allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_cert'($*)) dnl
')
########################################
##
## Allow read and write pki cert files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_tomcat_etc_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_etc_rw'($*)) dnl
gen_require(`
type pki_tomcat_etc_rw_t;
')
manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_etc_rw'($*)) dnl
')
########################################
##
## Allow domain to read pki cert files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_read_tomcat_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_tomcat_cert'($*)) dnl
gen_require(`
type pki_tomcat_cert_t;
')
read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_tomcat_cert'($*)) dnl
')
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
define(`pki_apache_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_apache_template'($*)) dnl
gen_require(`
attribute pki_apache_domain;
attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
')
########################################
#
# Declarations
#
type $1_t, pki_apache_domain;
type $1_exec_t, pki_apache_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
type $1_script_exec_t, pki_apache_script;
init_script_file($1_script_exec_t)
type $1_etc_rw_t, pki_apache_config;
files_type($1_etc_rw_t)
type $1_var_run_t, pki_apache_var_run;
files_pid_file($1_var_run_t)
type $1_var_lib_t, pki_apache_var_lib;
files_type($1_var_lib_t)
type $1_log_t, pki_apache_var_log;
logging_log_file($1_log_t)
type $1_lock_t;
files_lock_file($1_lock_t)
type $1_tmp_t;
files_tmpfs_file($1_tmp_t)
########################################
#
# $1 local policy
#
files_read_etc_files($1_t)
allow $1_t $1_etc_rw_t:lnk_file read;
manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t, { file dir })
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
#talk to lunasa hsm
logging_send_syslog_msg($1_t)
kernel_read_kernel_sysctls($1_t)
kernel_read_system_state($1_t)
corenet_all_recvfrom_unlabeled($1_t)
# need to resolve addresses?
auth_use_nsswitch($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_apache_template'($*)) dnl
')
#######################################
##
## Send a null signal to pki apache domains.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_apache_domain_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_apache_domain_signal'($*)) dnl
gen_require(`
attribute pki_apache_domain;
')
allow $1 pki_apache_domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_apache_domain_signal'($*)) dnl
')
#######################################
##
## Send a null signal to pki apache domains.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_apache_domain_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_apache_domain_signull'($*)) dnl
gen_require(`
attribute pki_apache_domain;
')
allow $1 pki_apache_domain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_apache_domain_signull'($*)) dnl
')
###################################
##
## Allow domain to read pki apache subsystem pid files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_apache_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_run'($*)) dnl
gen_require(`
attribute pki_apache_var_run;
')
files_search_var_lib($1)
read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_run'($*)) dnl
')
####################################
##
## Allow domain to manage pki apache subsystem lib files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_apache_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_lib'($*)) dnl
gen_require(`
attribute pki_apache_var_lib;
')
files_search_var_lib($1)
manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_lib'($*)) dnl
')
##################################
##
## Dontaudit domain to write pki log files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_search_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_search_log_dirs'($*)) dnl
gen_require(`
type pki_log_t;
')
search_dirs_pattern($1, pki_log_t, pki_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_search_log_dirs'($*)) dnl
')
##################################
##
## Dontaudit domain to write pki log files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_dontaudit_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_dontaudit_write_log'($*)) dnl
gen_require(`
type pki_log_t;
')
dontaudit $1 pki_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_dontaudit_write_log'($*)) dnl
')
###################################
##
## Allow domain to manage pki apache subsystem log files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_apache_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_log_files'($*)) dnl
gen_require(`
attribute pki_apache_var_log;
')
files_search_var_lib($1)
manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_log_files'($*)) dnl
')
##################################
##
## Allow domain to manage pki apache subsystem config files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_apache_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_config_files'($*)) dnl
gen_require(`
attribute pki_apache_config;
')
files_search_var_lib($1)
manage_files_pattern($1, pki_apache_config, pki_apache_config)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_config_files'($*)) dnl
')
#################################
##
## Allow domain to read pki tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_read_tomcat_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_tomcat_lib_files'($*)) dnl
gen_require(`
type pki_tomcat_var_lib_t;
')
read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_tomcat_lib_files'($*)) dnl
')
#################################
##
## Allow domain to manage pki tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_tomcat_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_lib'($*)) dnl
gen_require(`
type pki_tomcat_var_lib_t;
')
manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_lib'($*)) dnl
')
#################################
##
## Allow domain to manage pki tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_tomcat_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_log'($*)) dnl
gen_require(`
type pki_tomcat_log_t;
')
manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_log'($*)) dnl
')
#################################
##
## Allow domain to read pki tomcat lib dirs
##
##
##
## Domain allowed access.
##
##
#
define(`pki_read_tomcat_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_tomcat_lib_dirs'($*)) dnl
gen_require(`
type pki_tomcat_var_lib_t;
')
list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_tomcat_lib_dirs'($*)) dnl
')
########################################
##
## Allow read pki_common_t files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_read_common_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_common_files'($*)) dnl
gen_require(`
type pki_common_t;
')
read_files_pattern($1, pki_common_t, pki_common_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_common_files'($*)) dnl
')
########################################
##
## Allow execute pki_common_t files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_exec_common_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_exec_common_files'($*)) dnl
gen_require(`
type pki_common_t;
')
exec_files_pattern($1, pki_common_t, pki_common_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_exec_common_files'($*)) dnl
')
########################################
##
## Allow read pki_common_t files
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_common_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_common_files'($*)) dnl
gen_require(`
type pki_common_t;
')
manage_files_pattern($1, pki_common_t, pki_common_t)
manage_dirs_pattern($1, pki_common_t, pki_common_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_common_files'($*)) dnl
')
########################################
##
## Connect to pki over an unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_stream_connect'($*)) dnl
gen_require(`
type pki_tomcat_t, pki_common_t;
')
files_search_pids($1)
stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_stream_connect'($*)) dnl
')
########################################
##
## Execute pki in the pkit_tomcat_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pki_tomcat_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_tomcat_systemctl'($*)) dnl
gen_require(`
type pki_tomcat_t;
type pki_tomcat_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 pki_tomcat_unit_file_t:file read_file_perms;
allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
ps_process_pattern($1, pki_tomcat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_tomcat_systemctl'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## pki tomcat pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`pki_manage_tomcat_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_pid'($*)) dnl
gen_require(`
type pki_tomcat_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_pid'($*)) dnl
')
## Plymouth graphical boot
########################################
##
## Execute a domain transition to run plymouthd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`plymouthd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_domtrans'($*)) dnl
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_domtrans'($*)) dnl
')
########################################
##
## Execute the plymoth daemon in the current domain
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_exec'($*)) dnl
gen_require(`
type plymouthd_exec_t;
')
can_exec($1, plymouthd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_exec'($*)) dnl
')
########################################
##
## Allow domain to Stream socket connect
## to Plymouth daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_stream_connect'($*)) dnl
gen_require(`
type plymouthd_t;
')
allow $1 plymouthd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_stream_connect'($*)) dnl
')
########################################
##
## Execute the plymoth command in the current domain
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_exec_plymouth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_exec_plymouth'($*)) dnl
gen_require(`
type plymouth_exec_t;
')
can_exec($1, plymouth_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_exec_plymouth'($*)) dnl
')
########################################
##
## Execute a domain transition to run plymouthd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`plymouthd_domtrans_plymouth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_domtrans_plymouth'($*)) dnl
gen_require(`
type plymouth_t, plymouth_exec_t;
')
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_domtrans_plymouth'($*)) dnl
')
########################################
##
## Search plymouthd spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_search_spool'($*)) dnl
gen_require(`
type plymouthd_spool_t;
')
allow $1 plymouthd_spool_t:dir search_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_search_spool'($*)) dnl
')
########################################
##
## Read plymouthd spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_spool_files'($*)) dnl
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_spool_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## plymouthd spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_manage_spool_files'($*)) dnl
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_manage_spool_files'($*)) dnl
')
########################################
##
## Search plymouthd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_search_lib'($*)) dnl
gen_require(`
type plymouthd_var_lib_t;
')
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_search_lib'($*)) dnl
')
########################################
##
## Read plymouthd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_lib_files'($*)) dnl
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## plymouthd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_manage_lib_files'($*)) dnl
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_manage_lib_files'($*)) dnl
')
########################################
##
## Read plymouthd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_pid_files'($*)) dnl
gen_require(`
type plymouthd_var_run_t;
')
files_search_pids($1)
allow $1 plymouthd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_pid_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## to plymouthd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_log'($*)) dnl
gen_require(`
type plymouthd_var_log_t;
')
logging_search_logs($1)
read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_log'($*)) dnl
')
#####################################
##
## Allow the specified domain to create plymouthd's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_create_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_create_log'($*)) dnl
gen_require(`
type plymouthd_var_log_t;
')
logging_search_logs($1)
create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_create_log'($*)) dnl
')
########################################
##
## Allow the specified domain to manage
## to plymouthd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_manage_log'($*)) dnl
gen_require(`
type plymouthd_var_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_manage_log'($*)) dnl
')
#######################################
##
## Allow domain to create boot.log
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_filetrans_named_content'($*)) dnl
gen_require(`
type plymouthd_var_log_t;
')
logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an plymouthd environment
##
##
##
## Domain allowed access.
##
##
#
define(`plymouthd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_admin'($*)) dnl
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
allow $1 plymouthd_t:process signal_perms;
ps_process_pattern($1, plymouthd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 plymouthd_t:process ptrace;
')
files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
admin_pattern($1, plymouthd_var_lib_t)
files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_admin'($*)) dnl
')
## Podsleuth is a tool to get information about an Apple (TM) iPod (TM).
########################################
##
## Execute a domain transition to run podsleuth.
##
##
##
## Domain allowed to transition.
##
##
#
define(`podsleuth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `podsleuth_domtrans'($*)) dnl
gen_require(`
type podsleuth_t, podsleuth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `podsleuth_domtrans'($*)) dnl
')
########################################
##
## Execute podsleuth in the podsleuth
## domain, and allow the specified role
## the podsleuth domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`podsleuth_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `podsleuth_run'($*)) dnl
gen_require(`
attribute_role podsleuth_roles;
')
podsleuth_domtrans($1)
roleattribute $2 podsleuth_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `podsleuth_run'($*)) dnl
')
## Policy framework for controlling privileges for system-wide services.
########################################
##
## Send and receive messages from
## policykit over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`policykit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_dbus_chat'($*)) dnl
gen_require(`
type policykit_t;
class dbus send_msg;
')
ps_process_pattern(policykit_t, $1)
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## policykit over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`policykit_dbus_chat_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_dbus_chat_auth'($*)) dnl
gen_require(`
type policykit_auth_t;
class dbus send_msg;
')
ps_process_pattern(policykit_auth_t, $1)
allow $1 policykit_auth_t:dbus send_msg;
allow policykit_auth_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_dbus_chat_auth'($*)) dnl
')
########################################
##
## Execute a domain transition to run polkit_auth.
##
##
##
## Domain allowed to transition.
##
##
#
define(`policykit_domtrans_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_domtrans_auth'($*)) dnl
gen_require(`
type policykit_auth_t, policykit_auth_exec_t;
')
domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_domtrans_auth'($*)) dnl
')
########################################
##
## Execute a policy_auth in the policy_auth domain, and
## allow the specified role the policy_auth domain,
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`policykit_run_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_run_auth'($*)) dnl
gen_require(`
type policykit_auth_t;
')
policykit_domtrans_auth($1)
role $2 types policykit_auth_t;
allow $1 policykit_auth_t:process signal;
ps_process_pattern(policykit_auth_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_run_auth'($*)) dnl
')
########################################
##
## Execute a domain transition to run polkit_grant.
##
##
##
## Domain allowed to transition.
##
##
#
define(`policykit_domtrans_grant',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_domtrans_grant'($*)) dnl
gen_require(`
type policykit_grant_t, policykit_grant_exec_t;
')
domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_domtrans_grant'($*)) dnl
')
########################################
##
## Execute a policy_grant in the policy_grant domain, and
## allow the specified role the policy_grant domain,
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`policykit_run_grant',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_run_grant'($*)) dnl
gen_require(`
type policykit_grant_t;
')
policykit_domtrans_grant($1)
role $2 types policykit_grant_t;
allow $1 policykit_grant_t:process signal;
ps_process_pattern(policykit_grant_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_run_grant'($*)) dnl
')
########################################
##
## read policykit reload files
##
##
##
## Domain allowed access.
##
##
#
define(`policykit_read_reload',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_read_reload'($*)) dnl
gen_require(`
type policykit_reload_t;
')
files_search_var_lib($1)
read_files_pattern($1, policykit_reload_t, policykit_reload_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_read_reload'($*)) dnl
')
########################################
##
## rw policykit reload files
##
##
##
## Domain allowed access.
##
##
#
define(`policykit_rw_reload',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_rw_reload'($*)) dnl
gen_require(`
type policykit_reload_t;
')
files_search_var_lib($1)
rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_rw_reload'($*)) dnl
')
########################################
##
## Execute a domain transition to run polkit_resolve.
##
##
##
## Domain allowed to transition.
##
##
#
define(`policykit_domtrans_resolve',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_domtrans_resolve'($*)) dnl
gen_require(`
type policykit_resolve_t, policykit_resolve_exec_t;
')
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
ps_process_pattern(policykit_resolve_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_domtrans_resolve'($*)) dnl
')
########################################
##
## Search policykit lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`policykit_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_search_lib'($*)) dnl
gen_require(`
type policykit_var_lib_t;
')
allow $1 policykit_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_search_lib'($*)) dnl
')
########################################
##
## read policykit lib files
##
##
##
## Domain allowed access.
##
##
#
define(`policykit_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_read_lib'($*)) dnl
gen_require(`
type policykit_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
optional_policy(`
# Broken placement
cron_read_system_job_lib_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_read_lib'($*)) dnl
')
#######################################
##
## The per role template for the policykit module.
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`policykit_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_role'($*)) dnl
policykit_run_auth($2, $1)
policykit_run_grant($2, $1)
policykit_read_lib($2)
policykit_read_reload($2)
policykit_dbus_chat($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_role'($*)) dnl
')
########################################
##
## Send generic signal to policy_auth
##
##
##
## Domain allowed to transition.
##
##
#
define(`policykit_signal_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_signal_auth'($*)) dnl
gen_require(`
type policykit_auth_t;
')
allow $1 policykit_auth_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_signal_auth'($*)) dnl
')
## Caching web proxy.
########################################
##
## Role access for polipo session.
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`polipo_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_role'($*)) dnl
gen_require(`
type polipo_session_t, polipo_exec_t;
')
########################################
#
# Declarations
#
role $1 types polipo_session_t;
########################################
#
# Policy
#
allow $2 polipo_session_t:process signal_perms;
ps_process_pattern($2, polipo_session_t)
tunable_policy(`deny_ptrace',`',`
allow $2 polipo_session_t:process ptrace;
')
tunable_policy(`polipo_session_users',`
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
',`
can_exec($2, polipo_exec_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_role'($*)) dnl
')
########################################
##
## Create configuration files in user
## home directories with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`polipo_named_filetrans_config_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_config_home_files'($*)) dnl
gen_require(`
type polipo_config_home_t;
')
userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_config_home_files'($*)) dnl
')
########################################
##
## Create cache directories in user
## home directories with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`polipo_named_filetrans_cache_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_cache_home_dirs'($*)) dnl
gen_require(`
type polipo_cache_home_t;
')
userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_cache_home_dirs'($*)) dnl
')
########################################
##
## Create configuration files in admin
## home directories with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`polipo_named_filetrans_admin_config_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_admin_config_home_files'($*)) dnl
gen_require(`
type polipo_config_home_t;
')
userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_admin_config_home_files'($*)) dnl
')
########################################
##
## Create cache directories in admin
## home directories with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`polipo_named_filetrans_admin_cache_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_admin_cache_home_dirs'($*)) dnl
gen_require(`
type polipo_cache_home_t;
')
userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_admin_cache_home_dirs'($*)) dnl
')
########################################
##
## Create log files with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`polipo_named_filetrans_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_log_files'($*)) dnl
gen_require(`
type polipo_log_t;
')
logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_log_files'($*)) dnl
')
########################################
##
## Execute polipo server in the polipo domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`polipo_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_systemctl'($*)) dnl
gen_require(`
type polipo_t;
type polipo_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 polipo_unit_file_t:file read_file_perms;
allow $1 polipo_unit_file_t:service manage_service_perms;
ps_process_pattern($1, polipo_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_systemctl'($*)) dnl
')
########################################
##
## Administrate an polipo environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`polipo_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_admin'($*)) dnl
gen_require(`
type polipo_t, polipo_pid_t, polipo_cache_t;
type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
type polipo_unit_file_t;
')
allow $1 polipo_t:process signal_perms;
ps_process_pattern($1, polipo_t)
tunable_policy(`deny_ptrace',`',`
allow $1 polipo_t:process ptrace;
')
init_labeled_script_domtrans($1, polipo_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 polipo_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, polipo_etc_t)
logging_list_logs($1)
admin_pattern($1, polipo_log_t)
files_list_var($1)
admin_pattern($1, polipo_cache_t)
files_list_pids($1)
admin_pattern($1, polipo_pid_t)
polipo_systemctl($1)
admin_pattern($1, polipo_unit_file_t)
allow $1 polipo_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_admin'($*)) dnl
')
## Package Management System.
########################################
##
## Execute emerge in the portage domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portage_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans'($*)) dnl
gen_require(`
type portage_t, portage_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, portage_exec_t, portage_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans'($*)) dnl
')
########################################
##
## Execute emerge in the portage domain,
## and allow the specified role the
## portage domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`portage_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_run'($*)) dnl
gen_require(`
attribute_role portage_roles;
')
portage_domtrans($1)
roleattribute $2 portage_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_run'($*)) dnl
')
########################################
##
## Template for portage sandbox.
##
##
##
## Template for portage sandbox. Portage
## does all compiling in the sandbox.
##
##
##
##
## Domain Allowed Access
##
##
#
define(`portage_compile_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_compile_domain'($*)) dnl
gen_require(`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
type portage_sandbox_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search net_raw };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow $1 self:fd use;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;
# really shouldnt need this
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl):
allow $1 self:rawip_socket { create ioctl };
# needed for merging dbus:
allow $1 self:netlink_selinux_socket { bind create read };
allow $1 self:dbus send_msg;
allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1, portage_devpts_t)
# write compile logs
allow $1 portage_log_t:dir setattr_dir_perms;
allow $1 portage_log_t:file { write_file_perms setattr_file_perms };
# Support live ebuilds (-9999)
manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
allow $1 portage_tmp_t:file relabel_file_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
kernel_getattr_core_if($1)
kernel_getattr_message_if($1)
kernel_read_kernel_sysctls($1)
corecmd_exec_all_executables($1)
# really shouldnt need this but some packages test
# network access, such as during configure
# also distcc--need to reinvestigate confining distcc client
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_raw_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1)
corenet_tcp_connect_git_port($1)
dev_read_sysfs($1)
dev_read_rand($1)
dev_read_urand($1)
domain_use_interactive_fds($1)
domain_dontaudit_read_all_domains_state($1)
# SELinux-aware installs doing relabels in the sandbox
domain_obj_id_change_exemption($1)
files_exec_etc_files($1)
files_exec_usr_src_files($1)
fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1)
fs_read_noxattr_fs_symlinks($1)
fs_search_auto_mountpoints($1)
selinux_validate_context($1)
# needed for merging dbus:
selinux_compute_access_vector($1)
files_list_non_auth_dirs($1)
files_read_non_auth_files($1)
files_read_non_auth_symlinks($1)
libs_exec_lib_files($1)
# some config scripts use ldd
libs_exec_ld_so($1)
libs_exec_ldconfig($1)
logging_send_syslog_msg($1)
userdom_use_user_terminals($1)
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
tunable_policy(`portage_use_nfs',`
fs_getattr_nfs($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
fs_manage_nfs_symlinks($1)
')
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
allow $1 xdm_xserver_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms };
')
') dnl end TODO
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_compile_domain'($*)) dnl
')
########################################
##
## Execute tree management functions
## (fetching, layman, ...) in the
## portage fetch domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portage_domtrans_fetch',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans_fetch'($*)) dnl
gen_require(`
type portage_fetch_t, portage_fetch_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans_fetch'($*)) dnl
')
########################################
##
## Execute tree management functions
## (fetching, layman, ...) in the
## portage fetch domain, and allow
## the specified role the portage
## fetch domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`portage_run_fetch',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_run_fetch'($*)) dnl
gen_require(`
attribute_role portage_fetch_roles;
')
portage_domtrans_fetch($1)
roleattribute $2 portage_fetch_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_run_fetch'($*)) dnl
')
########################################
##
## Execute gcc-config in the gcc config domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portage_domtrans_gcc_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans_gcc_config'($*)) dnl
gen_require(`
type gcc_config_t, gcc_config_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans_gcc_config'($*)) dnl
')
########################################
##
## Execute gcc-config in the gcc config
## domain, and allow the specified role
## the gcc_config domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`portage_run_gcc_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_run_gcc_config'($*)) dnl
gen_require(`
attribute_role gcc_config_roles;
')
portage_domtrans_gcc_config($1)
roleattribute $2 gcc_config_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_run_gcc_config'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## portage file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`portage_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_dontaudit_use_fds'($*)) dnl
gen_require(`
type portage_t;
')
dontaudit $1 portage_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## portage temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`portage_dontaudit_search_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_dontaudit_search_tmp'($*)) dnl
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_dontaudit_search_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## the portage temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`portage_dontaudit_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_dontaudit_rw_tmp_files'($*)) dnl
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_dontaudit_rw_tmp_files'($*)) dnl
')
## RPC port mapping service.
########################################
##
## Execute portmap helper in the helper domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portmap_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_domtrans_helper'($*)) dnl
gen_require(`
type portmap_helper_t, portmap_helper_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_domtrans_helper'($*)) dnl
')
########################################
##
## Execute portmap helper in the helper
## domain, and allow the specified role
## the helper domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`portmap_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_run_helper'($*)) dnl
gen_require(`
attribute_role portmap_helper_roles;
')
portmap_domtrans_helper($1)
roleattribute $2 portmap_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_run_helper'($*)) dnl
')
########################################
##
## Send UDP network traffic to portmap. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`portmap_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_udp_send'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_udp_send'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic from portmap. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`portmap_udp_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_udp_chat'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_udp_chat'($*)) dnl
')
########################################
##
## Connect to portmap over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`portmap_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_tcp_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an portmap environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`portmap_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_admin'($*)) dnl
gen_require(`
type portmap_t, portmap_initrc_exec_t, portmap_helper_t;
type portmap_var_run_t, portmap_tmp_t;
')
allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
ps_process_pattern($1, { portmap_t portmap_helper_t })
init_labeled_script_domtrans($1, portmap_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 portmap_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, portmap_var_run_t)
files_search_tmp($1)
admin_pattern($1, portmap_tmp_t)
portmap_run_helper($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_admin'($*)) dnl
')
## Reserve well-known ports in the RPC port range.
########################################
##
## Execute a domain transition to run portreserve.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portreserve_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_domtrans'($*)) dnl
gen_require(`
type portreserve_t, portreserve_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, portreserve_exec_t, portreserve_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_domtrans'($*)) dnl
')
#######################################
##
## Read portreserve configuration content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`portreserve_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_read_config'($*)) dnl
gen_require(`
type portreserve_etc_t;
')
files_search_etc($1)
allow $1 portreserve_etc_t:dir list_dir_perms;
allow $1 portreserve_etc_t:file read_file_perms;
allow $1 portreserve_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_read_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## portreserve configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`portreserve_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_manage_config'($*)) dnl
gen_require(`
type portreserve_etc_t;
')
files_search_etc($1)
allow $1 portreserve_etc_t:dir manage_dir_perms;
allow $1 portreserve_etc_t:file manage_file_perms;
allow $1 portreserve_etc_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_manage_config'($*)) dnl
')
########################################
##
## Execute portreserve init scripts in
## the init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portreserve_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_initrc_domtrans'($*)) dnl
gen_require(`
type portreserve_initrc_exec_t;
')
init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an portreserve environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`portreserve_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_admin'($*)) dnl
gen_require(`
type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
type portreserve_initrc_exec_t;
')
allow $1 portreserve_t:process signal_perms;
ps_process_pattern($1, portreserve_t)
tunable_policy(`deny_ptrace',`',`
allow $1 portreserve_t:process ptrace;
')
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 portreserve_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, portreserve_etc_t)
files_list_pids($1)
admin_pattern($1, portreserve_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_admin'($*)) dnl
')
## Portslave terminal server software.
########################################
##
## Execute portslave with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`portslave_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portslave_domtrans'($*)) dnl
gen_require(`
type portslave_t, portslave_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, portslave_exec_t, portslave_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portslave_domtrans'($*)) dnl
')
## Postfix email server
########################################
##
## Postfix stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_stub'($*)) dnl
gen_require(`
type postfix_master_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_stub'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## postfix process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`postfix_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domain_template'($*)) dnl
gen_require(`
attribute postfix_domain;
')
type postfix_$1_t, postfix_domain;
type postfix_$1_exec_t;
domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
kernel_read_system_state(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
logging_send_syslog_msg(postfix_$1_t)
can_exec(postfix_$1_t, postfix_$1_exec_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domain_template'($*)) dnl
')
########################################
##
## Creates a postfix server process domain.
##
##
##
## Prefix of the domain.
##
##
#
define(`postfix_server_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_server_domain_template'($*)) dnl
postfix_domain_template($1)
type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
corenet_all_recvfrom_netlabel(postfix_$1_t)
corenet_tcp_sendrecv_generic_if(postfix_$1_t)
corenet_udp_sendrecv_generic_if(postfix_$1_t)
corenet_tcp_sendrecv_generic_node(postfix_$1_t)
corenet_udp_sendrecv_generic_node(postfix_$1_t)
corenet_tcp_sendrecv_all_ports(postfix_$1_t)
corenet_udp_sendrecv_all_ports(postfix_$1_t)
corenet_tcp_bind_generic_node(postfix_$1_t)
corenet_udp_bind_generic_node(postfix_$1_t)
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_server_domain_template'($*)) dnl
')
########################################
##
## Creates a process domain for programs
## that are ran by users.
##
##
##
## Prefix of the domain.
##
##
#
define(`postfix_user_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_user_domain_template'($*)) dnl
gen_require(`
attribute postfix_user_domains, postfix_user_domtrans;
')
postfix_domain_template($1)
typeattribute postfix_$1_t postfix_user_domains;
allow postfix_$1_t self:capability { dac_read_search };
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
application_domain(postfix_$1_t, postfix_$1_exec_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_user_domain_template'($*)) dnl
')
########################################
##
## Read postfix configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`postfix_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_config'($*)) dnl
gen_require(`
type postfix_etc_t;
')
read_files_pattern($1, postfix_etc_t, postfix_etc_t)
list_dirs_pattern($1, postfix_etc_t, postfix_etc_t)
read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_config'($*)) dnl
')
########################################
##
## Create files with the specified type in
## the postfix configuration directories.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`postfix_config_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_config_filetrans'($*)) dnl
gen_require(`
type postfix_etc_t;
')
files_search_etc($1)
filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_config_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write postfix local delivery
## TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`postfix_dontaudit_rw_local_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl
gen_require(`
type postfix_local_t;
')
dontaudit $1 postfix_local_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl
')
########################################
##
## Allow read/write postfix local pipes
## TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_rw_local_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_local_pipes'($*)) dnl
gen_require(`
type postfix_local_t;
')
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_local_pipes'($*)) dnl
')
#######################################
##
## Allow read/write postfix public pipes
## TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_rw_public_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_public_pipes'($*)) dnl
gen_require(`
type postfix_public_t;
')
allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_public_pipes'($*)) dnl
')
########################################
##
## Allow domain to read postfix local process state
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_read_local_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_local_state'($*)) dnl
gen_require(`
type postfix_local_t;
')
kernel_search_proc($1)
ps_process_pattern($1, postfix_local_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_local_state'($*)) dnl
')
########################################
##
## Allow domain to read postfix master process state
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_read_master_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_master_state'($*)) dnl
gen_require(`
type postfix_master_t;
')
kernel_search_proc($1)
ps_process_pattern($1, postfix_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_master_state'($*)) dnl
')
########################################
##
## Use postfix master process file
## file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_use_fds_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_use_fds_master'($*)) dnl
gen_require(`
type postfix_master_t;
')
allow $1 postfix_master_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_use_fds_master'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## postfix master process file
## file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`postfix_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_use_fds'($*)) dnl
gen_require(`
type postfix_master_t;
')
dontaudit $1 postfix_master_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Execute postfix_map in the postfix_map domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postfix_domtrans_map',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_map'($*)) dnl
gen_require(`
type postfix_map_t, postfix_map_exec_t;
')
domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_map'($*)) dnl
')
########################################
##
## Execute postfix_map in the postfix_map domain, and
## allow the specified role the postfix_map domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`postfix_run_map',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_map'($*)) dnl
gen_require(`
type postfix_map_t;
')
postfix_domtrans_map($1)
role $2 types postfix_map_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_map'($*)) dnl
')
########################################
##
## Execute the master postfix program in the
## postfix_master domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postfix_domtrans_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_master'($*)) dnl
gen_require(`
type postfix_master_t, postfix_master_exec_t;
attribute postfix_domain;
')
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_master'($*)) dnl
')
########################################
##
## Execute the master postfix in the postfix master domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_initrc_domtrans'($*)) dnl
gen_require(`
type postfix_initrc_exec_t;
')
init_labeled_script_domtrans($1, postfix_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute the master postfix program in the
## caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_exec_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec_master'($*)) dnl
gen_require(`
type postfix_master_exec_t;
')
can_exec($1, postfix_master_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec_master'($*)) dnl
')
#######################################
##
## Connect to postfix master process using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_stream_connect_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_stream_connect_master'($*)) dnl
gen_require(`
type postfix_master_t, postfix_public_t;
')
stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_stream_connect_master'($*)) dnl
')
########################################
##
## Allow read/write postfix master pipes
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_rw_inherited_master_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_inherited_master_pipes'($*)) dnl
gen_require(`
type postfix_master_t;
')
allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_inherited_master_pipes'($*)) dnl
')
########################################
##
## Execute the master postdrop in the
## postfix_postdrop domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postfix_domtrans_postdrop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postdrop'($*)) dnl
gen_require(`
type postfix_postdrop_t, postfix_postdrop_exec_t;
')
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postdrop'($*)) dnl
')
########################################
##
## Execute the master postqueue in the
## postfix_postqueue domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postfix_domtrans_postqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postqueue'($*)) dnl
gen_require(`
type postfix_postqueue_t, postfix_postqueue_exec_t;
')
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postqueue'($*)) dnl
')
########################################
##
## Execute the master postqueue in the
## postfix_postdrop domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to be allowed the iptables domain.
##
##
##
#
define(`postfix_run_postqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_postqueue'($*)) dnl
gen_require(`
type postfix_postqueue_t;
')
postfix_domtrans_postqueue($1)
role $2 types postfix_postqueue_t;
allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_postqueue'($*)) dnl
')
########################################
##
## Execute postfix_postgqueue in the postfix_postgqueue domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postfix_domtrans_postgqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postgqueue'($*)) dnl
gen_require(`
type postfix_postgqueue_t;
type postfix_postgqueue_exec_t;
')
domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postgqueue'($*)) dnl
')
########################################
##
## Execute postfix_postgqueue in the postfix_postgqueue domain, and
## allow the specified role the postfix_postgqueue domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`postfix_run_postgqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_postgqueue'($*)) dnl
gen_require(`
type postfix_postgqueue_t;
')
postfix_domtrans_postgqueue($1)
role $2 types postfix_postgqueue_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_postgqueue'($*)) dnl
')
#######################################
##
## Execute the master postqueue in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_exec_postqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec_postqueue'($*)) dnl
gen_require(`
type postfix_postqueue_exec_t;
')
can_exec($1, postfix_postqueue_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec_postqueue'($*)) dnl
')
########################################
##
## Create a named socket in a postfix private directory.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_create_private_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_create_private_sockets'($*)) dnl
gen_require(`
type postfix_private_t;
')
allow $1 postfix_private_t:dir list_dir_perms;
create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_create_private_sockets'($*)) dnl
')
########################################
##
## manage named socket in a postfix private directory.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_manage_private_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_private_sockets'($*)) dnl
gen_require(`
type postfix_private_t;
')
allow $1 postfix_private_t:dir list_dir_perms;
manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_private_sockets'($*)) dnl
')
########################################
##
## Execute the master postfix program in the
## postfix_master domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postfix_domtrans_smtp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_smtp'($*)) dnl
gen_require(`
type postfix_smtp_t, postfix_smtp_exec_t;
')
domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_smtp'($*)) dnl
')
########################################
##
## Getattr postfix mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_getattr_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_getattr_spool_files'($*)) dnl
gen_require(`
attribute postfix_spool_type;
')
files_search_spool($1)
getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_getattr_spool_files'($*)) dnl
')
########################################
##
## Search postfix mail spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_search_spool'($*)) dnl
gen_require(`
attribute postfix_spool_type;
')
allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_search_spool'($*)) dnl
')
########################################
##
## List postfix mail spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_list_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_list_spool'($*)) dnl
gen_require(`
attribute postfix_spool_type;
')
allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_list_spool'($*)) dnl
')
########################################
##
## Read postfix mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_spool_files'($*)) dnl
gen_require(`
attribute postfix_spool_type;
')
files_search_spool($1)
read_files_pattern($1, postfix_spool_type, postfix_spool_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_spool_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete postfix mail spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_spool_files'($*)) dnl
gen_require(`
attribute postfix_spool_type;
')
files_search_spool($1)
manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_spool_files'($*)) dnl
')
#######################################
##
## Read, write, and delete postfix maildrop spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_rw_spool_maildrop_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_spool_maildrop_files'($*)) dnl
gen_require(`
type postfix_spool_maildrop_t;
')
files_search_spool($1)
rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_spool_maildrop_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete postfix maildrop spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_manage_spool_maildrop_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_spool_maildrop_files'($*)) dnl
gen_require(`
type postfix_spool_maildrop_t;
')
files_search_spool($1)
manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_spool_maildrop_files'($*)) dnl
')
########################################
##
## Execute postfix user mail programs
## in their respective domains.
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_domtrans_user_mail_handler',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_user_mail_handler'($*)) dnl
gen_require(`
attribute postfix_user_domtrans;
')
typeattribute $1 postfix_user_domtrans;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_user_mail_handler'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an postfix environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`postfix_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_admin'($*)) dnl
gen_require(`
attribute postfix_spool_type;
type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
type postfix_smtpd_t, postfix_var_run_t;
')
allow $1 postfix_bounce_t:process signal_perms;
ps_process_pattern($1, postfix_bounce_t)
tunable_policy(`deny_ptrace',`',`
allow $1 postfix_bounce_t:process ptrace;
')
allow $1 postfix_cleanup_t:process signal_perms;
ps_process_pattern($1, postfix_cleanup_t)
tunable_policy(`deny_ptrace',`',`
allow $1 postfix_cleanup_t:process ptrace;
allow $1 postfix_local_t:process ptrace;
allow $1 postfix_master_t:process ptrace;
allow $1 postfix_pickup_t:process ptrace;
allow $1 postfix_qmgr_t:process ptrace;
allow $1 postfix_smtpd_t:process ptrace;
')
allow $1 postfix_local_t:process signal_perms;
ps_process_pattern($1, postfix_local_t)
allow $1 postfix_master_t:process signal_perms;
ps_process_pattern($1, postfix_master_t)
allow $1 postfix_pickup_t:process signal_perms;
ps_process_pattern($1, postfix_pickup_t)
allow $1 postfix_qmgr_t:process signal_perms;
ps_process_pattern($1, postfix_qmgr_t)
allow $1 postfix_smtpd_t:process signal_perms;
ps_process_pattern($1, postfix_smtpd_t)
postfix_run_map($1, $2)
postfix_run_postdrop($1, $2)
postfix_run_postqueue($1, $2)
postfix_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 postfix_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, postfix_data_t)
files_list_etc($1)
admin_pattern($1, postfix_etc_t)
files_list_spool($1)
admin_pattern($1, postfix_spool_type)
admin_pattern($1, postfix_var_run_t)
files_list_tmp($1)
admin_pattern($1, postfix_map_tmp_t)
admin_pattern($1, postfix_prng_t)
admin_pattern($1, postfix_public_t)
postfix_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_admin'($*)) dnl
')
########################################
##
## Execute the master postdrop in the
## postfix_postdrop domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to be allowed the iptables domain.
##
##
##
#
define(`postfix_run_postdrop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_postdrop'($*)) dnl
gen_require(`
type postfix_postdrop_t;
')
postfix_domtrans_postdrop($1)
role $2 types postfix_postdrop_t;
allow $1 postfix_postdrop_t:process signal;
allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_postdrop'($*)) dnl
')
########################################
##
## Execute postfix exec in the users domain
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec'($*)) dnl
gen_require(`
type postfix_exec_t;
')
can_exec($1, postfix_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec'($*)) dnl
')
########################################
##
## Transition to postfix named content
##
##
##
## Domain allowed access.
##
##
#
define(`postfix_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_filetrans_named_content'($*)) dnl
gen_require(`
type postfix_exec_t;
type postfix_prng_t;
')
postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_filetrans_named_content'($*)) dnl
')
## Postfix policy server.
########################################
##
## All of the rules required to administrate
## an postfixpolicyd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`postfixpolicyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfixpolicyd_admin'($*)) dnl
gen_require(`
type postfix_policyd_t, postfix_policyd_conf_t;
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
allow $1 postfix_policyd_t:process signal_perms;
ps_process_pattern($1, postfix_policyd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 postfix_policyd_t:process ptrace;
')
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postfix_policyd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postfix_policyd_conf_t)
files_list_pids($1)
admin_pattern($1, postfix_policyd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfixpolicyd_admin'($*)) dnl
')
## Postfix grey-listing server.
########################################
##
## Connect to postgrey using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`postgrey_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgrey_stream_connect'($*)) dnl
gen_require(`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgrey_stream_connect'($*)) dnl
')
########################################
##
## Search spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`postgrey_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgrey_search_spool'($*)) dnl
gen_require(`
type postgrey_spool_t;
')
files_search_spool($1)
allow $1 postgrey_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgrey_search_spool'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an postgrey environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`postgrey_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgrey_admin'($*)) dnl
gen_require(`
type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
')
allow $1 postgrey_t:process signal_perms;
ps_process_pattern($1, postgrey_t)
tunable_policy(`deny_ptrace',`',`
allow $1 postgrey_t:process ptrace;
')
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, postgrey_etc_t)
files_list_var_lib($1)
admin_pattern($1, postgrey_var_lib_t)
files_list_spool($1)
admin_pattern($1, postgrey_spool_t)
files_list_pids($1)
admin_pattern($1, postgrey_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgrey_admin'($*)) dnl
')
## Point to Point Protocol daemon creates links in ppp networks
#######################################
##
## Create, read, write, and delete
## ppp home files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_manage_home_files'($*)) dnl
gen_require(`
type ppp_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 ppp_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_manage_home_files'($*)) dnl
')
#######################################
##
## Read ppp user home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_home_files'($*)) dnl
gen_require(`
type ppp_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 ppp_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_home_files'($*)) dnl
')
#######################################
##
## Relabel ppp home files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_relabel_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_relabel_home_files'($*)) dnl
gen_require(`
type ppp_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 ppp_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_relabel_home_files'($*)) dnl
')
#######################################
##
## Create objects in user home
## directories with the ppp home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`ppp_home_filetrans_ppp_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_home_filetrans_ppp_home'($*)) dnl
gen_require(`
type ppp_home_t;
')
userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_home_filetrans_ppp_home'($*)) dnl
')
########################################
##
## Inherit and use ppp file discriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_use_fds'($*)) dnl
gen_require(`
type pppd_t;
')
allow $1 pppd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## and use PPP file discriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`ppp_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_dontaudit_use_fds'($*)) dnl
gen_require(`
type pppd_t;
')
dontaudit $1 pppd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to PPP.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_sigchld'($*)) dnl
gen_require(`
type pppd_t;
')
allow $1 pppd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_sigchld'($*)) dnl
')
########################################
##
## Send ppp a kill signal
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_kill'($*)) dnl
gen_require(`
type pppd_t;
')
allow $1 pppd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_kill'($*)) dnl
')
########################################
##
## Send a generic signal to PPP.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_signal'($*)) dnl
gen_require(`
type pppd_t;
')
allow $1 pppd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_signal'($*)) dnl
')
########################################
##
## Send a generic signull to PPP.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_signull'($*)) dnl
gen_require(`
type pppd_t;
')
allow $1 pppd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_signull'($*)) dnl
')
########################################
##
## Execute domain in the ppp domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ppp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_domtrans'($*)) dnl
gen_require(`
type pppd_t, pppd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pppd_exec_t, pppd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_domtrans'($*)) dnl
')
########################################
##
## Conditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the ppp domain.
##
##
##
#
define(`ppp_run_cond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_run_cond'($*)) dnl
gen_require(`
attribute_role pppd_roles;
')
roleattribute $2 pppd_roles;
tunable_policy(`pppd_for_user',`
ppp_domtrans($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_run_cond'($*)) dnl
')
########################################
##
## Unconditionally execute ppp daemon on behalf of a user or staff type.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the ppp domain.
##
##
##
#
define(`ppp_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_run'($*)) dnl
gen_require(`
attribute_role pppd_roles;
')
ppp_domtrans($1)
roleattribute $2 pppd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_run'($*)) dnl
')
########################################
##
## Execute domain in the ppp caller.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_exec'($*)) dnl
gen_require(`
type pppd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, pppd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_exec'($*)) dnl
')
########################################
##
## Read ppp configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_config'($*)) dnl
gen_require(`
type pppd_etc_t;
')
read_files_pattern($1, pppd_etc_t, pppd_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_config'($*)) dnl
')
########################################
##
## Read PPP-writable configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_rw_config'($*)) dnl
gen_require(`
type pppd_etc_t, pppd_etc_rw_t;
')
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_etc_rw_t:file read_file_perms;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_rw_config'($*)) dnl
')
########################################
##
## Read PPP secrets.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_secrets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_secrets'($*)) dnl
gen_require(`
type pppd_etc_t, pppd_secret_t;
')
allow $1 pppd_etc_t:dir list_dir_perms;
allow $1 pppd_secret_t:file read_file_perms;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_secrets'($*)) dnl
')
########################################
##
## Read PPP pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_pid_files'($*)) dnl
gen_require(`
type pppd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete PPP pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_manage_pid_files'($*)) dnl
gen_require(`
type pppd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_manage_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete PPP pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_pid_filetrans'($*)) dnl
gen_require(`
type pppd_var_run_t;
')
files_pid_filetrans($1, pppd_var_run_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_pid_filetrans'($*)) dnl
')
########################################
##
## Execute ppp server in the ntpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ppp_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_initrc_domtrans'($*)) dnl
gen_require(`
type pppd_initrc_exec_t;
')
init_labeled_script_domtrans($1, pppd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute pppd server in the pppd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ppp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_systemctl'($*)) dnl
gen_require(`
type pppd_unit_file_t;
type pppd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 pppd_unit_file_t:file read_file_perms;
allow $1 pppd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, pppd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_systemctl'($*)) dnl
')
########################################
##
## Transition to ppp named content
##
##
##
## Domain allowed access.
##
##
#
define(`ppp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_filetrans_named_content'($*)) dnl
gen_require(`
type pppd_lock_t;
')
files_lock_filetrans($1, pppd_lock_t, dir, "ppp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ppp environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ppp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_admin'($*)) dnl
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
type pppd_initrc_exec_t, pppd_etc_rw_t;
type pppd_unit_file_t;
')
allow $1 pppd_t:process signal_perms;
ps_process_pattern($1, pppd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 pppd_t:process ptrace;
allow $1 pptp_t:process ptrace;
')
allow $1 pptp_t:process signal_perms;
ps_process_pattern($1, pptp_t)
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pppd_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, pppd_tmp_t)
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
admin_pattern($1, pppd_etc_t)
admin_pattern($1, pppd_etc_rw_t)
admin_pattern($1, pppd_secret_t)
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
admin_pattern($1, pptp_log_t)
admin_pattern($1, pptp_var_run_t)
ppp_systemctl($1)
admin_pattern($1, pppd_unit_file_t)
allow $1 pppd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_admin'($*)) dnl
')
## Prelink ELF shared library mappings.
########################################
##
## Execute the prelink program in the prelink domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`prelink_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_domtrans'($*)) dnl
gen_require(`
type prelink_t, prelink_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
dontaudit prelink_t $1:fifo_file setattr;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_domtrans'($*)) dnl
')
########################################
##
## Execute the prelink program in the current domain.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_exec'($*)) dnl
gen_require(`
type prelink_exec_t;
')
corecmd_search_bin($1)
can_exec($1, prelink_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_exec'($*)) dnl
')
########################################
##
## Execute the prelink program in the prelink domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the prelink domain.
##
##
##
#
define(`prelink_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_run'($*)) dnl
gen_require(`
type prelink_t;
')
prelink_domtrans($1)
role $2 types prelink_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_run'($*)) dnl
')
########################################
##
## Make the specified file type prelinkable.
##
##
##
## File type to be prelinked.
##
##
#
# cjp: added for misc non-entrypoint objects
define(`prelink_object_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_object_file'($*)) dnl
gen_require(`
attribute prelink_object;
')
typeattribute $1 prelink_object;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_object_file'($*)) dnl
')
########################################
##
## Read the prelink cache.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_read_cache'($*)) dnl
gen_require(`
type prelink_cache_t;
')
files_search_etc($1)
allow $1 prelink_cache_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_read_cache'($*)) dnl
')
########################################
##
## Delete the prelink cache.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_delete_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_delete_cache'($*)) dnl
gen_require(`
type prelink_cache_t;
')
allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_delete_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## prelink log files.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_manage_log'($*)) dnl
gen_require(`
type prelink_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, prelink_log_t, prelink_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_manage_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## prelink var_lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_manage_lib'($*)) dnl
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_manage_lib'($*)) dnl
')
########################################
##
## Relabel from files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_relabelfrom_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_relabelfrom_lib'($*)) dnl
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_relabelfrom_lib'($*)) dnl
')
########################################
##
## Relabel from files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_relabel_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_relabel_lib'($*)) dnl
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_relabel_lib'($*)) dnl
')
########################################
##
## Transition to prelink named content
##
##
##
## Domain allowed access.
##
##
#
define(`prelink_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_filetrans_named_content'($*)) dnl
gen_require(`
type prelink_cache_t;
')
files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_filetrans_named_content'($*)) dnl
')
## Prelude hybrid intrusion detection system
########################################
##
## Execute a domain transition to run prelude.
##
##
##
## Domain allowed to transition.
##
##
#
define(`prelude_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_domtrans'($*)) dnl
gen_require(`
type prelude_t, prelude_exec_t;
')
domtrans_pattern($1, prelude_exec_t, prelude_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run prelude_audisp.
##
##
##
## Domain allowed to transition.
##
##
#
define(`prelude_domtrans_audisp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_domtrans_audisp'($*)) dnl
gen_require(`
type prelude_audisp_t, prelude_audisp_exec_t;
')
domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_domtrans_audisp'($*)) dnl
')
########################################
##
## Signal the prelude_audisp domain.
##
##
##
## Domain allowed acccess.
##
##
#
define(`prelude_signal_audisp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_signal_audisp'($*)) dnl
gen_require(`
type prelude_audisp_t;
')
allow $1 prelude_audisp_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_signal_audisp'($*)) dnl
')
########################################
##
## Read the prelude spool files
##
##
##
## Domain allowed access.
##
##
#
define(`prelude_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_read_spool'($*)) dnl
gen_require(`
type prelude_spool_t;
')
files_search_spool($1)
read_files_pattern($1, prelude_spool_t, prelude_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_read_spool'($*)) dnl
')
########################################
##
## Manage to prelude-manager spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`prelude_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_manage_spool'($*)) dnl
gen_require(`
type prelude_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_manage_spool'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an prelude environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`prelude_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_admin'($*)) dnl
gen_require(`
type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
type prelude_lml_t;
')
allow $1 prelude_t:process signal_perms;
ps_process_pattern($1, prelude_t)
tunable_policy(`deny_ptrace',`',`
allow $1 prelude_t:process ptrace;
allow $1 prelude_audisp_t:process ptrace;
allow $1 prelude_lml_t:process ptrace;
')
allow $1 prelude_audisp_t:process signal_perms;
ps_process_pattern($1, prelude_audisp_t)
allow $1 prelude_lml_t:process signal_perms;
ps_process_pattern($1, prelude_lml_t)
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
files_list_spool($1)
admin_pattern($1, prelude_spool_t)
files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
files_list_pids($1)
admin_pattern($1, prelude_var_run_t)
admin_pattern($1, prelude_audisp_var_run_t)
admin_pattern($1, prelude_lml_var_run_t)
files_list_tmp($1)
admin_pattern($1, prelude_lml_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_admin'($*)) dnl
')
## Privacy enhancing web proxy.
########################################
##
## All of the rules required to
## administrate an privoxy environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`privoxy_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `privoxy_admin'($*)) dnl
gen_require(`
type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
type privoxy_etc_rw_t, privoxy_var_run_t;
')
allow $1 privoxy_t:process signal_perms;
ps_process_pattern($1, privoxy_t)
tunable_policy(`deny_ptrace',`',`
allow $1 privoxy_t:process ptrace;
')
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 privoxy_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, privoxy_log_t)
files_list_etc($1)
admin_pattern($1, privoxy_etc_rw_t)
files_list_pids($1)
admin_pattern($1, privoxy_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `privoxy_admin'($*)) dnl
')
## Procmail mail delivery agent
########################################
##
## Execute procmail with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`procmail_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_domtrans'($*)) dnl
gen_require(`
type procmail_exec_t, procmail_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, procmail_exec_t, procmail_t)
allow $1 procmail_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_domtrans'($*)) dnl
')
########################################
##
## Execute procmail in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_exec'($*)) dnl
gen_require(`
type procmail_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, procmail_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_exec'($*)) dnl
')
########################################
##
## Read procmail tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_read_tmp_files'($*)) dnl
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
allow $1 procmail_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_read_tmp_files'($*)) dnl
')
########################################
##
## Read/write procmail tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_rw_tmp_files'($*)) dnl
gen_require(`
type procmail_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_rw_tmp_files'($*)) dnl
')
########################################
##
## Read procmail home directory content
##
##
##
## Domain allowed access.
##
##
#
define(`procmail_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_read_home_files'($*)) dnl
gen_require(`
type procmail_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, procmail_home_t, procmail_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_read_home_files'($*)) dnl
')
## policy for prosody
########################################
##
## Execute TEMPLATE in the prosody domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`prosody_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_domtrans'($*)) dnl
gen_require(`
type prosody_t, prosody_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, prosody_exec_t, prosody_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_domtrans'($*)) dnl
')
########################################
##
## Search prosody lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`prosody_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_search_lib'($*)) dnl
gen_require(`
type prosody_var_lib_t;
')
allow $1 prosody_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_search_lib'($*)) dnl
')
########################################
##
## Read prosody lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`prosody_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_read_lib_files'($*)) dnl
gen_require(`
type prosody_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_read_lib_files'($*)) dnl
')
########################################
##
## Manage prosody lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`prosody_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_manage_lib_files'($*)) dnl
gen_require(`
type prosody_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_manage_lib_files'($*)) dnl
')
########################################
##
## Manage prosody lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`prosody_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_manage_lib_dirs'($*)) dnl
gen_require(`
type prosody_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read prosody PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`prosody_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_read_pid_files'($*)) dnl
gen_require(`
type prosody_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_read_pid_files'($*)) dnl
')
########################################
##
## Execute prosody server in the prosody domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`prosody_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_systemctl'($*)) dnl
gen_require(`
type prosody_t;
type prosody_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 prosody_unit_file_t:file read_file_perms;
allow $1 prosody_unit_file_t:service manage_service_perms;
ps_process_pattern($1, prosody_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_systemctl'($*)) dnl
')
########################################
##
## Execute prosody in the prosody domain, and
## allow the specified role the prosody domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed the prosody domain.
##
##
#
define(`prosody_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_run'($*)) dnl
gen_require(`
type prosody_t;
attribute_role prosody_roles;
')
prosody_domtrans($1)
roleattribute $2 prosody_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_run'($*)) dnl
')
######################################
##
## Connect to prosody with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`prosody_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_stream_connect'($*)) dnl
gen_require(`
type prosody_t, prosody_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_stream_connect'($*)) dnl
')
########################################
##
## Role access for prosody
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`prosody_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_role'($*)) dnl
gen_require(`
type prosody_t;
attribute_role prosody_roles;
')
roleattribute $1 prosody_roles;
prosody_domtrans($2)
ps_process_pattern($2, prosody_t)
allow $2 prosody_t:process { signull signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_role'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an prosody environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`prosody_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_admin'($*)) dnl
gen_require(`
type prosody_t;
type prosody_var_lib_t;
type prosody_var_run_t;
type prosody_unit_file_t;
')
allow $1 prosody_t:process { ptrace signal_perms };
ps_process_pattern($1, prosody_t)
files_search_var_lib($1)
admin_pattern($1, prosody_var_lib_t)
files_search_pids($1)
admin_pattern($1, prosody_var_run_t)
prosody_systemctl($1)
admin_pattern($1, prosody_unit_file_t)
allow $1 prosody_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_admin'($*)) dnl
')
## Intrusion Detection and Log Analysis with iptables.
########################################
##
## Execute a domain transition to run psad.
##
##
##
## Domain allowed to transition.
##
##
#
define(`psad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_domtrans'($*)) dnl
gen_require(`
type psad_t, psad_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, psad_exec_t, psad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_domtrans'($*)) dnl
')
########################################
##
## Send generic signals to psad.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_signal'($*)) dnl
gen_require(`
type psad_t;
')
allow $1 psad_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_signal'($*)) dnl
')
#######################################
##
## Send null signals to psad.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_signull'($*)) dnl
gen_require(`
type psad_t;
')
allow $1 psad_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_signull'($*)) dnl
')
########################################
##
## Read psad configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_read_config'($*)) dnl
gen_require(`
type psad_etc_t;
')
files_search_etc($1)
allow $1 psad_etc_t:dir list_dir_perms;
allow $1 psad_etc_t:file read_file_perms;
allow $1 psad_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_read_config'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## psad configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_manage_config'($*)) dnl
gen_require(`
type psad_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
manage_files_pattern($1, psad_etc_t, psad_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_manage_config'($*)) dnl
')
########################################
##
## Read psad pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_read_pid_files'($*)) dnl
gen_require(`
type psad_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, psad_var_run_t, psad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_read_pid_files'($*)) dnl
')
########################################
##
## Read and write psad PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_rw_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_rw_pid_files'($*)) dnl
gen_require(`
type psad_var_run_t;
')
files_search_pids($1)
rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_rw_pid_files'($*)) dnl
')
########################################
##
## Read psad log content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`psad_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_read_log'($*)) dnl
gen_require(`
type psad_var_log_t;
')
logging_search_logs($1)
allow $1 psad_var_log_t:dir list_dir_perms;
allow $1 psad_var_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_read_log'($*)) dnl
')
########################################
##
## Append psad log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`psad_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_append_log'($*)) dnl
gen_require(`
type psad_var_log_t;
')
logging_search_logs($1)
append_files_pattern($1, psad_var_log_t, psad_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_append_log'($*)) dnl
')
########################################
##
## Allow the specified domain to write to psad's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`psad_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_write_log'($*)) dnl
gen_require(`
type psad_var_log_t;
')
logging_search_logs($1)
write_files_pattern($1, psad_var_log_t, psad_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_write_log'($*)) dnl
')
#######################################
##
## Allow the specified domain to setattr to psad's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_setattr_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_setattr_log'($*)) dnl
gen_require(`
type psad_var_log_t;
')
logging_search_logs($1)
setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_setattr_log'($*)) dnl
')
########################################
##
## Read and write psad fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_rw_fifo_file'($*)) dnl
gen_require(`
type psad_var_lib_t;
')
files_search_var_lib($1)
rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_rw_fifo_file'($*)) dnl
')
#######################################
##
## Allow setattr to psad fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_setattr_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_setattr_fifo_file'($*)) dnl
gen_require(`
type psad_t, psad_var_lib_t;
')
files_search_var_lib($1)
allow $1 psad_var_lib_t:fifo_file setattr;
search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_setattr_fifo_file'($*)) dnl
')
#######################################
##
## Allow search to psad lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_search_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_search_lib_files'($*)) dnl
gen_require(`
type psad_t, psad_var_lib_t;
')
files_search_var_lib($1)
search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_search_lib_files'($*)) dnl
')
#######################################
##
## Read and write psad temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`psad_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_rw_tmp_files'($*)) dnl
gen_require(`
type psad_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_rw_tmp_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an psad environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`psad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_admin'($*)) dnl
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
type psad_tmp_t;
')
allow $1 psad_t:process signal_perms;
ps_process_pattern($1, psad_t)
tunable_policy(`deny_ptrace',`',`
allow $1 psad_t:process ptrace;
')
init_labeled_script_domtrans($1, psad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 psad_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, psad_etc_t)
files_list_pids($1)
admin_pattern($1, psad_var_run_t)
logging_list_logs($1)
admin_pattern($1, psad_var_log_t)
files_list_var_lib($1)
admin_pattern($1, psad_var_lib_t)
files_list_tmp($1)
admin_pattern($1, psad_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_admin'($*)) dnl
')
## helper function for grantpt(3), changes ownship and permissions of pseudotty.
########################################
##
## Execute a domain transition to run ptchown.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ptchown_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptchown_domtrans'($*)) dnl
gen_require(`
type ptchown_t, ptchown_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptchown_domtrans'($*)) dnl
')
#######################################
##
## Execute ptchown in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ptchown_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptchown_exec'($*)) dnl
gen_require(`
type ptchown_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ptchown_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptchown_exec'($*)) dnl
')
########################################
##
## Execute ptchown in the ptchown
## domain, and allow the specified
## role the ptchown domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`ptchown_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptchown_run'($*)) dnl
gen_require(`
attribute_role ptchown_roles;
')
ptchown_domtrans($1)
roleattribute $2 ptchown_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptchown_run'($*)) dnl
')
## publicfile supplies files to the public through HTTP and FTP.
## Pulseaudio network sound server.
########################################
##
## Role access for pulseaudio
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`pulseaudio_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_role'($*)) dnl
gen_require(`
attribute pulseaudio_tmpfsfile;
type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
class dbus { acquire_svc send_msg };
')
role $1 types pulseaudio_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
ps_process_pattern($2, pulseaudio_t)
allow pulseaudio_t $2:process { signal signull };
allow $2 pulseaudio_t:process { signal signull sigkill };
allow $2 pulseaudio_t:process2 nnp_transition;
ps_process_pattern(pulseaudio_t, $2)
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
userdom_manage_tmp_role($1, pulseaudio_t)
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_role'($*)) dnl
')
########################################
##
## Execute a domain transition to run pulseaudio.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pulseaudio_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_domtrans'($*)) dnl
gen_require(`
attribute pulseaudio_client;
type pulseaudio_t, pulseaudio_exec_t;
')
typeattribute $1 pulseaudio_client;
corecmd_search_bin($1)
domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_domtrans'($*)) dnl
')
########################################
##
## Execute pulseaudio in the pulseaudio domain, and
## allow the specified role the pulseaudio domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`pulseaudio_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_run'($*)) dnl
gen_require(`
type pulseaudio_t;
')
pulseaudio_domtrans($1)
role $2 types pulseaudio_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_run'($*)) dnl
')
########################################
##
## Execute a pulseaudio in the current domain.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_exec'($*)) dnl
gen_require(`
type pulseaudio_exec_t;
')
can_exec($1, pulseaudio_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_exec'($*)) dnl
')
########################################
##
## Do not audit to execute a pulseaudio.
##
##
##
## Domain to not audit.
##
##
#
define(`pulseaudio_dontaudit_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_dontaudit_exec'($*)) dnl
gen_require(`
type pulseaudio_exec_t;
')
dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_dontaudit_exec'($*)) dnl
')
########################################
##
## Send signull signal to pulseaudio
## processes.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_signull'($*)) dnl
gen_require(`
type pulseaudio_t;
')
allow $1 pulseaudio_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_signull'($*)) dnl
')
#####################################
##
## Connect to pulseaudio over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_stream_connect'($*)) dnl
gen_require(`
type pulseaudio_t, pulseaudio_var_run_t;
type pulseaudio_home_t;
')
files_search_pids($1)
allow $1 pulseaudio_t:process signull;
allow pulseaudio_t $1:process signull;
allow $1 pulseaudio_t:unix_stream_socket create_stream_socket_perms;
stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_stream_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## pulseaudio over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_dbus_chat'($*)) dnl
gen_require(`
type pulseaudio_t;
class dbus send_msg;
')
allow $1 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_dbus_chat'($*)) dnl
')
########################################
##
## Set the attributes of the pulseaudio homedir.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_setattr_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_setattr_home_dir'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
allow $1 pulseaudio_home_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_setattr_home_dir'($*)) dnl
')
########################################
##
## Read pulseaudio homedir files.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_read_home_files'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_read_home_files'($*)) dnl
')
########################################
##
## Read and write Pulse Audio files.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_rw_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_rw_home_files'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_rw_home_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete pulseaudio
## home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_manage_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home_dirs'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete pulseaudio
## home directory files.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home_files'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
pulseaudio_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete pulseaudio
## home directory symlinks.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_manage_home_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home_symlinks'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home_symlinks'($*)) dnl
')
########################################
##
## Create pulseaudio content in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_filetrans_home_content'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
optional_policy(`
gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_filetrans_home_content'($*)) dnl
')
########################################
##
## Create pulseaudio content in the admin home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_filetrans_admin_home_content'($*)) dnl
gen_require(`
type pulseaudio_home_t;
')
userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_filetrans_admin_home_content'($*)) dnl
')
#######################################
##
## Make the specified tmpfs file type
## pulseaudio tmpfs content.
##
##
##
## File type to make pulseaudio tmpfs content.
##
##
#
define(`pulseaudio_tmpfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_tmpfs_content'($*)) dnl
gen_require(`
attribute pulseaudio_tmpfsfile;
')
typeattribute $1 pulseaudio_tmpfsfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_tmpfs_content'($*)) dnl
')
########################################
##
## Allow the domain to read pulseaudio state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`pulseaudio_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_read_state'($*)) dnl
gen_require(`
type pulseaudio_t;
')
kernel_search_proc($1)
ps_process_pattern($1, pulseaudio_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_read_state'($*)) dnl
')
## Puppet client daemon
##
##
## Puppet is a configuration management system written in Ruby.
## The client daemon is responsible for periodically requesting the
## desired system state from the server and ensuring the state of
## the client system matches.
##
##
########################################
##
## Execute puppet_master in the puppet_master
## domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`puppet_domtrans_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_domtrans_master'($*)) dnl
gen_require(`
type puppetmaster_t, puppetmaster_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_domtrans_master'($*)) dnl
')
########################################
##
## Execute puppet in the puppet
## domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`puppet_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_domtrans'($*)) dnl
gen_require(`
type puppet_t, puppet_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, puppet_exec_t, puppet_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_domtrans'($*)) dnl
')
########################################
##
## Execute puppetca in the puppetca
## domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`puppet_domtrans_puppetca',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_domtrans_puppetca'($*)) dnl
gen_require(`
type puppetca_t, puppetca_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, puppetca_exec_t, puppetca_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_domtrans_puppetca'($*)) dnl
')
#####################################
##
## Execute puppet in the puppet
## domain and allow the specified
## role the puppetca domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`puppet_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_run'($*)) dnl
gen_require(`
type puppet_t, puppet_exec_t;
')
puppet_domtrans($1)
role $2 types puppet_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_run'($*)) dnl
')
#####################################
##
## Execute puppetca in the puppetca
## domain and allow the specified
## role the puppetca domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`puppet_run_puppetca',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_run_puppetca'($*)) dnl
gen_require(`
type puppetca_t, puppetca_exec_t;
')
puppet_domtrans_puppetca($1)
role $2 types puppetca_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_run_puppetca'($*)) dnl
')
################################################
##
## Read / Write to Puppet temp files. Puppet uses
## some system binaries (groupadd, etc) that run in
## a non-puppet domain and redirects output into temp
## files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_rw_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_rw_tmp'($*)) dnl
gen_require(`
type puppet_tmp_t;
')
allow $1 puppet_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_rw_tmp'($*)) dnl
')
################################################
##
## Read Puppet lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_read_lib'($*)) dnl
gen_require(`
type puppet_var_lib_t;
')
read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_read_lib'($*)) dnl
')
###############################################
##
## Manage Puppet lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_manage_lib'($*)) dnl
gen_require(`
type puppet_var_lib_t;
')
manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_manage_lib'($*)) dnl
')
######################################
##
## Allow the specified domain to search puppet's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_search_log'($*)) dnl
gen_require(`
type puppet_log_t;
')
logging_search_logs($1)
allow $1 puppet_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_search_log'($*)) dnl
')
#####################################
##
## Allow the specified domain to read puppet's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_read_log'($*)) dnl
gen_require(`
type puppet_log_t;
')
logging_search_logs($1)
read_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_read_log'($*)) dnl
')
#####################################
##
## Allow the specified domain to create puppet's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_create_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_create_log'($*)) dnl
gen_require(`
type puppet_log_t;
')
logging_search_logs($1)
create_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_create_log'($*)) dnl
')
####################################
##
## Allow the specified domain to append puppet's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_append_log'($*)) dnl
gen_require(`
type puppet_log_t;
')
logging_search_logs($1)
append_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_append_log'($*)) dnl
')
####################################
##
## Allow the specified domain to manage puppet's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_manage_log'($*)) dnl
gen_require(`
type puppet_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_manage_log'($*)) dnl
')
####################################
##
## Allow the specified domain to read puppet's config files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_read_config'($*)) dnl
gen_require(`
type puppet_etc_t;
')
files_search_etc($1)
list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
read_files_pattern($1, puppet_etc_t, puppet_etc_t)
read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_read_config'($*)) dnl
')
#####################################
##
## Allow the specified domain to search puppet's pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`puppet_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_search_pid'($*)) dnl
gen_require(`
type puppet_var_run_t;
')
files_search_pids($1)
allow $1 puppet_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_search_pid'($*)) dnl
')
## policy for pwauth
########################################
##
## Transition to pwauth.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pwauth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pwauth_domtrans'($*)) dnl
gen_require(`
type pwauth_t, pwauth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, pwauth_exec_t, pwauth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pwauth_domtrans'($*)) dnl
')
########################################
##
## Execute pwauth in the pwauth domain, and
## allow the specified role the pwauth domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed the pwauth domain.
##
##
#
define(`pwauth_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pwauth_run'($*)) dnl
gen_require(`
type pwauth_t;
')
pwauth_domtrans($1)
role $2 types pwauth_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pwauth_run'($*)) dnl
')
########################################
##
## Role access for pwauth
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`pwauth_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pwauth_role'($*)) dnl
gen_require(`
type pwauth_t;
')
role $1 types pwauth_t;
pwauth_domtrans($2)
ps_process_pattern($2, pwauth_t)
allow $2 pwauth_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pwauth_role'($*)) dnl
')
## Server for the PXE network boot protocol.
########################################
##
## All of the rules required to
## administrate an pxe environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`pxe_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pxe_admin'($*)) dnl
gen_require(`
type pxe_t, pxe_initrc_exec_t, pxe_log_t;
type pxe_var_run_t;
')
allow $1 pxe_t:process { ptrace signal_perms };
ps_process_pattern($1, pxe_t)
init_labeled_script_domtrans($1, pxe_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pxe_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, pxe_log_t)
files_search_pids($1)
admin_pattern($1, pxe_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pxe_admin'($*)) dnl
')
## Pyzor is a distributed, collaborative spam detection and filtering network.
########################################
##
## Role access for pyzor
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
##
#
define(`pyzor_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_role'($*)) dnl
gen_require(`
type pyzor_t, pyzor_exec_t;
type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
')
role $1 types pyzor_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, pyzor_exec_t, pyzor_t)
# allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
allow $2 pyzor_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 pyzor_t:process ptrace;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_role'($*)) dnl
')
########################################
##
## Send generic signals to pyzor
##
##
##
## Domain allowed access.
##
##
#
define(`pyzor_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_signal'($*)) dnl
gen_require(`
type pyzor_t;
')
allow $1 pyzor_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_signal'($*)) dnl
')
########################################
##
## Execute pyzor with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`pyzor_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_domtrans'($*)) dnl
gen_require(`
type pyzor_exec_t, pyzor_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, pyzor_exec_t, pyzor_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_domtrans'($*)) dnl
')
########################################
##
## Execute pyzor in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`pyzor_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_exec'($*)) dnl
gen_require(`
type pyzor_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_exec'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an pyzor environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the pyzor domain.
##
##
##
#
define(`pyzor_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_admin'($*)) dnl
gen_require(`
type pyzord_t, pyzor_tmp_t, pyzord_log_t;
type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
')
allow $1 pyzord_t:process signal_perms;
ps_process_pattern($1, pyzord_t)
tunable_policy(`deny_ptrace',`',`
allow $1 pyzord_t:process ptrace;
')
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pyzord_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, pyzor_tmp_t)
logging_list_logs($1)
admin_pattern($1, pyzord_log_t)
files_list_etc($1)
admin_pattern($1, pyzor_etc_t)
files_list_var_lib($1)
admin_pattern($1, pyzor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_admin'($*)) dnl
')
## QEMU machine emulator and virtualizer
########################################
##
## Creates types and rules for a basic
## qemu process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`qemu_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_domain_template'($*)) dnl
##############################
#
# Local Policy
#
type $1_t;
domain_type($1_t)
type $1_tmp_t;
files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
##############################
#
# Local Policy
#
allow $1_t self:capability { dac_read_search };
allow $1_t self:process { execstack execmem signal getsched };
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:tun_socket create;
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
kernel_read_system_state($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_tcp_bind_generic_node($1_t)
corenet_tcp_bind_vnc_port($1_t)
corenet_rw_tun_tap_dev($1_t)
# dev_rw_kvm($1_t)
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
files_read_usr_files($1_t)
files_read_var_files($1_t)
files_search_all($1_t)
storage_raw_write_removable_device($1_t)
storage_raw_read_removable_device($1_t)
term_use_ptmx($1_t)
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
sysnet_read_config($1_t)
userdom_use_inherited_user_terminals($1_t)
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
samba_domtrans_smbd($1_t)
')
optional_policy(`
virt_manage_images($1_t)
virt_read_config($1_t)
virt_read_lib_files($1_t)
virt_attach_tun_iface($1_t)
')
optional_policy(`
xserver_stream_connect($1_t)
xserver_read_xdm_tmp_files($1_t)
xserver_read_xdm_pid($1_t)
# xserver_xdm_rw_shm($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_domain_template'($*)) dnl
')
########################################
##
## Execute a domain transition to run qemu.
##
##
##
## Domain allowed to transition.
##
##
#
define(`qemu_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_domtrans'($*)) dnl
gen_require(`
type qemu_t, qemu_exec_t;
')
domtrans_pattern($1, qemu_exec_t, qemu_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_domtrans'($*)) dnl
')
########################################
##
## Execute a qemu in the callers domain
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_exec'($*)) dnl
gen_require(`
type qemu_exec_t;
')
can_exec($1, qemu_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_exec'($*)) dnl
')
########################################
##
## Execute qemu in the qemu domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the qemu domain.
##
##
##
#
define(`qemu_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_run'($*)) dnl
gen_require(`
type qemu_t;
')
qemu_domtrans($1)
role $2 types qemu_t;
allow qemu_t $1:process signull;
allow $1 qemu_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_run'($*)) dnl
')
########################################
##
## Allow the domain to read state files in /proc.
##
##
##
## Domain to allow access.
##
##
#
define(`qemu_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_read_state'($*)) dnl
gen_require(`
type qemu_t;
')
read_files_pattern($1, qemu_t, qemu_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_read_state'($*)) dnl
')
########################################
##
## Set the schedule on qemu.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_setsched'($*)) dnl
gen_require(`
type qemu_t;
')
allow $1 qemu_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_setsched'($*)) dnl
')
########################################
##
## Send a signal to qemu.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_signal'($*)) dnl
gen_require(`
type qemu_t;
')
allow $1 qemu_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_signal'($*)) dnl
')
########################################
##
## Send a sigill to qemu
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_kill'($*)) dnl
gen_require(`
type qemu_t;
')
allow $1 qemu_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_kill'($*)) dnl
')
########################################
##
## Execute qemu_exec_t
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Execute qemu_exec_t
## in the specified domain. This allows
## the specified domain to qemu programs
## on these filesystems in the specified
## domain.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`qemu_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_spec_domtrans'($*)) dnl
gen_require(`
type qemu_exec_t;
')
read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
domain_transition_pattern($1, qemu_exec_t, $2)
domain_entry_file($2,qemu_exec_t)
can_exec($1,qemu_exec_t)
allow $2 $1:fd use;
allow $2 $1:fifo_file rw_fifo_file_perms;
allow $2 $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_spec_domtrans'($*)) dnl
')
########################################
##
## Execute qemu unconfined programs in the role.
##
##
##
## The role to allow the qemu unconfined domain.
##
##
#
define(`qemu_unconfined_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_unconfined_role'($*)) dnl
gen_require(`
type unconfined_qemu_t;
type qemu_t;
')
role $1 types unconfined_qemu_t;
role $1 types qemu_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_unconfined_role'($*)) dnl
')
########################################
##
## Manage qemu temporary dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_manage_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_dirs'($*)) dnl
gen_require(`
type qemu_tmp_t;
')
manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_dirs'($*)) dnl
')
########################################
##
## Manage qemu temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`qemu_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_files'($*)) dnl
gen_require(`
type qemu_tmp_t;
')
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_files'($*)) dnl
')
########################################
##
## Make qemu_exec_t an entrypoint for
## the specified domain.
##
##
##
## The domain for which qemu_exec_t is an entrypoint.
##
##
#
define(`qemu_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_entry_type'($*)) dnl
gen_require(`
type qemu_exec_t;
')
domain_entry_file($1, qemu_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_entry_type'($*)) dnl
')
#######################################
##
## Getattr on qemu executable.
##
##
##
## Domain allowed to transition.
##
##
#
define(`qemu_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_getattr_exec'($*)) dnl
gen_require(`
type qemu_exec_t;
')
allow $1 qemu_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_getattr_exec'($*)) dnl
')
## Qmail Mail Server
########################################
##
## Template for qmail parent/sub-domain pairs
##
##
##
## The prefix of the child domain
##
##
##
##
## The name of the parent domain.
##
##
#
define(`qmail_child_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_child_domain_template'($*)) dnl
type $1_t;
domain_type($1_t)
type $1_exec_t;
domain_entry_file($1_t, $1_exec_t)
domain_auto_trans($2, $1_exec_t, $1_t)
role system_r types $1_t;
allow $1_t self:process signal_perms;
allow $1_t $2:fd use;
allow $1_t $2:fifo_file rw_file_perms;
allow $1_t $2:process sigchld;
allow $1_t qmail_etc_t:dir list_dir_perms;
allow $1_t qmail_etc_t:file read_file_perms;
allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
allow $1_t qmail_start_t:fd use;
kernel_list_proc($2)
kernel_read_proc_symlinks($2)
corecmd_search_bin($1_t)
files_search_var($1_t)
fs_getattr_xattr_fs($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_child_domain_template'($*)) dnl
')
########################################
##
## Transition to qmail_inject_t
##
##
##
## Domain allowed to transition.
##
##
#
define(`qmail_domtrans_inject',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_domtrans_inject'($*)) dnl
gen_require(`
type qmail_inject_t, qmail_inject_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
',`
files_search_var($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_domtrans_inject'($*)) dnl
')
########################################
##
## Transition to qmail_queue_t
##
##
##
## Domain allowed to transition.
##
##
#
define(`qmail_domtrans_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_domtrans_queue'($*)) dnl
gen_require(`
type qmail_queue_t, qmail_queue_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
',`
files_search_var($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_domtrans_queue'($*)) dnl
')
########################################
##
## Read qmail configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`qmail_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_read_config'($*)) dnl
gen_require(`
type qmail_etc_t;
')
allow $1 qmail_etc_t:dir list_dir_perms;
allow $1 qmail_etc_t:file read_file_perms;
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
files_search_var($1)
ifdef(`distro_debian',`
# handle /etc/qmail
files_search_etc($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_read_config'($*)) dnl
')
########################################
##
## Define the specified domain as a qmail-smtp service.
## Needed by antivirus/antispam filters.
##
##
##
## Domain allowed access
##
##
##
##
## The type associated with the process program.
##
##
#
define(`qmail_smtpd_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_smtpd_service_domain'($*)) dnl
gen_require(`
type qmail_smtpd_t;
')
domtrans_pattern(qmail_smtpd_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_smtpd_service_domain'($*)) dnl
')
########################################
##
## Create, read, write, and delete qmail
## spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`qmail_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_manage_spool_dirs'($*)) dnl
gen_require(`
type qmail_spool_t;
')
manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_manage_spool_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete qmail
## spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`qmail_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_manage_spool_files'($*)) dnl
gen_require(`
type qmail_spool_t;
')
manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_manage_spool_files'($*)) dnl
')
########################################
##
## Read and write to qmail spool pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`qmail_rw_spool_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_rw_spool_pipes'($*)) dnl
gen_require(`
type qmail_spool_t;
')
allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_rw_spool_pipes'($*)) dnl
')
## policy for qpidd
########################################
##
## Execute a domain transition to run qpidd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`qpidd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_domtrans'($*)) dnl
gen_require(`
type qpidd_t, qpidd_exec_t;
')
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_domtrans'($*)) dnl
')
########################################
##
## Execute qpidd server in the qpidd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_initrc_domtrans'($*)) dnl
gen_require(`
type qpidd_initrc_exec_t;
')
init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read qpidd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_read_pid_files'($*)) dnl
gen_require(`
type qpidd_var_run_t;
')
files_search_pids($1)
allow $1 qpidd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_read_pid_files'($*)) dnl
')
########################################
##
## Manage qpidd var_run files.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_manage_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_manage_var_run'($*)) dnl
gen_require(`
type qpidd_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_manage_var_run'($*)) dnl
')
########################################
##
## Search qpidd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_search_lib'($*)) dnl
gen_require(`
type qpidd_var_lib_t;
')
allow $1 qpidd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_search_lib'($*)) dnl
')
########################################
##
## Read qpidd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_read_lib_files'($*)) dnl
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## qpidd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_manage_lib_files'($*)) dnl
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage qpidd var_lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_manage_var_lib'($*)) dnl
gen_require(`
type qpidd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_manage_var_lib'($*)) dnl
')
#####################################
##
## Allow read and write access to qpidd semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_rw_semaphores'($*)) dnl
gen_require(`
type qpidd_t;
')
allow $1 qpidd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_rw_semaphores'($*)) dnl
')
#######################################
##
## Read and write to qpidd shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`qpidd_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_rw_shm'($*)) dnl
gen_require(`
type qpidd_t;
type qpidd_tmpfs_t;
')
allow $1 qpidd_t:shm rw_shm_perms;
fs_search_tmpfs($1)
manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_rw_shm'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an qpidd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`qpidd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qpidd_admin'($*)) dnl
gen_require(`
type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
type qpidd_var_run_t;
')
allow $1 qpidd_t:process { signal_perms };
ps_process_pattern($1, qpidd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 qpidd_t:process ptrace;
')
qpidd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 qpidd_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, qpidd_var_lib_t)
files_search_pids($1)
admin_pattern($1, qpidd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qpidd_admin'($*)) dnl
')
## Virtual network service for Openstack.
########################################
##
## Transition to neutron.
##
##
##
## Domain allowed to transition.
##
##
#
define(`neutron_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_domtrans'($*)) dnl
gen_require(`
type neutron_t, neutron_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, neutron_exec_t, neutron_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_domtrans'($*)) dnl
')
########################################
##
## Allow read/write neutron pipes
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_rw_inherited_pipes'($*)) dnl
gen_require(`
type neutron_t;
')
allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_rw_inherited_pipes'($*)) dnl
')
########################################
##
## Send sigchld to neutron.
##
##
##
## Domain allowed access.
##
##
#
#
define(`neutron_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_sigchld'($*)) dnl
gen_require(`
type neutron_t;
')
allow $1 neutron_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_sigchld'($*)) dnl
')
########################################
##
## Read neutron's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`neutron_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_read_log'($*)) dnl
gen_require(`
type neutron_log_t;
')
logging_search_logs($1)
read_files_pattern($1, neutron_log_t, neutron_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_read_log'($*)) dnl
')
########################################
##
## Append to neutron log files.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_append_log'($*)) dnl
gen_require(`
type neutron_log_t;
')
logging_search_logs($1)
append_files_pattern($1, neutron_log_t, neutron_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_append_log'($*)) dnl
')
########################################
##
## Manage neutron log files
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_manage_log'($*)) dnl
gen_require(`
type neutron_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
manage_files_pattern($1, neutron_log_t, neutron_log_t)
manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_manage_log'($*)) dnl
')
########################################
##
## Search neutron lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_search_lib'($*)) dnl
gen_require(`
type neutron_var_lib_t;
')
allow $1 neutron_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_search_lib'($*)) dnl
')
########################################
##
## Read neutron lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_read_lib_files'($*)) dnl
gen_require(`
type neutron_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_read_lib_files'($*)) dnl
')
########################################
##
## Manage neutron lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_manage_lib_files'($*)) dnl
gen_require(`
type neutron_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_manage_lib_files'($*)) dnl
')
########################################
##
## Manage neutron lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_manage_lib_dirs'($*)) dnl
gen_require(`
type neutron_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read and write neutron fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_rw_fifo_file'($*)) dnl
gen_require(`
type neutron_t;
')
allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_rw_fifo_file'($*)) dnl
')
#####################################
##
## Connect to neutron over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_stream_connect'($*)) dnl
gen_require(`
type neutron_t;
type neutron_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_stream_connect'($*)) dnl
')
########################################
##
## Execute neutron server in the neutron domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`neutron_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_systemctl'($*)) dnl
gen_require(`
type neutron_t;
type neutron_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 neutron_unit_file_t:file read_file_perms;
allow $1 neutron_unit_file_t:service manage_service_perms;
ps_process_pattern($1, neutron_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_systemctl'($*)) dnl
')
#######################################
##
## Read neutron process state files.
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_read_state'($*)) dnl
gen_require(`
type neutron_t;
')
allow $1 neutron_t:dir search_dir_perms;
allow $1 neutron_t:file read_file_perms;
allow $1 neutron_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_read_state'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an neutron environment
##
##
##
## Domain allowed access.
##
##
#
define(`neutron_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `neutron_admin'($*)) dnl
gen_require(`
type neutron_t;
type neutron_log_t;
type neutron_var_lib_t;
type neutron_unit_file_t;
')
allow $1 neutron_t:process { ptrace signal_perms };
ps_process_pattern($1, neutron_t)
logging_search_logs($1)
admin_pattern($1, neutron_log_t)
files_search_var_lib($1)
admin_pattern($1, neutron_var_lib_t)
neutron_systemctl($1)
admin_pattern($1, neutron_unit_file_t)
allow $1 neutron_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `neutron_admin'($*)) dnl
')
## File system quota management
########################################
##
## Execute quota management tools in the quota domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`quota_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_domtrans'($*)) dnl
gen_require(`
type quota_t, quota_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, quota_exec_t, quota_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_domtrans'($*)) dnl
')
########################################
##
## Execute quota management tools in the quota domain, and
## allow the specified role the quota domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`quota_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_run'($*)) dnl
gen_require(`
type quota_t;
')
quota_domtrans($1)
role $2 types quota_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_run'($*)) dnl
')
#######################################
##
## Alow to read of filesystem quota data files.
##
##
##
## Domain to not audit.
##
##
#
define(`quota_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_read_db'($*)) dnl
gen_require(`
type quota_db_t;
')
allow $1 quota_db_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_read_db'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of filesystem quota data files.
##
##
##
## Domain to not audit.
##
##
#
define(`quota_dontaudit_getattr_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_dontaudit_getattr_db'($*)) dnl
gen_require(`
type quota_db_t;
')
dontaudit $1 quota_db_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_dontaudit_getattr_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete quota
## db files.
##
##
##
## Domain to not audit.
##
##
#
define(`quota_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_manage_db'($*)) dnl
gen_require(`
type quota_db_t;
')
allow $1 quota_db_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_manage_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete quota
## flag files.
##
##
##
## Domain allowed access.
##
##
#
define(`quota_manage_flags',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_manage_flags'($*)) dnl
gen_require(`
type quota_flag_t;
')
files_search_var_lib($1)
manage_files_pattern($1, quota_flag_t, quota_flag_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_manage_flags'($*)) dnl
')
########################################
##
## Transition to quota named content
##
##
##
## Domain allowed access.
##
##
#
define(`quota_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_filetrans_named_content'($*)) dnl
gen_require(`
type quota_db_t;
')
files_root_filetrans($1, quota_db_t, file, "aquota.user")
files_root_filetrans($1, quota_db_t, file, "aquota.group")
files_boot_filetrans($1, quota_db_t, file, "aquota.user")
files_boot_filetrans($1, quota_db_t, file, "aquota.group")
files_etc_filetrans($1, quota_db_t, file, "aquota.user")
files_etc_filetrans($1, quota_db_t, file, "aquota.group")
files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
files_home_filetrans($1, quota_db_t, file, "aquota.user")
files_home_filetrans($1, quota_db_t, file, "aquota.group")
files_usr_filetrans($1, quota_db_t, file, "aquota.user")
files_usr_filetrans($1, quota_db_t, file, "aquota.group")
files_var_filetrans($1, quota_db_t, file, "aquota.user")
files_var_filetrans($1, quota_db_t, file, "aquota.group")
files_spool_filetrans($1, quota_db_t, file, "aquota.user")
files_spool_filetrans($1, quota_db_t, file, "aquota.group")
mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_filetrans_named_content'($*)) dnl
')
#######################################
##
## Transition to quota_nld.
##
##
##
## Domain allowed to transition.
##
##
#
define(`quota_domtrans_nld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `quota_domtrans_nld'($*)) dnl
gen_require(`
type quota_nld_t, quota_nld_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `quota_domtrans_nld'($*)) dnl
')
## AMQP server written in Erlang.
########################################
##
## Execute rabbitmq in the rabbitmq domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rabbitmq_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rabbitmq_domtrans'($*)) dnl
gen_require(`
type rabbitmq_t, rabbitmq_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rabbitmq_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an rabbitmq environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rabbitmq_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rabbitmq_admin'($*)) dnl
gen_require(`
type rabbitmq_t, rabbitmq_initrc_exec_t;
type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
')
allow $1 { rabbitmq_t }:process { ptrace signal_perms };
ps_process_pattern($1, rabbitmq_t)
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rabbitmq_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rabbitmq_var_log_t)
files_search_var_lib($1)
admin_pattern($1, rabbitmq_var_lib_t)
files_search_pids($1)
admin_pattern($1, rabbitmq_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rabbitmq_admin'($*)) dnl
')
## RADIUS authentication and accounting server.
########################################
##
## Use radius over a UDP connection. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`radius_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `radius_use'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `radius_use'($*)) dnl
')
#######################################
##
## Execute radiusd server in the radiusd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`radiusd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `radiusd_systemctl'($*)) dnl
gen_require(`
type radiusd_unit_file_t;
type radiusd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 radiusd_unit_file_t:file read_file_perms;
allow $1 radiusd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, radiusd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `radiusd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an radius environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`radius_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `radius_admin'($*)) dnl
gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t;
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
type radiusd_initrc_exec_t, radiusd_unit_file_t;
')
allow $1 radiusd_t:process signal_perms;
ps_process_pattern($1, radiusd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 radiusd_t:process ptrace;
')
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 radiusd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })
logging_list_logs($1)
admin_pattern($1, radiusd_log_t)
files_list_var_lib($1)
admin_pattern($1, radiusd_var_lib_t)
files_list_pids($1)
admin_pattern($1, radiusd_var_run_t)
admin_pattern($1, radiusd_unit_file_t)
bind_systemctl($1)
allow $1 radiusd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `radius_admin'($*)) dnl
')
## IPv6 router advertisement daemon.
######################################
##
## Read radvd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`radvd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `radvd_read_pid_files'($*)) dnl
gen_require(`
type radvd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `radvd_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an radvd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`radvd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `radvd_admin'($*)) dnl
gen_require(`
type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
type radvd_var_run_t;
')
allow $1 radvd_t:process signal_perms;
ps_process_pattern($1, radvd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 radvd_t:process ptrace;
')
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 radvd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, radvd_etc_t)
files_list_pids($1)
admin_pattern($1, radvd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `radvd_admin'($*)) dnl
')
## RAID array management tools
########################################
##
## Execute software raid tools in the mdadm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`raid_domtrans_mdadm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_domtrans_mdadm'($*)) dnl
gen_require(`
type mdadm_t, mdadm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mdadm_exec_t, mdadm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_domtrans_mdadm'($*)) dnl
')
######################################
##
## Execute a domain transition to mdadm_t for the
## specified role, allowing it to use the mdadm_t
## domain
##
##
##
## Role allowed to access mdadm_t domain
##
##
##
##
## Domain allowed to transition to mdadm_t
##
##
#
define(`raid_run_mdadm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_run_mdadm'($*)) dnl
gen_require(`
type mdadm_t;
')
role $1 types mdadm_t;
raid_domtrans_mdadm($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_run_mdadm'($*)) dnl
')
######################################
##
## Execute mdadm server in the mdadm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mdadm_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mdadm_systemctl'($*)) dnl
gen_require(`
type mdadm_t;
type mdadm_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 mdadm_unit_file_t:file read_file_perms;
allow $1 mdadm_unit_file_t:service manage_service_perms;
ps_process_pattern($1, mdadm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mdadm_systemctl'($*)) dnl
')
########################################
##
## read the mdadm pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`raid_read_mdadm_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_read_mdadm_pid'($*)) dnl
gen_require(`
type mdadm_var_run_t;
')
read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_read_mdadm_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete the mdadm pid files.
##
##
##
## Create, read, write, and delete the mdadm pid files.
##
##
## Added for use in the init module.
##
##
##
##
## Domain allowed access.
##
##
#
define(`raid_manage_mdadm_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_manage_mdadm_pid'($*)) dnl
gen_require(`
type mdadm_var_run_t;
')
# FIXME: maybe should have a type_transition. not
# clear what this is doing, from the original
# mdadm policy
allow $1 mdadm_var_run_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_manage_mdadm_pid'($*)) dnl
')
#######################################
##
## Check access to the mdadm executable.
##
##
##
## Domain allowed access.
##
##
#
define(`raid_access_check_mdadm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_access_check_mdadm'($*)) dnl
gen_require(`
type mdadm_exec_t;
')
corecmd_search_bin($1)
allow $1 mdadm_exec_t:file { getattr_file_perms execute };
dontaudit $1 mdadm_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_access_check_mdadm'($*)) dnl
')
########################################
##
## Read mdadm config files.
##
##
##
## Domain allowed access.
##
##
#
define(`raid_read_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_read_conf_files'($*)) dnl
gen_require(`
type mdadm_conf_t;
')
read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_read_conf_files'($*)) dnl
')
########################################
##
## Manage mdadm config files.
##
##
##
## Domain allowed access.
##
##
#
define(`raid_manage_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_manage_conf_files'($*)) dnl
gen_require(`
type mdadm_conf_t;
')
manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_manage_conf_files'($*)) dnl
')
########################################
##
## Transition to mdadm named content
##
##
##
## Domain allowed access.
##
##
#
define(`raid_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_filetrans_named_content'($*)) dnl
gen_require(`
type mdadm_conf_t;
')
files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_filetrans_named_content'($*)) dnl
')
########################################
##
## Relabel from mdadm_var_run_t sock file.
##
##
##
## Domain allowed access.
##
##
#
define(`raid_relabel_mdadm_var_run_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_relabel_mdadm_var_run_content'($*)) dnl
gen_require(`
type mdadm_var_run_t;
')
allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_relabel_mdadm_var_run_content'($*)) dnl
')
#####################################
##
## Connect to raid with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`raid_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `raid_stream_connect'($*)) dnl
gen_require(`
type mdadm_t, mdadm_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, mdadm_var_run_t, mdadm_var_run_t, mdadm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `raid_stream_connect'($*)) dnl
')
## The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
########################################
##
## Execute TEMPLATE in the rasdaemon domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rasdaemon_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_domtrans'($*)) dnl
gen_require(`
type rasdaemon_t, rasdaemon_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_domtrans'($*)) dnl
')
########################################
##
## Search rasdaemon lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rasdaemon_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_search_lib'($*)) dnl
gen_require(`
type rasdaemon_var_lib_t;
')
allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_search_lib'($*)) dnl
')
########################################
##
## Read rasdaemon lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rasdaemon_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_read_lib_files'($*)) dnl
gen_require(`
type rasdaemon_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_read_lib_files'($*)) dnl
')
########################################
##
## Manage rasdaemon lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rasdaemon_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_manage_lib_files'($*)) dnl
gen_require(`
type rasdaemon_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_manage_lib_files'($*)) dnl
')
########################################
##
## Manage rasdaemon lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rasdaemon_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_manage_lib_dirs'($*)) dnl
gen_require(`
type rasdaemon_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute rasdaemon server in the rasdaemon domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rasdaemon_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_systemctl'($*)) dnl
gen_require(`
type rasdaemon_t;
type rasdaemon_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 rasdaemon_unit_file_t:file read_file_perms;
allow $1 rasdaemon_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rasdaemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rasdaemon environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`rasdaemon_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rasdaemon_admin'($*)) dnl
gen_require(`
type rasdaemon_t;
type rasdaemon_var_lib_t;
type rasdaemon_unit_file_t;
')
allow $1 rasdaemon_t:process { ptrace signal_perms };
ps_process_pattern($1, rasdaemon_t)
files_search_var_lib($1)
admin_pattern($1, rasdaemon_var_lib_t)
rasdaemon_systemctl($1)
admin_pattern($1, rasdaemon_unit_file_t)
allow $1 rasdaemon_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rasdaemon_admin'($*)) dnl
')
## A distributed, collaborative, spam detection and filtering network.
##
##
## A distributed, collaborative, spam detection and filtering network.
##
##
## This policy will work with either the ATrpms provided config
## file in /etc/razor, or with the default of dumping everything into
## $HOME/.razor.
##
##
#######################################
##
## Template to create types and rules common to
## all razor domains.
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`razor_common_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `razor_common_domain_template'($*)) dnl
gen_require(`
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:tcp_socket create_socket_perms;
# Read system config file
allow $1_t razor_etc_t:dir list_dir_perms;
allow $1_t razor_etc_t:file read_file_perms;
allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
manage_files_pattern($1_t, razor_log_t, razor_log_t)
manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
logging_log_filetrans($1_t, razor_log_t, file)
manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
allow $1_t razor_exec_t:file read_file_perms;
allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_read_kernel_sysctls($1_t)
corecmd_exec_bin($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
corenet_raw_sendrecv_generic_node($1_t)
corenet_tcp_sendrecv_razor_port($1_t)
# mktemp and other randoms
dev_read_rand($1_t)
dev_read_urand($1_t)
files_search_pids($1_t)
# Allow access to various files in the /etc/directory including mtab
# and nsswitch
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
fs_search_auto_mountpoints($1_t)
libs_read_lib_files($1_t)
sysnet_read_config($1_t)
sysnet_dns_name_resolve($1_t)
optional_policy(`
nis_use_ypbind($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `razor_common_domain_template'($*)) dnl
')
########################################
##
## Role access for razor
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
##
#
define(`razor_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `razor_role'($*)) dnl
gen_require(`
type razor_t, razor_exec_t, razor_home_t;
')
role $1 types razor_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, razor_exec_t, razor_t)
# allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
allow $2 razor_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 razor_t:process ptrace;
')
manage_dirs_pattern($2, razor_home_t, razor_home_t)
manage_files_pattern($2, razor_home_t, razor_home_t)
manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
relabel_dirs_pattern($2, razor_home_t, razor_home_t)
relabel_files_pattern($2, razor_home_t, razor_home_t)
relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `razor_role'($*)) dnl
')
########################################
##
## Execute razor in the system razor domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`razor_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `razor_domtrans'($*)) dnl
gen_require(`
type razor_t, razor_exec_t;
')
domtrans_pattern($1, razor_exec_t, razor_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `razor_domtrans'($*)) dnl
')
########################################
##
## Create, read, write, and delete razor files
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`razor_manage_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `razor_manage_user_home_files'($*)) dnl
gen_require(`
type razor_home_t;
')
userdom_search_user_home_dirs($1)
manage_files_pattern($1, razor_home_t, razor_home_t)
read_lnk_files_pattern($1, razor_home_t, razor_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `razor_manage_user_home_files'($*)) dnl
')
########################################
##
## read razor lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`razor_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `razor_read_lib_files'($*)) dnl
gen_require(`
type razor_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `razor_read_lib_files'($*)) dnl
')
## Network router discovery daemon.
######################################
##
## Execute rdisc in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rdisc_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rdisc_exec'($*)) dnl
gen_require(`
type rdisc_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rdisc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rdisc_exec'($*)) dnl
')
########################################
##
## Execute rdisc server in the rdisc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rdisc_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rdisc_systemctl'($*)) dnl
gen_require(`
type rdisc_t;
type rdisc_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 rdisc_unit_file_t:file read_file_perms;
allow $1 rdisc_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rdisc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rdisc_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rdisc environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`rdisc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rdisc_admin'($*)) dnl
gen_require(`
type rdisc_t;
type rdisc_unit_file_t;
')
allow $1 rdisc_t:process { ptrace signal_perms };
ps_process_pattern($1, rdisc_t)
rdisc_systemctl($1)
admin_pattern($1, rdisc_unit_file_t)
allow $1 rdisc_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rdisc_admin'($*)) dnl
')
## Read files into page cache for improved performance.
########################################
##
## Execute a domain transition
## to run readahead.
##
##
##
## Domain allowed to transition.
##
##
#
define(`readahead_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `readahead_domtrans'($*)) dnl
gen_require(`
type readahead_t, readahead_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, readahead_exec_t, readahead_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `readahead_domtrans'($*)) dnl
')
########################################
##
## Manage readahead var_run files.
##
##
##
## Domain allowed access.
##
##
#
define(`readahead_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `readahead_manage_pid_files'($*)) dnl
gen_require(`
type readahead_var_run_t;
')
manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
dev_filetrans($1, readahead_var_run_t, { dir file })
init_pid_filetrans($1, readahead_var_run_t, { dir file })
files_search_pids($1)
init_search_pid_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `readahead_manage_pid_files'($*)) dnl
')
## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
########################################
##
## Execute realmd in the realmd_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`realmd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_domtrans'($*)) dnl
gen_require(`
type realmd_t, realmd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, realmd_exec_t, realmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## realmd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_dbus_chat'($*)) dnl
gen_require(`
type realmd_t;
class dbus send_msg;
')
allow $1 realmd_t:dbus send_msg;
allow realmd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_dbus_chat'($*)) dnl
')
########################################
##
## Search realmd cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_search_cache'($*)) dnl
gen_require(`
type realmd_var_cache_t;
')
allow $1 realmd_var_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_search_cache'($*)) dnl
')
########################################
##
## Read realmd cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_read_cache_files'($*)) dnl
gen_require(`
type realmd_var_cache_t;
')
files_search_var($1)
read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## realmd cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_manage_cache_files'($*)) dnl
gen_require(`
type realmd_var_cache_t;
')
files_search_var($1)
manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_manage_cache_files'($*)) dnl
')
########################################
##
## Manage realmd cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_manage_cache_dirs'($*)) dnl
gen_require(`
type realmd_var_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_manage_cache_dirs'($*)) dnl
')
########################################
##
## Read realmd tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_read_tmp_files'($*)) dnl
gen_require(`
type realmd_tmp_t;
')
files_search_var($1)
read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_read_tmp_files'($*)) dnl
')
#######################################
##
## Read realmd library files.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_read_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_read_var_lib'($*)) dnl
gen_require(`
type realmd_var_lib_t;
')
list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_read_var_lib'($*)) dnl
')
########################################
##
## Send to realmd over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`realmd_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `realmd_dgram_send'($*)) dnl
gen_require(`
type realmd_t, realmd_var_lib_t;
')
files_search_var_lib($1)
dgram_send_pattern($1, realmd_var_lib_t, realmd_var_lib_t, realmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `realmd_dgram_send'($*)) dnl
')
## Advanced key-value store
########################################
##
## Execute redis server in the redis domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`redis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_domtrans'($*)) dnl
gen_require(`
type redis_t, redis_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, redis_exec_t, redis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_domtrans'($*)) dnl
')
########################################
##
## Execute redis server in the redis domain.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_initrc_domtrans'($*)) dnl
gen_require(`
type redis_initrc_exec_t;
')
init_labeled_script_domtrans($1, redis_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_initrc_domtrans'($*)) dnl
')
########################################
##
## Read redis's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_read_log'($*)) dnl
gen_require(`
type redis_log_t;
')
logging_search_logs($1)
read_files_pattern($1, redis_log_t, redis_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_read_log'($*)) dnl
')
########################################
##
## Append to redis log files.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_append_log'($*)) dnl
gen_require(`
type redis_log_t;
')
logging_search_logs($1)
append_files_pattern($1, redis_log_t, redis_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_append_log'($*)) dnl
')
########################################
##
## Manage redis log files
##
##
##
## Domain allowed access.
##
##
#
define(`redis_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_manage_log'($*)) dnl
gen_require(`
type redis_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, redis_log_t, redis_log_t)
manage_files_pattern($1, redis_log_t, redis_log_t)
manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_manage_log'($*)) dnl
')
########################################
##
## Search redis lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_search_lib'($*)) dnl
gen_require(`
type redis_var_lib_t;
')
allow $1 redis_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_search_lib'($*)) dnl
')
########################################
##
## Read redis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_read_lib_files'($*)) dnl
gen_require(`
type redis_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_read_lib_files'($*)) dnl
')
########################################
##
## Manage redis lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_manage_lib_files'($*)) dnl
gen_require(`
type redis_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_manage_lib_files'($*)) dnl
')
########################################
##
## Manage redis lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_manage_lib_dirs'($*)) dnl
gen_require(`
type redis_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read redis PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_read_pid_files'($*)) dnl
gen_require(`
type redis_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, redis_var_run_t, redis_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_read_pid_files'($*)) dnl
')
#######################################
##
## Connect to redis over an unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`redis_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_stream_connect'($*)) dnl
gen_require(`
type redis_t, redis_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, redis_var_run_t, redis_var_run_t, redis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_stream_connect'($*)) dnl
')
########################################
##
## Execute redis server in the redis domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`redis_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_systemctl'($*)) dnl
gen_require(`
type redis_t;
type redis_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 redis_unit_file_t:file read_file_perms;
allow $1 redis_unit_file_t:service manage_service_perms;
ps_process_pattern($1, redis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an redis environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`redis_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `redis_admin'($*)) dnl
gen_require(`
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
type redis_log_t, redis_var_run_t, redis_unit_file_t;
')
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
init_labeled_script_domtrans($1, redis_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 redis_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
redis_systemctl($1)
admin_pattern($1, redis_unit_file_t)
allow $1 redis_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `redis_admin'($*)) dnl
')
## Policy for rshd, rlogind, and telnetd.
########################################
##
## Domain transition to the remote login domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`remotelogin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `remotelogin_domtrans'($*)) dnl
gen_require(`
type remote_login_t;
')
auth_domtrans_login_program($1, remote_login_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `remotelogin_domtrans'($*)) dnl
')
########################################
##
## allow Domain to signal remote login domain.
##
##
##
## Domain allowed access.
##
##
#
define(`remotelogin_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `remotelogin_signal'($*)) dnl
gen_require(`
type remote_login_t;
')
allow $1 remote_login_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `remotelogin_signal'($*)) dnl
')
########################################
##
## allow Domain to signal remote login domain.
##
##
##
## Domain allowed access.
##
##
#
define(`remotelogin_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `remotelogin_signull'($*)) dnl
gen_require(`
type remote_login_t;
')
allow $1 remote_login_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `remotelogin_signull'($*)) dnl
')
## Resource management daemon.
########################################
##
## Connect to resmgrd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`resmgr_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `resmgr_stream_connect'($*)) dnl
gen_require(`
type resmgrd_var_run_t, resmgrd_t;
')
files_search_pids($1)
stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `resmgr_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an resmgr environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`resmgr_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `resmgr_admin'($*)) dnl
gen_require(`
type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_var_run_t;
type resmgrd_etc_t;
')
allow $1 resmgrd_t:process { ptrace signal_perms };
ps_process_pattern($1, resmgrd_t)
init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 resmgrd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, resmgrd_etc_t)
files_search_pids($1)
admin_pattern($1, resmgrd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `resmgr_admin'($*)) dnl
')
## rgmanager - Resource Group Manager
#######################################
##
## Execute a domain transition to run rgmanager.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rgmanager_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_domtrans'($*)) dnl
gen_require(`
type rgmanager_t, rgmanager_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_domtrans'($*)) dnl
')
########################################
##
## Connect to rgmanager over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_stream_connect'($*)) dnl
gen_require(`
type rgmanager_t, rgmanager_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_stream_connect'($*)) dnl
')
########################################
##
## Manage rgmanager pid files
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_manage_pid_files'($*)) dnl
gen_require(`
type rgmanager_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_manage_pid_files'($*)) dnl
')
######################################
##
## Allow manage rgmanager tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_manage_tmp_files'($*)) dnl
gen_require(`
type rgmanager_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_manage_tmp_files'($*)) dnl
')
######################################
##
## Allow manage rgmanager tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_manage_tmpfs_files'($*)) dnl
gen_require(`
type rgmanager_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_manage_tmpfs_files'($*)) dnl
')
#######################################
##
## Allow read and write access to rgmanager semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_rw_semaphores'($*)) dnl
gen_require(`
type rgmanager_t;
')
allow $1 rgmanager_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_rw_semaphores'($*)) dnl
')
######################################
##
## All of the rules required to administrate
## an rgmanager environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the rgmanager domain.
##
##
##
#
define(`rgmanager_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_admin'($*)) dnl
gen_require(`
type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
')
allow $1 rgmanager_t:process signal_perms;
ps_process_pattern($1, rgmanager_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rgmanager_t:process ptrace;
')
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rgmanager_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, rgmanager_tmp_t)
admin_pattern($1, rgmanager_tmpfs_t)
logging_list_logs($1)
admin_pattern($1, rgmanager_var_log_t)
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_admin'($*)) dnl
')
######################################
##
## Allow the specified domain to manage rgmanager's lib/run files.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_manage_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_manage_files'($*)) dnl
gen_require(`
type rgmanager_var_lib_t;
type rgmanager_var_run_t;
')
files_list_var_lib($1)
admin_pattern($1, rgmanager_var_lib_t)
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_manage_files'($*)) dnl
')
######################################
##
## Allow the specified domain to execute rgmanager's lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_execute_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_execute_lib'($*)) dnl
gen_require(`
type rgmanager_var_lib_t;
')
files_list_var_lib($1)
allow $1 rgmanager_var_lib_t:dir search_dir_perms;
can_exec($1, rgmanager_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_execute_lib'($*)) dnl
')
######################################
##
## Allow the specified domain to search rgmanager's lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rgmanager_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_search_lib'($*)) dnl
gen_require(`
type rgmanager_var_lib_t;
')
files_list_var_lib($1)
allow $1 rgmanager_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_search_lib'($*)) dnl
')
## RHCS - Red Hat Cluster Suite
#######################################
##
## Creates types and rules for a basic
## rhcs init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`rhcs_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domain_template'($*)) dnl
gen_require(`
attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
')
##############################
#
# Declarations
#
type $1_t, cluster_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
type $1_tmpfs_t, cluster_tmpfs;
files_tmpfs_file($1_tmpfs_t)
type $1_var_log_t, cluster_log;
logging_log_file($1_var_log_t)
type $1_var_run_t, cluster_pid;
files_pid_file($1_var_run_t)
##############################
#
# Local policy
#
manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
kernel_read_system_state($1_t)
auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domain_template'($*)) dnl
')
######################################
##
## Execute a domain transition to run dlm_controld.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_dlm_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_dlm_controld'($*)) dnl
gen_require(`
type dlm_controld_t, dlm_controld_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_dlm_controld'($*)) dnl
')
#####################################
##
## Connect to dlm_controld over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_dlm_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_dlm_controld'($*)) dnl
gen_require(`
type dlm_controld_t, dlm_controld_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_dlm_controld'($*)) dnl
')
#####################################
##
## Connect to haproxy over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_haproxy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_haproxy'($*)) dnl
gen_require(`
type haproxy_t, haproxy_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_haproxy'($*)) dnl
')
########################################
##
## Send a null signal to haproxy.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_signull_haproxy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_signull_haproxy'($*)) dnl
gen_require(`
type haproxy_t;
')
allow $1 haproxy_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_signull_haproxy'($*)) dnl
')
#####################################
##
## Allow read and write access to dlm_controld semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_dlm_controld_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_dlm_controld_semaphores'($*)) dnl
gen_require(`
type dlm_controld_t, dlm_controld_tmpfs_t;
')
allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_dlm_controld_semaphores'($*)) dnl
')
######################################
##
## Execute a domain transition to run fenced.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_fenced'($*)) dnl
gen_require(`
type fenced_t, fenced_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fenced_exec_t, fenced_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_fenced'($*)) dnl
')
#####################################
##
## Allow a domain to getattr on fenced executable.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_getattr_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_getattr_fenced'($*)) dnl
gen_require(`
type fenced_t, fenced_exec_t;
')
allow $1 fenced_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_getattr_fenced'($*)) dnl
')
######################################
##
## Allow read and write access to fenced semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_fenced_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_fenced_semaphores'($*)) dnl
gen_require(`
type fenced_t, fenced_tmpfs_t;
')
allow $1 fenced_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_fenced_semaphores'($*)) dnl
')
######################################
##
## Read fenced PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_read_fenced_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_fenced_pid_files'($*)) dnl
gen_require(`
type fenced_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_fenced_pid_files'($*)) dnl
')
######################################
##
## Connect to fenced over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_fenced'($*)) dnl
gen_require(`
type fenced_var_run_t, fenced_t;
')
files_search_pids($1)
stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_fenced'($*)) dnl
')
######################################
##
## Send and receive messages from
## fenced over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_dbus_chat_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_dbus_chat_fenced'($*)) dnl
gen_require(`
type fenced_t;
class dbus send_msg;
')
allow $1 fenced_t:dbus send_msg;
allow fenced_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_dbus_chat_fenced'($*)) dnl
')
######################################
##
## Execute a domain transition to run fenced.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_haproxy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_haproxy'($*)) dnl
gen_require(`
type haproxy_t, haproxy_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, haproxy_exec_t, haproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_haproxy'($*)) dnl
')
#####################################
##
## Execute a domain transition to run gfs_controld.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_gfs_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_gfs_controld'($*)) dnl
gen_require(`
type gfs_controld_t, gfs_controld_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_gfs_controld'($*)) dnl
')
####################################
##
## Allow read and write access to gfs_controld semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_gfs_controld_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_gfs_controld_semaphores'($*)) dnl
gen_require(`
type gfs_controld_t, gfs_controld_tmpfs_t;
')
allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_gfs_controld_semaphores'($*)) dnl
')
########################################
##
## Read and write to gfs_controld_t shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_gfs_controld_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_gfs_controld_shm'($*)) dnl
gen_require(`
type gfs_controld_t, gfs_controld_tmpfs_t;
')
allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_gfs_controld_shm'($*)) dnl
')
#####################################
##
## Connect to gfs_controld_t over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_gfs_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_gfs_controld'($*)) dnl
gen_require(`
type gfs_controld_t, gfs_controld_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_gfs_controld'($*)) dnl
')
######################################
##
## Execute a domain transition to run groupd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_groupd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_groupd'($*)) dnl
gen_require(`
type groupd_t, groupd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, groupd_exec_t, groupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_groupd'($*)) dnl
')
#####################################
##
## Connect to groupd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_groupd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_groupd'($*)) dnl
gen_require(`
type groupd_t, groupd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_groupd'($*)) dnl
')
#####################################
##
## Allow read and write access to groupd semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_groupd_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_groupd_semaphores'($*)) dnl
gen_require(`
type groupd_t, groupd_tmpfs_t;
')
allow $1 groupd_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_groupd_semaphores'($*)) dnl
')
########################################
##
## Read and write to group shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_groupd_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_groupd_shm'($*)) dnl
gen_require(`
type groupd_t, groupd_tmpfs_t;
')
allow $1 groupd_t:shm { rw_shm_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_groupd_shm'($*)) dnl
')
########################################
##
## Read and write to group shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_cluster_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_shm'($*)) dnl
gen_require(`
attribute cluster_domain, cluster_tmpfs;
')
allow $1 cluster_domain:shm { rw_shm_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_shm'($*)) dnl
')
####################################
##
## Read and write access to cluster domains semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_cluster_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_semaphores'($*)) dnl
gen_require(`
attribute cluster_domain;
')
allow $1 cluster_domain:sem { rw_sem_perms destroy };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_semaphores'($*)) dnl
')
####################################
##
## Connect to cluster domains over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_cluster'($*)) dnl
gen_require(`
attribute cluster_domain, cluster_pid;
')
files_search_pids($1)
stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_cluster'($*)) dnl
')
#####################################
##
## Connect to cluster domains over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_stream_connect_cluster_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_cluster_to'($*)) dnl
gen_require(`
attribute cluster_domain;
attribute cluster_pid;
')
files_search_pids($1)
stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_cluster_to'($*)) dnl
')
########################################
##
## Send a null signal to cluster.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_signull_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_signull_cluster'($*)) dnl
gen_require(`
type cluster_t;
')
allow $1 cluster_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_signull_cluster'($*)) dnl
')
######################################
##
## Execute a domain transition to run qdiskd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_qdiskd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_qdiskd'($*)) dnl
gen_require(`
type qdiskd_t, qdiskd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_qdiskd'($*)) dnl
')
########################################
##
## Allow domain to read qdiskd tmpfs files
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_read_qdiskd_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_qdiskd_tmpfs_files'($*)) dnl
gen_require(`
type qdiskd_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 qdiskd_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_qdiskd_tmpfs_files'($*)) dnl
')
######################################
##
## Allow domain to read cluster lib files
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_read_cluster_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_cluster_lib_files'($*)) dnl
gen_require(`
type cluster_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_cluster_lib_files'($*)) dnl
')
#####################################
##
## Allow domain to manage cluster lib files
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_manage_cluster_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_lib_files'($*)) dnl
gen_require(`
type cluster_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_lib_files'($*)) dnl
')
####################################
##
## Allow domain to relabel cluster lib files
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_relabel_cluster_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_relabel_cluster_lib_files'($*)) dnl
gen_require(`
type cluster_var_lib_t;
')
files_search_var_lib($1)
relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_relabel_cluster_lib_files'($*)) dnl
')
######################################
##
## Execute a domain transition to run cluster administrative domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_domtrans_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_cluster'($*)) dnl
gen_require(`
type cluster_t, cluster_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, cluster_exec_t, cluster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_cluster'($*)) dnl
')
#######################################
##
## Execute cluster init scripts in
## the init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_initrc_domtrans_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_initrc_domtrans_cluster'($*)) dnl
gen_require(`
type cluster_initrc_exec_t;
')
init_labeled_script_domtrans($1, cluster_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_initrc_domtrans_cluster'($*)) dnl
')
#####################################
##
## Execute cluster in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_exec_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_exec_cluster'($*)) dnl
gen_require(`
type cluster_exec_t;
')
corecmd_search_bin($1)
can_exec($1, cluster_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_exec_cluster'($*)) dnl
')
######################################
##
## Read cluster log files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_read_log_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_log_cluster'($*)) dnl
gen_require(`
type cluster_var_log_t;
')
logging_search_logs($1)
list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_log_cluster'($*)) dnl
')
######################################
##
## Setattr cluster log files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_setattr_log_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_setattr_log_cluster'($*)) dnl
gen_require(`
type cluster_var_log_t;
')
setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_setattr_log_cluster'($*)) dnl
')
#####################################
##
## Allow the specified domain to read/write inherited cluster's tmpf files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_inherited_cluster_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_inherited_cluster_tmp_files'($*)) dnl
gen_require(`
type cluster_tmp_t;
')
allow $1 cluster_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_inherited_cluster_tmp_files'($*)) dnl
')
#####################################
##
## Allow manage cluster tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_manage_cluster_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_tmp_files'($*)) dnl
gen_require(`
type cluster_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_tmp_files'($*)) dnl
')
#####################################
##
## Allow the specified domain to read/write cluster's tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_rw_cluster_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_tmpfs'($*)) dnl
gen_require(`
type cluster_tmpfs_t;
')
rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
allow $1 cluster_tmpfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_tmpfs'($*)) dnl
')
#####################################
##
## Allow manage cluster tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_manage_cluster_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_tmpfs_files'($*)) dnl
gen_require(`
type cluster_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_tmpfs_files'($*)) dnl
')
#####################################
##
## Allow read cluster pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_read_cluster_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_cluster_pid_files'($*)) dnl
gen_require(`
type cluster_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_cluster_pid_files'($*)) dnl
')
#####################################
##
## Allow manage cluster pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_manage_cluster_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_pid_files'($*)) dnl
gen_require(`
type cluster_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_pid_files'($*)) dnl
')
#######################################
##
## Execute cluster server in the cluster domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_systemctl_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_systemctl_cluster'($*)) dnl
gen_require(`
type cluster_t;
type cluster_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 cluster_unit_file_t:file read_file_perms;
allow $1 cluster_unit_file_t:service manage_service_perms;
ps_process_pattern($1, cluster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_systemctl_cluster'($*)) dnl
')
########################################
##
## Send and receive messages from
## a cluster service over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_dbus_chat_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_dbus_chat_cluster'($*)) dnl
gen_require(`
type cluster_t;
class dbus send_msg;
')
allow $1 cluster_t:dbus send_msg;
allow cluster_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_dbus_chat_cluster'($*)) dnl
')
#####################################
##
## All of the rules required to administrate
## an cluster environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the rgmanager domain.
##
##
##
#
define(`rhcs_admin_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_admin_cluster'($*)) dnl
gen_require(`
type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
type cluster_unit_file_t;
')
allow $1 cluster_t:process signal_perms;
ps_process_pattern($1, cluster_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cluster_t:process ptrace;
')
init_labeled_script_domtrans($1, cluster_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cluster_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, cluster_tmp_t)
admin_pattern($1, cluster_tmpfs_t)
logging_list_logs($1)
admin_pattern($1, cluster_var_log_t)
files_list_pids($1)
admin_pattern($1, cluster_var_run_t)
rhcs_systemctl_cluster($1)
admin_pattern($1, cluster_unit_file_t)
allow $1 cluster_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_admin_cluster'($*)) dnl
')
########################################
##
## Start haproxy unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhcs_start_haproxy_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_start_haproxy_services'($*)) dnl
gen_require(`
type haproxy_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 haproxy_unit_file_t:service {status start};
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_start_haproxy_services'($*)) dnl
')
########################################
##
## Create log files with a named file
## type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`rhcs_named_filetrans_log_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_named_filetrans_log_dir'($*)) dnl
gen_require(`
type var_log_t;
')
logging_log_named_filetrans($1, var_log_t, dir, "bundles")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_named_filetrans_log_dir'($*)) dnl
')
## rhev polic module contains policies for rhev apps
#####################################
##
## Execute rhev-agentd in the rhev_agentd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rhev_domtrans_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_domtrans_agentd'($*)) dnl
gen_require(`
type rhev_agentd_t, rhev_agentd_exec_t;
')
domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_domtrans_agentd'($*)) dnl
')
####################################
##
## Read rhev-agentd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhev_read_pid_files_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_read_pid_files_agentd'($*)) dnl
gen_require(`
type rhev_agentd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_read_pid_files_agentd'($*)) dnl
')
#####################################
##
## Connect to rhev_agentd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhev_stream_connect_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_stream_connect_agentd'($*)) dnl
gen_require(`
type rhev_agentd_var_run_t, rhev_agentd_t;
')
files_search_pids($1)
stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_stream_connect_agentd'($*)) dnl
')
######################################
##
## Send sigchld to rhev-agentd
##
##
##
## Domain allowed access
##
##
#
define(`rhev_sigchld_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_sigchld_agentd'($*)) dnl
gen_require(`
type rhev_agentd_t;
')
allow $1 rhev_agentd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_sigchld_agentd'($*)) dnl
')
## Red Hat Graphical Boot
########################################
##
## RHGB stub interface. No access allowed.
##
##
##
## N/A
##
##
#
define(`rhgb_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_stub'($*)) dnl
gen_require(`
type rhgb_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_stub'($*)) dnl
')
########################################
##
## Use a rhgb file descriptor.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_use_fds'($*)) dnl
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_use_fds'($*)) dnl
')
########################################
##
## Get the process group of rhgb.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_getpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_getpgid'($*)) dnl
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_getpgid'($*)) dnl
')
########################################
##
## Send a signal to rhgb.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_signal'($*)) dnl
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_signal'($*)) dnl
')
########################################
##
## Read and write to unix stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_stream_sockets'($*)) dnl
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## rhgb unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`rhgb_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type rhgb_t;
')
dontaudit $1 rhgb_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## Connected to rhgb unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_stream_connect'($*)) dnl
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_stream_connect'($*)) dnl
')
########################################
##
## Read and write to rhgb shared memory.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_shm'($*)) dnl
gen_require(`
type rhgb_t;
')
allow $1 rhgb_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_shm'($*)) dnl
')
########################################
##
## Read from and write to the rhgb devpts.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_use_ptys'($*)) dnl
gen_require(`
type rhgb_devpts_t;
')
allow $1 rhgb_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_use_ptys'($*)) dnl
')
########################################
##
## dontaudit Read from and write to the rhgb devpts.
##
##
##
## Domain to not audit.
##
##
#
define(`rhgb_dontaudit_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_use_ptys'($*)) dnl
gen_require(`
type rhgb_devpts_t;
')
dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_use_ptys'($*)) dnl
')
########################################
##
## Read and write to rhgb temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`rhgb_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_tmpfs_files'($*)) dnl
gen_require(`
type rhgb_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 rhgb_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_tmpfs_files'($*)) dnl
')
## policy for rhnsd
########################################
##
## Transition to rhnsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhnsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_domtrans'($*)) dnl
gen_require(`
type rhnsd_t, rhnsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_domtrans'($*)) dnl
')
########################################
##
## Execute rhnsd server in the rhnsd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rhnsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_initrc_domtrans'($*)) dnl
gen_require(`
type rhnsd_initrc_exec_t;
')
init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute rhnsd server in the rhnsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhnsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_systemctl'($*)) dnl
gen_require(`
type rhnsd_t;
type rhnsd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 rhnsd_unit_file_t:file read_file_perms;
allow $1 rhnsd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rhnsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_systemctl'($*)) dnl
')
######################################
##
## Allow the specified domain to manage
## rhnsd configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhnsd_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_manage_config'($*)) dnl
gen_require(`
type rhnsd_conf_t;
')
files_search_etc($1)
manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
manage_lnk_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_manage_config'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rhnsd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rhnsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_admin'($*)) dnl
gen_require(`
type rhnsd_t;
type rhnsd_initrc_exec_t;
')
allow $1 rhnsd_t:process { ptrace signal_perms };
ps_process_pattern($1, rhnsd_t)
rhnsd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 rhnsd_initrc_exec_t system_r;
allow $2 system_r;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_admin'($*)) dnl
')
## Subscription Management Certificate Daemon policy
########################################
##
## Transition to rhsmcertd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rhsmcertd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_domtrans'($*)) dnl
gen_require(`
type rhsmcertd_t, rhsmcertd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_domtrans'($*)) dnl
')
########################################
##
## Execute rhsmcertd server in the rhsmcertd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_initrc_domtrans'($*)) dnl
gen_require(`
type rhsmcertd_initrc_exec_t;
')
init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read rhsmcertd's config files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_read_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_config_files'($*)) dnl
gen_require(`
type rhsmcertd_config_t;
')
allow $1 rhsmcertd_config_t:dir search;
files_search_var_lib($1)
read_files_pattern($1, rhsmcertd_config_t, rhsmcertd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_config_files'($*)) dnl
')
########################################
##
## Read rhsmcertd's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rhsmcertd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_log'($*)) dnl
gen_require(`
type rhsmcertd_log_t;
')
logging_search_logs($1)
read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_log'($*)) dnl
')
########################################
##
## Append to rhsmcertd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_append_log'($*)) dnl
gen_require(`
type rhsmcertd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_append_log'($*)) dnl
')
########################################
##
## Manage rhsmcertd log files
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_log'($*)) dnl
gen_require(`
type rhsmcertd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_log'($*)) dnl
')
########################################
##
## Search rhsmcertd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_search_lib'($*)) dnl
gen_require(`
type rhsmcertd_var_lib_t;
')
allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_search_lib'($*)) dnl
')
########################################
##
## Read rhsmcertd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_lib_files'($*)) dnl
gen_require(`
type rhsmcertd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_lib_files'($*)) dnl
')
########################################
##
## Manage rhsmcertd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_lib_files'($*)) dnl
gen_require(`
type rhsmcertd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_lib_files'($*)) dnl
')
########################################
##
## Manage rhsmcertd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_lib_dirs'($*)) dnl
gen_require(`
type rhsmcertd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read cloud-what cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`cloud_what_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloud_what_read_cache_files'($*)) dnl
gen_require(`
type cloud_what_var_cache_t;
')
files_search_var($1)
read_files_pattern($1, cloud_what_var_cache_t, cloud_what_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloud_what_read_cache_files'($*)) dnl
')
########################################
##
## Manage cloud-what cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`cloud_what_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloud_what_manage_cache_files'($*)) dnl
gen_require(`
type cloud_what_var_cache_t;
')
files_search_var($1)
manage_files_pattern($1, cloud_what_var_cache_t, cloud_what_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloud_what_manage_cache_files'($*)) dnl
')
########################################
##
## Manage cloud-what cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`cloud_what_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloud_what_manage_cache_dirs'($*)) dnl
gen_require(`
type cloud_what_var_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, cloud_what_var_cache_t, cloud_what_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloud_what_manage_cache_dirs'($*)) dnl
')
########################################
##
## Read rhsmcertd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_pid_files'($*)) dnl
gen_require(`
type rhsmcertd_var_run_t;
')
files_search_pids($1)
allow $1 rhsmcertd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_pid_files'($*)) dnl
')
########################################
##
## Read rhsmcertd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_pid_files'($*)) dnl
gen_require(`
type rhsmcertd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_pid_files'($*)) dnl
')
########################################
##
## Read/wirte inherited lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_rw_inherited_lock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_rw_inherited_lock_files'($*)) dnl
gen_require(`
type rhsmcertd_lock_t;
')
files_search_locks($1)
allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_rw_inherited_lock_files'($*)) dnl
')
########################################
##
## Read/wirte lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_rw_lock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_rw_lock_files'($*)) dnl
gen_require(`
type rhsmcertd_lock_t;
')
files_search_locks($1)
allow $1 rhsmcertd_lock_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_rw_lock_files'($*)) dnl
')
####################################
##
## Connect to rhsmcertd over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_stream_connect'($*)) dnl
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_stream_connect'($*)) dnl
')
#######################################
##
## Send and receive messages from
## rhsmcertd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_dbus_chat'($*)) dnl
gen_require(`
type rhsmcertd_t;
class dbus send_msg;
')
allow $1 rhsmcertd_t:dbus send_msg;
allow rhsmcertd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_dbus_chat'($*)) dnl
')
######################################
##
## Dontaudit Send and receive messages from
## rhsmcertd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rhsmcertd_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type rhsmcertd_t;
class dbus send_msg;
')
dontaudit $1 rhsmcertd_t:dbus send_msg;
dontaudit rhsmcertd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rhsmcertd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rhsmcertd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_admin'($*)) dnl
gen_require(`
type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t;
')
allow $1 rhsmcertd_t:process signal_perms;
ps_process_pattern($1, rhsmcertd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rhsmcertd_t:process ptrace;
')
rhsmcertd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 rhsmcertd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, rhsmcertd_log_t)
files_search_var_lib($1)
admin_pattern($1, rhsmcertd_var_lib_t)
files_search_pids($1)
admin_pattern($1, rhsmcertd_var_run_t)
files_search_locks($1)
admin_pattern($1, rhsmcertd_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_admin'($*)) dnl
')
## Ricci cluster management agent
########################################
##
## Execute a domain transition to run ricci.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans'($*)) dnl
gen_require(`
type ricci_t, ricci_exec_t;
')
domtrans_pattern($1, ricci_exec_t, ricci_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans'($*)) dnl
')
#######################################
##
## Execute ricci server in the ricci domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ricci_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_initrc_domtrans'($*)) dnl
gen_require(`
type ricci_initrc_exec_t;
')
init_labeled_script_domtrans($1, ricci_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modcluster.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modcluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modcluster'($*)) dnl
gen_require(`
type ricci_modcluster_t, ricci_modcluster_exec_t;
')
domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modcluster'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## ricci_modcluster file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`ricci_dontaudit_use_modcluster_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_use_modcluster_fds'($*)) dnl
gen_require(`
type ricci_modcluster_t;
')
dontaudit $1 ricci_modcluster_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_dontaudit_use_modcluster_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read write
## ricci_modcluster unamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`ricci_dontaudit_rw_modcluster_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl
gen_require(`
type ricci_modcluster_t;
')
dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl
')
########################################
##
## Connect to ricci_modclusterd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ricci_stream_connect_modclusterd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_stream_connect_modclusterd'($*)) dnl
gen_require(`
type ricci_modclusterd_t, ricci_modcluster_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_stream_connect_modclusterd'($*)) dnl
')
########################################
##
## Read and write to ricci_modcluserd temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`ricci_rw_modclusterd_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_rw_modclusterd_tmpfs_files'($*)) dnl
gen_require(`
type ricci_modclusterd_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_rw_modclusterd_tmpfs_files'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modlog.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modlog'($*)) dnl
gen_require(`
type ricci_modlog_t, ricci_modlog_exec_t;
')
domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modlog'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modrpm.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modrpm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modrpm'($*)) dnl
gen_require(`
type ricci_modrpm_t, ricci_modrpm_exec_t;
')
domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modrpm'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modservice.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modservice',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modservice'($*)) dnl
gen_require(`
type ricci_modservice_t, ricci_modservice_exec_t;
')
domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modservice'($*)) dnl
')
########################################
##
## Execute a domain transition to run ricci_modstorage.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ricci_domtrans_modstorage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modstorage'($*)) dnl
gen_require(`
type ricci_modstorage_t, ricci_modstorage_exec_t;
')
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modstorage'($*)) dnl
')
####################################
##
## Allow the specified domain to manage ricci's lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`ricci_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_manage_lib_files'($*)) dnl
gen_require(`
type ricci_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an ricci environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ricci_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_admin'($*)) dnl
gen_require(`
type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
')
allow $1 ricci_t:process signal_perms;
ps_process_pattern($1, ricci_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ricci_t:process ptrace;
')
ricci_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, ricci_tmp_t)
files_list_var_lib($1)
admin_pattern($1, ricci_var_lib_t)
logging_list_logs($1)
admin_pattern($1, ricci_var_log_t)
files_list_pids($1)
admin_pattern($1, ricci_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_admin'($*)) dnl
')
## policy for rkhunter
########################################
##
## Append rkhunter lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rkhunter_append_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkhunter_append_lib_files'($*)) dnl
gen_require(`
type rkhunter_var_lib_t;
')
files_search_var_lib($1)
append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkhunter_append_lib_files'($*)) dnl
')
########################################
##
## Manage rkhunter lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rkhunter_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkhunter_manage_lib_files'($*)) dnl
gen_require(`
type rkhunter_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkhunter_manage_lib_files'($*)) dnl
')
## CLI for running app containers
########################################
##
## Execute rkt_exec_t in the rkt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rkt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_domtrans'($*)) dnl
gen_require(`
type rkt_t, rkt_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rkt_exec_t, rkt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_domtrans'($*)) dnl
')
######################################
##
## Execute rkt in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rkt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_exec'($*)) dnl
gen_require(`
type rkt_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rkt_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_exec'($*)) dnl
')
########################################
##
## Search rkt lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rkt_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_search_lib'($*)) dnl
gen_require(`
type rkt_var_lib_t;
')
allow $1 rkt_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_search_lib'($*)) dnl
')
########################################
##
## Read rkt lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rkt_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_read_lib_files'($*)) dnl
gen_require(`
type rkt_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_read_lib_files'($*)) dnl
')
########################################
##
## Manage rkt lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rkt_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_manage_lib_files'($*)) dnl
gen_require(`
type rkt_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_manage_lib_files'($*)) dnl
')
########################################
##
## Manage rkt lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rkt_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_manage_lib_dirs'($*)) dnl
gen_require(`
type rkt_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute rkt server in the rkt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rkt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_systemctl'($*)) dnl
gen_require(`
type rkt_t;
type rkt_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 rkt_unit_file_t:file read_file_perms;
allow $1 rkt_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rkt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rkt environment
##
##
##
## Domain allowed access.
##
##
#
define(`rkt_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_admin'($*)) dnl
gen_require(`
type rkt_t;
type rkt_var_lib_t;
type rkt_unit_file_t;
')
allow $1 rkt_t:process { signal_perms };
ps_process_pattern($1, rkt_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rkt_t:process ptrace;
')
files_search_var_lib($1)
admin_pattern($1, rkt_var_lib_t)
rkt_systemctl($1)
admin_pattern($1, rkt_unit_file_t)
allow $1 rkt_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_admin'($*)) dnl
')
## Remote login daemon.
########################################
##
## Execute rlogind in the rlogin domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rlogin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_domtrans'($*)) dnl
gen_require(`
type rlogind_t, rlogind_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rlogind_exec_t, rlogind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_domtrans'($*)) dnl
')
########################################
##
## Read rlogin user home content.
##
##
##
## Domain allowed access.
##
##
#
define(`rlogin_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_read_home_content'($*)) dnl
gen_require(`
type rlogind_home_t;
')
userdom_search_user_home_dirs($1)
list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
read_files_pattern($1, rlogind_home_t, rlogind_home_t)
read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_read_home_content'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## rlogind home files.
##
##
##
## Domain allowed access.
##
##
#
define(`rlogin_manage_rlogind_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_manage_rlogind_home_files'($*)) dnl
gen_require(`
type rlogind_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 rlogind_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_manage_rlogind_home_files'($*)) dnl
')
########################################
##
## Relabel rlogind home files.
##
##
##
## Domain allowed access.
##
##
#
define(`rlogin_relabel_rlogind_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_relabel_rlogind_home_files'($*)) dnl
gen_require(`
type rlogind_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 rlogind_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_relabel_rlogind_home_files'($*)) dnl
')
########################################
##
## Create objects in user home
## directories with the rlogind home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`rlogin_home_filetrans_logind_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_home_filetrans_logind_home'($*)) dnl
gen_require(`
type rlogind_home_t;
')
userdom_user_home_dir_filetrans($1, rlogind_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_home_filetrans_logind_home'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## rlogind temporary content.
##
##
##
## Domain allowed access.
##
##
#
define(`rlogin_manage_rlogind_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_manage_rlogind_tmp_content'($*)) dnl
gen_require(`
type rlogind_tmp_t;
')
files_search_tmp($1)
allow $1 rlogind_tmp_t:dir manage_dir_perms;
allow $1 rlogind_tmp_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_manage_rlogind_tmp_content'($*)) dnl
')
########################################
##
## Relabel rlogind temporary content.
##
##
##
## Domain allowed access.
##
##
#
define(`rlogin_relabel_rlogind_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_relabel_rlogind_tmp_content'($*)) dnl
gen_require(`
type rlogind_tmp_t;
')
files_search_tmp($1)
allow $1 rlogind_tmp_t:dir relabel_dir_perms;
allow $1 rlogind_tmp_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_relabel_rlogind_tmp_content'($*)) dnl
')
## Check and feed random data from hardware device to kernel random device.
########################################
##
## Execute rngd in the rngd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rng_systemctl_rngd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rng_systemctl_rngd'($*)) dnl
gen_require(`
type rngd_t, rngd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 rngd_unit_file_t:file read_file_perms;
allow $1 rngd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rngd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rng_systemctl_rngd'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an rng environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rng_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rng_admin'($*)) dnl
gen_require(`
type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
')
allow $1 rngd_t:process signal_perms;
ps_process_pattern($1, rngd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rngd_t:process ptrace;
')
init_labeled_script_domtrans($1, rngd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rngd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, rngd_var_run_t)
rng_systemctl_rngd($1)
admin_pattern($1, rngd_unit_file_t)
allow $1 rngd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rng_admin'($*)) dnl
')
## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles.
########################################
##
## Execute rolekit in the rolekit domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rolekit_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_domtrans'($*)) dnl
gen_require(`
type rolekit_t, rolekit_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rolekit_exec_t, rolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_domtrans'($*)) dnl
')
########################################
##
## Execute rolekit server in the rolekit domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rolekit_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_systemctl'($*)) dnl
gen_require(`
type rolekit_t;
type rolekit_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 rolekit_unit_file_t:file read_file_perms;
allow $1 rolekit_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_systemctl'($*)) dnl
')
#######################################
##
## Manage rolekit kernel keyrings.
##
##
##
## Domain allowed access.
##
##
#
define(`rolekit_manage_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_manage_keys'($*)) dnl
gen_require(`
type rolekit_t;
')
allow $1 rolekit_t:key manage_key_perms;
allow rolekit_t $1:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_manage_keys'($*)) dnl
')
########################################
##
## Send and receive messages from
## policykit over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rolekit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_dbus_chat'($*)) dnl
gen_require(`
type rolekit_t;
class dbus send_msg;
')
ps_process_pattern(rolekit_t, $1)
allow $1 rolekit_t:dbus send_msg;
allow rolekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_dbus_chat'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rolekit environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`rolekit_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_admin'($*)) dnl
gen_require(`
type rolekit_t;
type rolekit_unit_file_t;
')
allow $1 rolekit_t:process { signal_perms };
ps_process_pattern($1, rolekit_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rolekit_t:process ptrace;
')
rolekit_systemctl($1)
admin_pattern($1, rolekit_unit_file_t)
allow $1 rolekit_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_admin'($*)) dnl
')
#######################################
##
## Send to rolekit with a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rolekit_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_dgram_send'($*)) dnl
gen_require(`
type rolekit_t;
')
allow $1 rolekit_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_dgram_send'($*)) dnl
')
## Roundup Issue Tracking System.
########################################
##
## All of the rules required to
## administrate an roundup environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`roundup_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `roundup_admin'($*)) dnl
gen_require(`
type roundup_t, roundup_var_lib_t, roundup_var_run_t;
type roundup_initrc_exec_t;
')
allow $1 roundup_t:process signal_perms;
ps_process_pattern($1, roundup_t)
tunable_policy(`deny_ptrace',`',`
allow $1 roundup_t:process ptrace;
')
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 roundup_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, roundup_var_lib_t)
files_list_pids($1)
admin_pattern($1, roundup_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `roundup_admin'($*)) dnl
')
## Remote Procedure Call Daemon for managment of network based process communication
########################################
##
## RPC stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_stub'($*)) dnl
gen_require(`
type exports_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_stub'($*)) dnl
')
#######################################
##
## The template to define a rpc domain.
##
##
##
## This template creates a domain to be used for
## a new rpc daemon.
##
##
##
##
## The type of daemon to be used.
##
##
#
define(`rpc_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domain_template'($*)) dnl
gen_require(`
attribute rpc_domain;
')
########################################
#
# Declarations
#
type $1_t, rpc_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
domain_use_interactive_fds($1_t)
####################################
#
# Local Policy
#
kernel_read_system_state($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domain_template'($*)) dnl
')
########################################
##
## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_send'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_send'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the NFS export file.
##
##
##
## Domain to not audit.
##
##
#
define(`rpc_dontaudit_getattr_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_dontaudit_getattr_exports'($*)) dnl
gen_require(`
type exports_t;
')
dontaudit $1 exports_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_dontaudit_getattr_exports'($*)) dnl
')
########################################
##
## Allow read access to exports.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_read_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_exports'($*)) dnl
gen_require(`
type exports_t;
')
allow $1 exports_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_exports'($*)) dnl
')
########################################
##
## Allow write access to exports.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_write_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_write_exports'($*)) dnl
gen_require(`
type exports_t;
')
allow $1 exports_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_write_exports'($*)) dnl
')
########################################
##
## Manage nfs file exports
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_manage_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_exports'($*)) dnl
gen_require(`
type exports_t;
')
manage_files_pattern($1, exports_t, exports_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_exports'($*)) dnl
')
########################################
##
## Execute domain in nfsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_domtrans_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_nfsd'($*)) dnl
gen_require(`
type nfsd_t, nfsd_exec_t;
')
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_nfsd'($*)) dnl
')
#######################################
##
## Execute domain in nfsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_initrc_domtrans_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_initrc_domtrans_nfsd'($*)) dnl
gen_require(`
type nfsd_initrc_exec_t;
')
init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_initrc_domtrans_nfsd'($*)) dnl
')
########################################
##
## Execute nfsd server in the nfsd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_systemctl_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_systemctl_nfsd'($*)) dnl
gen_require(`
type nfsd_unit_file_t;
type nfsd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 nfsd_unit_file_t:file read_file_perms;
allow $1 nfsd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, nfsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_systemctl_nfsd'($*)) dnl
')
########################################
##
## Send kill signals to rpcd.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_kill_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_kill_rpcd'($*)) dnl
gen_require(`
type rpcd_t;
')
allow $1 rpcd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_kill_rpcd'($*)) dnl
')
########################################
##
## Execute domain in rpcd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_domtrans_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_rpcd'($*)) dnl
gen_require(`
type rpcd_t, rpcd_exec_t;
')
domtrans_pattern($1, rpcd_exec_t, rpcd_t)
allow rpcd_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_rpcd'($*)) dnl
')
########################################
##
## Execute rpcd in the rcpd domain, and
## allow the specified role the rpcd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rpc_run_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_run_rpcd'($*)) dnl
gen_require(`
type rpcd_t;
')
rpc_domtrans_rpcd($1)
role $2 types rpcd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_run_rpcd'($*)) dnl
')
#######################################
##
## Execute domain in rpcd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_initrc_domtrans_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_initrc_domtrans_rpcd'($*)) dnl
gen_require(`
type rpcd_initrc_exec_t;
')
init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_initrc_domtrans_rpcd'($*)) dnl
')
########################################
##
## Execute rpcd server in the rpcd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_systemctl_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_systemctl_rpcd'($*)) dnl
gen_require(`
type rpcd_unit_file_t;
type rpcd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 rpcd_unit_file_t:file read_file_perms;
allow $1 rpcd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rpcd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_systemctl_rpcd'($*)) dnl
')
########################################
##
## Allow domain to read and write to an NFS UDP socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_udp_rw_nfs_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_rw_nfs_sockets'($*)) dnl
gen_require(`
type nfsd_t;
')
allow $1 nfsd_t:udp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_rw_nfs_sockets'($*)) dnl
')
########################################
##
## Send UDP traffic to NFSd. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_udp_send_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_send_nfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_send_nfs'($*)) dnl
')
########################################
##
## Search NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_search_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_search_nfs_state_data'($*)) dnl
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_search_nfs_state_data'($*)) dnl
')
########################################
##
## List NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_list_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_list_nfs_state_data'($*)) dnl
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_list_nfs_state_data'($*)) dnl
')
########################################
##
## Manage NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_manage_nfs_state_data_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_state_data_dir'($*)) dnl
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_state_data_dir'($*)) dnl
')
########################################
##
## Read NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_read_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_nfs_state_data'($*)) dnl
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_nfs_state_data'($*)) dnl
')
########################################
##
## Manage NFS state data in /var/lib/nfs.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_manage_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_state_data'($*)) dnl
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
allow $1 var_lib_nfs_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_state_data'($*)) dnl
')
########################################
##
## Execute domain in gssd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpc_domtrans_gssd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_gssd'($*)) dnl
gen_require(`
type gssd_t, gssd_exec_t;
')
domtrans_pattern($1, gssd_exec_t, gssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_gssd'($*)) dnl
')
########################################
##
## Write keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_rw_gssd_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_rw_gssd_keys'($*)) dnl
gen_require(`
type gssd_t;
')
allow $1 gssd_t:key { read search setattr view write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_rw_gssd_keys'($*)) dnl
')
########################################
##
## Transition to alsa named content
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_filetrans_var_lib_nfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_filetrans_var_lib_nfs_content'($*)) dnl
gen_require(`
type var_lib_nfs_t;
')
files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_filetrans_var_lib_nfs_content'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an rpc environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rpc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_admin'($*)) dnl
gen_require(`
attribute rpc_domain;
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
type nfsd_rw_t, gssd_keytab_t;
')
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
domain_system_change_exemption($1)
role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
files_list_var_lib($1)
admin_pattern($1, var_lib_nfs_t)
files_list_pids($1)
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
admin_pattern($1, nfsd_rw_t )
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
fs_search_nfsd_fs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_admin'($*)) dnl
')
########################################
##
## Read gssd process state files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_read_gssd_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_gssd_state'($*)) dnl
gen_require(`
type gssd_t;
')
ps_process_pattern($1, gssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_gssd_state'($*)) dnl
')
########################################
##
## Read and write to svirt_image devices.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_gssd_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_gssd_noatsecure'($*)) dnl
gen_require(`
type gssd_t;
')
allow $1 gssd_t:process { noatsecure rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_gssd_noatsecure'($*)) dnl
')
########################################
##
## Send and receive messages from
## ganesha over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rpc_dbus_chat_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_dbus_chat_nfsd'($*)) dnl
gen_require(`
type nfsd_t;
class dbus send_msg;
')
allow $1 nfsd_t:dbus send_msg;
allow nfsd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_dbus_chat_nfsd'($*)) dnl
')
## Universal Addresses to RPC Program Number Mapper
########################################
##
## Execute a domain transition to run rpcbind.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpcbind_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_domtrans'($*)) dnl
gen_require(`
type rpcbind_t, rpcbind_exec_t;
')
domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_domtrans'($*)) dnl
')
########################################
##
## Connect to rpcbindd over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_stream_connect'($*)) dnl
gen_require(`
type rpcbind_t, rpcbind_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_stream_connect'($*)) dnl
')
########################################
##
## Read rpcbind PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_read_pid_files'($*)) dnl
gen_require(`
type rpcbind_var_run_t;
')
files_search_pids($1)
allow $1 rpcbind_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_read_pid_files'($*)) dnl
')
########################################
##
## Search rpcbind lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_search_lib'($*)) dnl
gen_require(`
type rpcbind_var_lib_t;
')
allow $1 rpcbind_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_search_lib'($*)) dnl
')
########################################
##
## Read rpcbind lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_read_lib_files'($*)) dnl
gen_require(`
type rpcbind_var_lib_t;
')
read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## rpcbind lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_manage_lib_files'($*)) dnl
gen_require(`
type rpcbind_var_lib_t;
')
manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_manage_lib_files'($*)) dnl
')
########################################
##
## Send a null signal to rpcbind.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_signull'($*)) dnl
gen_require(`
type rpcbind_t;
')
allow $1 rpcbind_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_signull'($*)) dnl
')
########################################
##
## Transition to rpcbind named content
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_filetrans_named_content'($*)) dnl
gen_require(`
type rpcbind_var_run_t;
')
files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_filetrans_named_content'($*)) dnl
')
########################################
##
## Relabel from rpcbind sock file.
##
##
##
## Domain allowed access.
##
##
#
define(`rpcbind_relabel_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_relabel_sock_file'($*)) dnl
gen_require(`
type rpcbind_var_run_t;
')
allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_relabel_sock_file'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rpcbind environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the rpcbind domain.
##
##
##
#
define(`rpcbind_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_admin'($*)) dnl
gen_require(`
type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
type rpcbind_initrc_exec_t;
')
allow $1 rpcbind_t:process signal_perms;
ps_process_pattern($1, rpcbind_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rpcbind_t:process ptrace;
')
init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, rpcbind_var_lib_t)
files_list_pids($1)
admin_pattern($1, rpcbind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_admin'($*)) dnl
')
## Policy for the RPM package manager.
########################################
##
## Execute rpm programs in the rpm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_domtrans'($*)) dnl
gen_require(`
type rpm_t, rpm_exec_t;
attribute rpm_transition_domain;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
typeattribute $1 rpm_transition_domain;
rpm_debuginfo_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_domtrans'($*)) dnl
')
########################################
##
## Execute debuginfo_install programs in the rpm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpm_debuginfo_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_debuginfo_domtrans'($*)) dnl
gen_require(`
type rpm_t, debuginfo_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
read_lnk_files_pattern($1, debuginfo_exec_t, debuginfo_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_debuginfo_domtrans'($*)) dnl
')
########################################
##
## Execute rpm_script programs in the rpm_script domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpm_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_domtrans_script'($*)) dnl
gen_require(`
type rpm_script_t;
')
# transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_domtrans_script'($*)) dnl
')
########################################
##
## Execute RPM programs in the RPM domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the RPM domain.
##
##
##
#
define(`rpm_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_run'($*)) dnl
gen_require(`
type rpm_t, rpm_script_t;
attribute_role rpm_script_roles;
')
rpm_domtrans($1)
roleattribute $2 rpm_script_roles;
domain_system_change_exemption($1)
rpm_transition_script($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_run'($*)) dnl
')
########################################
##
## Execute the rpm client in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_exec'($*)) dnl
gen_require(`
type rpm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rpm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_exec'($*)) dnl
')
########################################
##
## Execute rpmdb in the rpmdb domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rpmdb_domtrans_rpmdb',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpmdb_domtrans_rpmdb'($*)) dnl
gen_require(`
type rpmdb_t, rpmdb_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpmdb_exec_t, rpmdb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpmdb_domtrans_rpmdb'($*)) dnl
')
########################################
##
## Execute rpmdb in the rpmdb domain,
## and allow the specified role the rpmdb domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`rpmdb_run_rpmdb',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpmdb_run_rpmdb'($*)) dnl
gen_require(`
attribute_role rpmdb_roles;
')
rpmdb_domtrans_rpmdb($1)
roleattribute $2 rpmdb_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpmdb_run_rpmdb'($*)) dnl
')
########################################
##
## Do not audit to execute a rpm.
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_exec'($*)) dnl
gen_require(`
type rpm_exec_t;
')
dontaudit $1 rpm_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_exec'($*)) dnl
')
########################################
##
## Send a null signal to rpm.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_signull'($*)) dnl
gen_require(`
type rpm_t;
')
allow $1 rpm_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_signull'($*)) dnl
')
########################################
##
## Send a signals to rpm.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_script_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_script_signal'($*)) dnl
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_script_signal'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from RPM.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_use_fds'($*)) dnl
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_use_fds'($*)) dnl
')
########################################
##
## Read from an unnamed RPM pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_pipes'($*)) dnl
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_pipes'($*)) dnl
')
########################################
##
## Read and write an unnamed RPM pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_rw_pipes'($*)) dnl
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_rw_pipes'($*)) dnl
')
########################################
##
## Read and write an unnamed RPM script pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_rw_script_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_rw_script_inherited_pipes'($*)) dnl
gen_require(`
type rpm_script_tmp_t;
')
allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_rw_script_inherited_pipes'($*)) dnl
')
########################################
##
## dontaudit read and write an leaked file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_leaks'($*)) dnl
gen_require(`
type rpm_t, rpm_var_cache_t;
type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_t:tcp_socket { read write };
dontaudit $1 rpm_t:unix_dgram_socket { read write };
dontaudit $1 rpm_t:shm rw_shm_perms;
dontaudit $1 rpm_script_t:fd use;
dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_lib_t:dir getattr;
dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_leaks'($*)) dnl
')
########################################
##
## Send and receive messages from
## rpm over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dbus_chat'($*)) dnl
gen_require(`
type rpm_t;
class dbus send_msg;
')
allow $1 rpm_t:dbus send_msg;
allow rpm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dbus_chat'($*)) dnl
')
########################################
##
## Do not audit attempts to send and
## receive messages from rpm over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type rpm_t;
class dbus send_msg;
')
dontaudit $1 rpm_t:dbus send_msg;
dontaudit rpm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## rpm_script over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_script_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_script_dbus_chat'($*)) dnl
gen_require(`
type rpm_script_t;
class dbus send_msg;
')
allow $1 rpm_script_t:dbus send_msg;
allow rpm_script_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_script_dbus_chat'($*)) dnl
')
########################################
##
## Search RPM log directory.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_search_log'($*)) dnl
gen_require(`
type rpm_log_t;
')
logging_search_logs($1)
allow $1 rpm_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_search_log'($*)) dnl
')
#####################################
##
## Allow the specified domain to append
## to rpm log files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_append_log'($*)) dnl
gen_require(`
type rpm_log_t;
')
allow $1 rpm_log_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete the RPM log.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_log'($*)) dnl
gen_require(`
type rpm_log_t;
')
read_files_pattern($1, rpm_log_t, rpm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete the RPM log.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_log'($*)) dnl
gen_require(`
type rpm_log_t;
')
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_log'($*)) dnl
')
########################################
##
## Create rpm logs with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_named_filetrans'($*)) dnl
gen_require(`
type rpm_log_t;
type rpm_var_cache_t;
type rpm_var_lib_t;
')
logging_log_named_filetrans($1, rpm_log_t, file, "dnf.log")
logging_log_named_filetrans($1, rpm_log_t, file, "dnf.librepo.log")
logging_log_named_filetrans($1, rpm_log_t, file, "dnf.rpm.log")
logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_named_filetrans'($*)) dnl
')
########################################
##
## Create rpm hawkey logs with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_hawkey_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_hawkey_named_filetrans'($*)) dnl
gen_require(`
type rpm_log_t;
')
allow $1 rpm_log_t:file manage_file_perms;
logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_hawkey_named_filetrans'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from RPM scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_use_script_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_use_script_fds'($*)) dnl
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_use_script_fds'($*)) dnl
')
########################################
##
## Create, read, write, and delete RPM
## script temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_script_tmp_files'($*)) dnl
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_script_tmp_files'($*)) dnl
')
#####################################
##
## Allow the specified domain to append
## to rpm tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_append_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_append_tmp_files'($*)) dnl
gen_require(`
type rpm_tmp_t;
')
allow $1 rpm_tmp_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_append_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete RPM
## temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_tmp_files'($*)) dnl
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_tmp_files'($*)) dnl
')
########################################
##
## Read rpm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_tmp_files'($*)) dnl
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
read_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_tmp_files'($*)) dnl
')
########################################
##
## Read RPM script temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_script_tmp_files'($*)) dnl
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_script_tmp_files'($*)) dnl
')
########################################
##
## Read the RPM cache.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_cache'($*)) dnl
gen_require(`
type rpm_var_cache_t;
')
files_search_var($1)
allow $1 rpm_var_cache_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete the RPM package database.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_cache'($*)) dnl
gen_require(`
type rpm_var_cache_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_cache'($*)) dnl
')
########################################
##
## Read the RPM package database.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
allow $1 rpm_var_lib_t:file map;
rpm_read_cache($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_db'($*)) dnl
')
########################################
##
## Delete the RPM package database.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_delete_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_delete_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_delete_db'($*)) dnl
')
########################################
##
## Create, read, write, and delete the RPM package database.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
allow $1 rpm_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,the RPM package database.
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_read_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
dontaudit $1 rpm_var_lib_t:file read_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_read_db'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
##
##
## Domain to not audit.
##
##
#
define(`rpm_dontaudit_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_manage_db'($*)) dnl
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
dontaudit $1 rpm_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_manage_db'($*)) dnl
')
#####################################
##
## Read rpm pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_pid_files'($*)) dnl
gen_require(`
type rpm_var_run_t;
')
read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_pid_files'($*)) dnl
')
#####################################
##
## Create, read, write, and delete rpm pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_pid_files'($*)) dnl
gen_require(`
type rpm_var_run_t;
')
manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_pid_files'($*)) dnl
')
######################################
##
## Create files in /var/run with the rpm pid file type.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_pid_filetrans'($*)) dnl
gen_require(`
type rpm_var_run_t;
')
files_pid_filetrans($1, rpm_var_run_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_pid_filetrans'($*)) dnl
')
########################################
##
## Send a null signal to rpm.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_inherited_fifo',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_inherited_fifo'($*)) dnl
gen_require(`
attribute rpm_transition_domain;
')
allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_inherited_fifo'($*)) dnl
')
########################################
##
## Make rpm_exec_t an entry point for
## the specified domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rpm_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_entry_type'($*)) dnl
gen_require(`
type rpm_exec_t;
')
domain_entry_file($1, rpm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_entry_type'($*)) dnl
')
########################################
##
## Allow application to transition to rpm_script domain.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`rpm_transition_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_transition_script'($*)) dnl
gen_require(`
type rpm_script_t;
attribute rpm_transition_domain;
attribute_role rpm_script_roles;
')
typeattribute $1 rpm_transition_domain;
allow $1 rpm_script_t:process transition;
roleattribute $2 rpm_script_roles;
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
allow rpm_script_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_transition_script'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an rpm environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rpm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_admin'($*)) dnl
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
type rpm_var_run_t;
')
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpm_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, rpm_file_t)
files_list_tmp($1)
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
files_list_var_lib($1)
admin_pattern($1, rpm_var_lib_t)
files_search_locks($1)
admin_pattern($1, rpm_lock_t)
logging_list_logs($1)
admin_pattern($1, rpm_log_t)
files_list_pids($1)
admin_pattern($1, rpm_var_run_t)
fs_search_tmpfs($1)
admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
rpm_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_admin'($*)) dnl
')
## rrdcached - Daemon that receives updates to existing RRD files, accumulates them and writes the updates to the RRD file.
########################################
##
## Execute rrdcached_exec_t in the rrdcached domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rrdcached_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_domtrans'($*)) dnl
gen_require(`
type rrdcached_t, rrdcached_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rrdcached_exec_t, rrdcached_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_domtrans'($*)) dnl
')
######################################
##
## Execute rrdcached in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rrdcached_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_exec'($*)) dnl
gen_require(`
type rrdcached_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rrdcached_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_exec'($*)) dnl
')
########################################
##
## Read rrdcached PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rrdcached_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_read_pid_files'($*)) dnl
gen_require(`
type rrdcached_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, rrdcached_var_run_t, rrdcached_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rrdcached environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rrdcached_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_admin'($*)) dnl
gen_require(`
type rrdcached_t;
type rrdcached_var_run_t;
')
allow $1 rrdcached_t:process { signal_perms };
ps_process_pattern($1, rrdcached_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rrdcached_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, rrdcached_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_admin'($*)) dnl
')
## Remote shell service.
########################################
##
## Domain transition to rshd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rshd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rshd_domtrans'($*)) dnl
gen_require(`
type rshd_exec_t, rshd_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rshd_exec_t, rshd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rshd_domtrans'($*)) dnl
')
## Restricted (scp/sftp) only shell.
########################################
##
## Role access for rssh.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`rssh_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_role'($*)) dnl
gen_require(`
attribute_role rssh_roles;
type rssh_t, rssh_exec_t, rssh_ro_t;
type rssh_rw_t;
')
roleattribute $1 rssh_roles;
domtrans_pattern($2, rssh_exec_t, rssh_t)
allow $2 rssh_t:process { ptrace signal_perms };
ps_process_pattern($2, rssh_t)
allow $2 { rssh_ro_t rssh_rw_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { rssh_ro_t rssh_rw_t }:file { manage_file_perms relabel_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_role'($*)) dnl
')
########################################
##
## Execute rssh in the rssh domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rssh_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_spec_domtrans'($*)) dnl
gen_require(`
type rssh_t, rssh_exec_t;
')
corecmd_search_bin($1)
spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_spec_domtrans'($*)) dnl
')
########################################
##
## Execute the rssh program
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`rssh_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_exec'($*)) dnl
gen_require(`
type rssh_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rssh_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_exec'($*)) dnl
')
########################################
##
## Execute a domain transition to
## run rssh chroot helper.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rssh_domtrans_chroot_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_domtrans_chroot_helper'($*)) dnl
gen_require(`
type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_domtrans_chroot_helper'($*)) dnl
')
########################################
##
## Read users rssh read-only content.
##
##
##
## Domain allowed access.
##
##
#
define(`rssh_read_ro_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_read_ro_content'($*)) dnl
gen_require(`
type rssh_ro_t;
')
allow $1 rssh_ro_t:dir list_dir_perms;
allow $1 rssh_ro_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_read_ro_content'($*)) dnl
')
## Fast incremental file transfer for synchronization
#######################################
##
## Sendmail stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_stub'($*)) dnl
gen_require(`
type rsync_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_stub'($*)) dnl
')
########################################
##
## Make rsync an entry point for
## the specified domain.
##
##
##
## The domain for which init scripts are an entrypoint.
##
##
# cjp: added for portage
define(`rsync_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_entry_type'($*)) dnl
gen_require(`
type rsync_exec_t;
')
domain_entry_file($1, rsync_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_entry_type'($*)) dnl
')
########################################
##
## Execute a rsync in a specified domain.
##
##
##
## Execute a rsync in a specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Domain to transition to.
##
##
# cjp: added for portage
define(`rsync_entry_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_entry_spec_domtrans'($*)) dnl
gen_require(`
type rsync_exec_t;
')
domain_trans($1, rsync_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_entry_spec_domtrans'($*)) dnl
')
########################################
##
## Execute a rsync in a specified domain.
##
##
##
## Execute a rsync in a specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Domain to transition to.
##
##
# cjp: added for portage
define(`rsync_entry_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_entry_domtrans'($*)) dnl
gen_require(`
type rsync_exec_t;
')
domain_auto_trans($1, rsync_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_entry_domtrans'($*)) dnl
')
########################################
##
## Execute rsync in the caller domain domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rsync_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_exec'($*)) dnl
gen_require(`
type rsync_exec_t;
')
can_exec($1, rsync_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_exec'($*)) dnl
')
##
## Allow the specified domain to ioctl an
## rsync with a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_ioctl_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_ioctl_stream_sockets'($*)) dnl
gen_require(`
type rsync_t;
')
allow $1 rsync_t:unix_stream_socket ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_ioctl_stream_sockets'($*)) dnl
')
########################################
##
## Read rsync config files.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_read_config'($*)) dnl
gen_require(`
type rsync_etc_t;
')
read_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_read_config'($*)) dnl
')
########################################
##
## Read rsync data files.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_read_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_read_data'($*)) dnl
gen_require(`
type rsync_data_t;
')
read_files_pattern($1, rsync_data_t, rsync_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_read_data'($*)) dnl
')
########################################
##
## Read and write rsync unix_stream_sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_rw_unix_stream_sockets'($*)) dnl
gen_require(`
type rsync_t;
')
allow $1 rsync_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_rw_unix_stream_sockets'($*)) dnl
')
########################################
##
## Write to rsync config files.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_write_config'($*)) dnl
gen_require(`
type rsync_etc_t;
')
write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_write_config'($*)) dnl
')
########################################
##
## Manage rsync config files.
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_manage_config'($*)) dnl
gen_require(`
type rsync_etc_t;
')
manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_manage_config'($*)) dnl
')
########################################
##
## Create objects in etc directories
## with rsync etc type.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`rsync_etc_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_etc_filetrans_config'($*)) dnl
gen_require(`
type rsync_etc_t;
')
files_etc_filetrans($1, rsync_etc_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_etc_filetrans_config'($*)) dnl
')
########################################
##
## Transition to rsync named content
##
##
##
## Domain allowed access.
##
##
#
define(`rsync_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rsync_filetrans_named_content'($*)) dnl
gen_require(`
type rsync_etc_t;
type rsync_var_run_t;
')
files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.conf")
files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rsync_filetrans_named_content'($*)) dnl
')
## Platform diagnostics report firmware events.
########################################
##
## Execute rtas_errd in the rtas_errd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rtas_errd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_domtrans'($*)) dnl
gen_require(`
type rtas_errd_t, rtas_errd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_domtrans'($*)) dnl
')
########################################
##
## Read rtas_errd's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rtas_errd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_read_log'($*)) dnl
gen_require(`
type rtas_errd_log_t;
')
logging_search_logs($1)
read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_read_log'($*)) dnl
')
########################################
##
## Append to rtas_errd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`rtas_errd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_append_log'($*)) dnl
gen_require(`
type rtas_errd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_append_log'($*)) dnl
')
########################################
##
## Manage rtas_errd log files
##
##
##
## Domain allowed access.
##
##
#
define(`rtas_errd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_manage_log'($*)) dnl
gen_require(`
type rtas_errd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_manage_log'($*)) dnl
')
########################################
##
## Read rtas_errd's lock files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rtas_errd_read_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_read_lock'($*)) dnl
gen_require(`
type rtas_errd_var_lock_t;
')
logging_search_logs($1)
read_files_pattern($1, rtas_errd_var_lock_t, rtas_errd_var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_read_lock'($*)) dnl
')
########################################
##
## Read and Write rtas_errd's lock files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`rtas_errd_rw_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_rw_lock'($*)) dnl
gen_require(`
type rtas_errd_var_lock_t;
')
rw_files_pattern($1, rtas_errd_var_lock_t, rtas_errd_var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_rw_lock'($*)) dnl
')
########################################
##
## Read rtas_errd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`rtas_errd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_read_pid_files'($*)) dnl
gen_require(`
type rtas_errd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_read_pid_files'($*)) dnl
')
########################################
##
## Execute rtas_errd server in the rtas_errd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rtas_errd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_systemctl'($*)) dnl
gen_require(`
type rtas_errd_t;
type rtas_errd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 rtas_errd_unit_file_t:file read_file_perms;
allow $1 rtas_errd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rtas_errd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an rtas_errd environment
##
##
##
## Domain allowed access.
##
##
#
define(`rtas_errd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtas_errd_admin'($*)) dnl
gen_require(`
type rtas_errd_t;
type rtas_errd_log_t, rtas_errd_var_run_t;
type rtas_errd_unit_file_t;
')
allow $1 rtas_errd_t:process { ptrace signal_perms };
ps_process_pattern($1, rtas_errd_t)
logging_search_logs($1)
admin_pattern($1, rtas_errd_log_t)
files_search_pids($1)
admin_pattern($1, rtas_errd_var_run_t)
rtas_errd_systemctl($1)
admin_pattern($1, rtas_errd_unit_file_t)
allow $1 rtas_errd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtas_errd_admin'($*)) dnl
')
## Realtime scheduling for user processes.
########################################
##
## Execute a domain transition to run rtkit_daemon.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rtkit_daemon_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtkit_daemon_domtrans'($*)) dnl
gen_require(`
type rtkit_daemon_t, rtkit_daemon_exec_t;
')
domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtkit_daemon_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## rtkit_daemon over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`rtkit_daemon_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtkit_daemon_dbus_chat'($*)) dnl
gen_require(`
type rtkit_daemon_t;
class dbus send_msg;
')
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtkit_daemon_dbus_chat'($*)) dnl
')
########################################
##
## Do not audit send and receive messages from
## rtkit_daemon over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`rtkit_daemon_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtkit_daemon_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type rtkit_daemon_t;
class dbus send_msg;
')
dontaudit $1 rtkit_daemon_t:dbus send_msg;
dontaudit rtkit_daemon_t $1:dbus send_msg;
dontaudit rtkit_daemon_t $1:process { getsched setsched };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtkit_daemon_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Allow rtkit to control scheduling for your process
##
##
##
## Domain allowed access.
##
##
#
define(`rtkit_scheduled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rtkit_scheduled'($*)) dnl
gen_require(`
type rtkit_daemon_t;
')
allow rtkit_daemon_t $1:process { getsched setsched };
kernel_search_proc($1)
ps_process_pattern(rtkit_daemon_t, $1)
optional_policy(`
rtkit_daemon_dbus_chat($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rtkit_scheduled'($*)) dnl
')
## Who is logged in on other machines?
########################################
##
## Execute a domain transition to run rwho.
##
##
##
## Domain allowed to transition.
##
##
#
define(`rwho_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_domtrans'($*)) dnl
gen_require(`
type rwho_t, rwho_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rwho_exec_t, rwho_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_domtrans'($*)) dnl
')
########################################
##
## Search rwho log directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rwho_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_search_log'($*)) dnl
gen_require(`
type rwho_log_t;
')
logging_search_logs($1)
allow $1 rwho_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_search_log'($*)) dnl
')
########################################
##
## Read rwho log files.
##
##
##
## Domain allowed access.
##
##
#
define(`rwho_read_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_read_log_files'($*)) dnl
gen_require(`
type rwho_log_t;
')
logging_search_logs($1)
allow $1 rwho_log_t:dir list_dir_perms;
allow $1 rwho_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_read_log_files'($*)) dnl
')
########################################
##
## Search rwho spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`rwho_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_search_spool'($*)) dnl
gen_require(`
type rwho_spool_t;
')
files_search_spool($1)
allow $1 rwho_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_search_spool'($*)) dnl
')
########################################
##
## Read rwho spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`rwho_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_read_spool_files'($*)) dnl
gen_require(`
type rwho_spool_t;
')
files_search_spool($1)
read_files_pattern($1, rwho_spool_t, rwho_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_read_spool_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## rwho spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`rwho_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_manage_spool_files'($*)) dnl
gen_require(`
type rwho_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_manage_spool_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an rwho environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`rwho_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rwho_admin'($*)) dnl
gen_require(`
type rwho_t, rwho_log_t, rwho_spool_t;
type rwho_initrc_exec_t;
')
allow $1 rwho_t:process signal_perms;
ps_process_pattern($1, rwho_t)
tunable_policy(`deny_ptrace',`',`
allow $1 rwho_t:process ptrace;
')
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rwho_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, rwho_log_t)
files_list_spool($1)
admin_pattern($1, rwho_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rwho_admin'($*)) dnl
')
##
## SMB and CIFS client/server programs for UNIX and
## name Service Switch daemon for resolving names
## from Windows NT servers.
##
########################################
##
## Execute nmbd net in the nmbd_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_nmbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_nmbd'($*)) dnl
gen_require(`
type nmbd_t, nmbd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, nmbd_exec_t, nmbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_nmbd'($*)) dnl
')
#######################################
##
## Allow domain to signal samba
##
##
##
## Domain allowed access.
##
##
#
define(`samba_signal_nmbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signal_nmbd'($*)) dnl
gen_require(`
type nmbd_t;
')
allow $1 nmbd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signal_nmbd'($*)) dnl
')
########################################
##
## Search the samba pid directory.
##
##
##
## Domain to not audit.
##
##
#
define(`samba_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_search_pid'($*)) dnl
gen_require(`
type smbd_var_run_t;
')
files_search_pids($1)
allow $1 smbd_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_search_pid'($*)) dnl
')
########################################
##
## Connect to nmbd.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_stream_connect_nmbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_stream_connect_nmbd'($*)) dnl
gen_require(`
type nmbd_t, nmbd_var_run_t;
')
samba_search_pid($1)
stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_stream_connect_nmbd'($*)) dnl
')
########################################
##
## Execute samba server in the samba domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_initrc_domtrans'($*)) dnl
gen_require(`
type samba_initrc_exec_t;
')
init_labeled_script_domtrans($1, samba_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute samba server in the samba domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_systemctl'($*)) dnl
gen_require(`
type samba_unit_file_t;
type smbd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 samba_unit_file_t:file read_file_perms;
allow $1 samba_unit_file_t:service manage_service_perms;
ps_process_pattern($1, smbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_systemctl'($*)) dnl
')
#######################################
##
## Get samba services status
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_service_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_service_status'($*)) dnl
gen_require(`
type samba_unit_file_t;
')
allow $1 samba_unit_file_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_service_status'($*)) dnl
')
########################################
##
## Execute samba net in the samba_net domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_net'($*)) dnl
gen_require(`
type samba_net_t, samba_net_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, samba_net_exec_t, samba_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_net'($*)) dnl
')
########################################
##
## Execute samba net in the samba_unconfined_net domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_unconfined_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_unconfined_net'($*)) dnl
gen_require(`
type samba_unconfined_net_t, samba_net_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_unconfined_net'($*)) dnl
')
########################################
##
## Execute samba net in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_exec_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_exec_net'($*)) dnl
gen_require(`
type samba_net_exec_t;
')
corecmd_search_bin($1)
can_exec($1, samba_net_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_exec_net'($*)) dnl
')
########################################
##
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`samba_run_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_net'($*)) dnl
gen_require(`
type samba_net_t;
')
samba_domtrans_net($1)
role $2 types samba_net_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_net'($*)) dnl
')
#######################################
##
## The role for the samba module.
##
##
##
## The role to be allowed the samba_net domain.
##
##
##
#
define(`samba_role_notrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_role_notrans'($*)) dnl
gen_require(`
type smbd_t;
')
role $1 types smbd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_role_notrans'($*)) dnl
')
########################################
##
## Execute samba net in the samba_unconfined_net domain, and
## allow the specified role the samba_unconfined_net domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to be allowed the samba_unconfined_net domain.
##
##
##
#
define(`samba_run_unconfined_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_unconfined_net'($*)) dnl
gen_require(`
type samba_unconfined_net_t;
')
samba_domtrans_unconfined_net($1)
role $2 types samba_unconfined_net_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_unconfined_net'($*)) dnl
')
########################################
##
## Execute smbmount in the smbmount domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_smbmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbmount'($*)) dnl
gen_require(`
type smbmount_t, smbmount_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, smbmount_exec_t, smbmount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbmount'($*)) dnl
')
########################################
##
## Execute smbmount interactively and do
## a domain transition to the smbmount domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`samba_run_smbmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_smbmount'($*)) dnl
gen_require(`
type smbmount_t;
')
samba_domtrans_smbmount($1)
role $2 types smbmount_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_smbmount'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## samba configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`samba_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_config'($*)) dnl
gen_require(`
type samba_etc_t;
')
files_search_etc($1)
list_dirs_pattern($1, samba_etc_t, samba_etc_t)
read_files_pattern($1, samba_etc_t, samba_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## and write samba configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`samba_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_config'($*)) dnl
gen_require(`
type samba_etc_t;
')
files_search_etc($1)
rw_files_pattern($1, samba_etc_t, samba_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read
## and write samba configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`samba_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_config'($*)) dnl
gen_require(`
type samba_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
manage_files_pattern($1, samba_etc_t, samba_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_config'($*)) dnl
')
########################################
##
## Allow the specified domain to read samba's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`samba_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_log'($*)) dnl
gen_require(`
type samba_log_t;
')
logging_search_logs($1)
allow $1 samba_log_t:dir list_dir_perms;
read_files_pattern($1, samba_log_t, samba_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append to samba's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`samba_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_append_log'($*)) dnl
gen_require(`
type samba_log_t;
')
logging_search_logs($1)
allow $1 samba_log_t:dir list_dir_perms;
allow $1 samba_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_append_log'($*)) dnl
')
########################################
##
## Execute samba log in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_exec_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_exec_log'($*)) dnl
gen_require(`
type samba_log_t;
')
logging_search_logs($1)
can_exec($1, samba_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_exec_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read samba's secrets.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_read_secrets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_secrets'($*)) dnl
gen_require(`
type samba_secrets_t;
')
files_search_etc($1)
allow $1 samba_secrets_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_secrets'($*)) dnl
')
########################################
##
## Allow the specified domain to read samba's shares
##
##
##
## Domain allowed access.
##
##
#
define(`samba_read_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_share_files'($*)) dnl
gen_require(`
type samba_share_t;
')
allow $1 samba_share_t:filesystem getattr;
read_files_pattern($1, samba_share_t, samba_share_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_share_files'($*)) dnl
')
########################################
##
## Allow the specified domain to search
## samba /var directories.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_search_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_search_var'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_search_var'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read samba /var files.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_read_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_var_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write samba
## /var files.
##
##
##
## Domain to not audit.
##
##
#
define(`samba_dontaudit_write_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_dontaudit_write_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
dontaudit $1 samba_var_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_dontaudit_write_var_files'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read and write samba /var files.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_rw_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var($1)
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
allow $1 samba_var_t:file { map};
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_var_files'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read and write samba /var files.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_manage_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var_lib($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
manage_sock_files_pattern($1, samba_var_t, samba_var_t)
allow $1 samba_var_t:file { map };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_files'($*)) dnl
')
########################################
##
## Allow the specified domain to
## read and write samba /var directories.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_manage_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_dirs'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_var_lib($1)
files_search_var_lib($1)
manage_dirs_pattern($1, samba_var_t, samba_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_dirs'($*)) dnl
')
#####################################
##
## Manage samba var sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_manage_var_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_sock_files'($*)) dnl
gen_require(`
type samba_var_t;
')
files_search_pids($1)
manage_sock_files_pattern($1, samba_var_t, samba_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_sock_files'($*)) dnl
')
########################################
##
## Execute a domain transition to run smbcontrol.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_smbcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbcontrol'($*)) dnl
gen_require(`
type smbcontrol_t;
type smbcontrol_exec_t;
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbcontrol'($*)) dnl
')
########################################
##
## Execute smbcontrol in the smbcontrol domain, and
## allow the specified role the smbcontrol domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`samba_run_smbcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_smbcontrol'($*)) dnl
gen_require(`
type smbcontrol_t;
')
samba_domtrans_smbcontrol($1)
role $2 types smbcontrol_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_smbcontrol'($*)) dnl
')
########################################
##
## Execute smbd in the smbd_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_smbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbd'($*)) dnl
gen_require(`
type smbd_t, smbd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, smbd_exec_t, smbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbd'($*)) dnl
')
########################################
##
## Set attributes of samba_share directories.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_setattr_samba_share_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_setattr_samba_share_dirs'($*)) dnl
gen_require(`
type samba_share_t;
')
allow $1 samba_share_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_setattr_samba_share_dirs'($*)) dnl
')
######################################
##
## Allow domain to signal samba
##
##
##
## Domain allowed access.
##
##
#
define(`samba_signal_smbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signal_smbd'($*)) dnl
gen_require(`
type smbd_t;
')
allow $1 smbd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signal_smbd'($*)) dnl
')
######################################
##
## Allow domain to signull samba
##
##
##
## Domain allowed access.
##
##
#
define(`samba_signull_smbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signull_smbd'($*)) dnl
gen_require(`
type smbd_t;
')
allow $1 smbd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signull_smbd'($*)) dnl
')
########################################
##
## Do not audit attempts to use file descriptors from samba.
##
##
##
## Domain to not audit.
##
##
#
define(`samba_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_dontaudit_use_fds'($*)) dnl
gen_require(`
type smbd_t;
')
dontaudit $1 smbd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Allow the specified domain to write to smbmount tcp sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_write_smbmount_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_write_smbmount_tcp_sockets'($*)) dnl
gen_require(`
type smbmount_t;
')
allow $1 smbmount_t:tcp_socket write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_write_smbmount_tcp_sockets'($*)) dnl
')
########################################
##
## Allow the specified domain to read and write to smbmount tcp sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_rw_smbmount_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_smbmount_tcp_sockets'($*)) dnl
gen_require(`
type smbmount_t;
')
allow $1 smbmount_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_smbmount_tcp_sockets'($*)) dnl
')
#######################################
##
## Allow to getattr on winbind binary.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_getattr_winbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_getattr_winbind'($*)) dnl
gen_require(`
type winbind_exec_t;
')
allow $1 winbind_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_getattr_winbind'($*)) dnl
')
########################################
##
## Execute winbind_helper in the winbind_helper domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`samba_domtrans_winbind_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_winbind_helper'($*)) dnl
gen_require(`
type winbind_helper_t, winbind_helper_exec_t;
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
allow $1 winbind_helper_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_winbind_helper'($*)) dnl
')
########################################
##
## Execute winbind_helper in the winbind_helper domain, and
## allow the specified role the winbind_helper domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`samba_run_winbind_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_winbind_helper'($*)) dnl
gen_require(`
type winbind_helper_t;
')
samba_domtrans_winbind_helper($1)
role $2 types winbind_helper_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_winbind_helper'($*)) dnl
')
########################################
##
## Allow the specified domain to read the winbind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_read_winbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_winbind_pid'($*)) dnl
gen_require(`
type winbind_var_run_t;
')
samba_search_pid($1)
allow $1 winbind_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_winbind_pid'($*)) dnl
')
########################################
##
## Manage winbind PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_manage_winbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_winbind_pid'($*)) dnl
gen_require(`
type winbind_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_winbind_pid'($*)) dnl
')
######################################
##
## Allow domain to signull winbind
##
##
##
## Domain allowed access.
##
##
#
define(`samba_signull_winbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signull_winbind'($*)) dnl
gen_require(`
type winbind_t;
')
allow $1 winbind_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signull_winbind'($*)) dnl
')
######################################
##
## Allow domain to signull samba_unconfined_net
##
##
##
## Domain allowed access.
##
##
#
define(`samba_signull_unconfined_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signull_unconfined_net'($*)) dnl
gen_require(`
type samba_unconfined_net_t;
')
allow $1 samba_unconfined_net_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signull_unconfined_net'($*)) dnl
')
########################################
##
## Connect to winbind.
##
##
##
## Domain allowed access.
##
##
#
define(`samba_stream_connect_winbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_stream_connect_winbind'($*)) dnl
gen_require(`
type samba_var_t, winbind_t, winbind_var_run_t;
')
samba_search_pid($1)
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
samba_read_config($1)
ifndef(`distro_redhat',`
gen_require(`
type winbind_tmp_t;
')
# the default for the socket is (poorly named):
# /tmp/.winbindd/pipe
files_search_tmp($1)
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_stream_connect_winbind'($*)) dnl
')
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
define(`samba_helper_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_helper_template'($*)) dnl
gen_require(`
type smbd_t;
role system_r;
')
#This type is for samba helper scripts
type samba_$1_script_t;
domain_type(samba_$1_script_t)
role system_r types samba_$1_script_t;
# This type is used for executable scripts files
type samba_$1_script_exec_t;
corecmd_shell_entry_type(samba_$1_script_t)
domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
allow smbd_t samba_$1_script_exec_t:file ioctl;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_helper_template'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an samba environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the samba domain.
##
##
##
#
define(`samba_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_admin'($*)) dnl
gen_require(`
type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
type smbd_t, smbd_tmp_t, smbd_spool_t;
type samba_log_t, samba_var_t, samba_secrets_t;
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t;
type smbd_keytab_t, samba_unit_file_t;
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
')
allow $1 smbd_t:process signal_perms;
ps_process_pattern($1, smbd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 smbd_t:process ptrace;
allow $1 nmbd_t:process ptrace;
allow $1 samba_unconfined_script_t:process ptrace;
')
allow $1 nmbd_t:process signal_perms;
ps_process_pattern($1, nmbd_t)
allow $1 samba_unconfined_script_t:process signal_perms;
ps_process_pattern($1, samba_unconfined_script_t)
samba_run_smbcontrol($1, $2)
samba_run_winbind_helper($1, $2)
samba_run_smbmount($1, $2)
samba_run_net($1, $2)
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 samba_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
admin_pattern($1, samba_log_t)
logging_list_logs($1)
admin_pattern($1, samba_secrets_t)
admin_pattern($1, samba_share_t)
admin_pattern($1, samba_var_t)
files_list_var($1)
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
admin_pattern($1, smbd_tmp_t)
files_list_tmp($1)
admin_pattern($1, swat_var_run_t)
admin_pattern($1, swat_tmp_t)
admin_pattern($1, winbind_log_t)
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
admin_pattern($1, samba_unconfined_script_exec_t)
samba_systemctl($1)
admin_pattern($1, samba_unit_file_t)
allow $1 samba_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_admin'($*)) dnl
')
## system-config-samba dbus service.
## Check file integrity.
#######################################
##
## The template to define a samhain domain.
##
##
##
## Domain prefix to be used.
##
##
#
define(`samhain_service_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_service_template'($*)) dnl
gen_require(`
attribute samhain_domain;
type samhain_exec_t;
')
type $1_t;
domain_type($1_t)
domain_entry_file($1_t, samhain_exec_t)
files_read_all_files($1_t)
mls_file_write_all_levels($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_service_template'($*)) dnl
')
########################################
##
## Execute samhain in the samhain domain
##
##
##
## Domain allowed to transition.
##
##
#
define(`samhain_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_domtrans'($*)) dnl
gen_require(`
type samhain_t, samhain_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, samhain_exec_t, samhain_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_domtrans'($*)) dnl
')
########################################
##
## Execute samhain in the samhain
## domain with the clearance security
## level and allow the specifiled role
## the samhain domain.
##
##
##
## Execute samhain in the samhain
## domain with the clearance security
## level and allow the specifiled role
## the samhain domain.
##
##
## The range_transition rule used in
## this interface requires that the
## calling domain should have the
## clearance security level otherwise
## the MLS constraint for process
## transition would fail.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed to access.
##
##
##
#
define(`samhain_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_run'($*)) dnl
gen_require(`
attribute_role samhain_roles;
type samhain_exec_t;
')
samhain_domtrans($1)
roleattribute $2 samhain_roles;
ifdef(`enable_mls', `
range_transition $1 samhain_exec_t:process mls_systemhigh;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_run'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## samhain configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`samhain_manage_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_config_files'($*)) dnl
gen_require(`
type samhain_etc_t;
')
files_rw_etc_dirs($1)
allow $1 samhain_etc_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_config_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## samhain database files.
##
##
##
## Domain allowed access.
##
##
#
define(`samhain_manage_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_db_files'($*)) dnl
gen_require(`
type samhain_db_t;
')
files_search_var_lib($1)
manage_files_pattern($1, samhain_db_t, samhain_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_db_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## samhain init script files.
##
##
##
## Domain allowed access.
##
##
#
define(`samhain_manage_init_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_init_script_files'($*)) dnl
gen_require(`
type samhain_initrc_exec_t;
')
files_search_etc($1)
manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_init_script_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## samhain log and log.lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`samhain_manage_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_log_files'($*)) dnl
gen_require(`
type samhain_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, samhain_log_t, samhain_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_log_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## samhain pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`samhain_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_pid_files'($*)) dnl
gen_require(`
type samhain_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_pid_files'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate the samhain environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`samhain_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_admin'($*)) dnl
gen_require(`
attribute samhain_domain;
type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
')
allow $1 samhain_domain:process { ptrace signal_perms };
ps_process_pattern($1, samhain_domain)
# pending
# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
# domain_system_change_exemption($1)
# role_transition $2 samhain_initrc_exec_t system_r;
# allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, samhain_db_t)
files_list_etc($1)
admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t })
logging_list_logs($1)
admin_pattern($1, samhain_log_t)
files_list_pids($1)
admin_pattern($1, samhain_var_run_t)
# samhain_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_admin'($*)) dnl
')
## policy for sandbox
########################################
##
## Execute sandbox in the sandbox domain, and
## allow the specified role the sandbox domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the sandbox domain.
##
##
#
define(`sandbox_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_transition'($*)) dnl
gen_require(`
attribute sandbox_domain;
')
sandbox_dyntransition($1) #885288
allow $1 sandbox_domain:process transition;
dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
role $2 types sandbox_domain;
allow sandbox_domain $1:process { sigchld signull };
allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
dontaudit sandbox_domain $1:process signal;
dontaudit sandbox_domain $1:key { link read search view };
dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_transition'($*)) dnl
')
########################################
##
## Execute sandbox in the sandbox domain, and
## allow the specified role the sandbox domain.
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_dyntransition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_dyntransition'($*)) dnl
gen_require(`
attribute sandbox_domain;
')
allow $1 sandbox_domain:process dyntransition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_dyntransition'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## sandbox process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`sandbox_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_domain_template'($*)) dnl
gen_require(`
attribute sandbox_domain;
')
type $1_t, sandbox_domain;
application_type($1_t)
# this is to satisfy the assertion:
dev_raw_memory_reader($1_t)
dev_raw_memory_writer($1_t)
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
# this is to satisfy the assertion:
storage_rw_inherited_fixed_disk_dev($1_t)
storage_rw_inherited_scsi_generic($1_t)
# this is to satisfy the assertion:
auth_reader_shadow($1_t)
auth_writer_shadow($1_t)
#optional_policy(`
# unconfined_typebounds($1_t)
#')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_domain_template'($*)) dnl
')
## policy for sandboxX
########################################
##
## Execute sandbox in the sandbox domain, and
## allow the specified role the sandbox domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the sandbox domain.
##
##
#
define(`sandbox_x_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_x_transition'($*)) dnl
gen_require(`
type sandbox_xserver_t;
type sandbox_file_t;
attribute sandbox_x_domain;
attribute sandbox_tmpfs_type;
')
allow $1 sandbox_x_domain:process { signal_perms transition };
allow $1 sandbox_x_domain:process dyntransition;
dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
allow sandbox_x_domain $1:process { sigchld signull };
allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
role $2 types sandbox_x_domain;
role $2 types sandbox_xserver_t;
allow $1 sandbox_xserver_t:process signal_perms;
dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
dontaudit sandbox_xserver_t $1:file read;
allow sandbox_x_domain sandbox_x_domain:process signal;
# Dontaudit leaked file descriptors
dontaudit sandbox_x_domain $1:key { link read search view };
dontaudit sandbox_x_domain $1:fifo_file { read write };
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:process { signal sigkill };
allow $1 sandbox_tmpfs_type:file manage_file_perms;
dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
can_exec($1, sandbox_file_t)
allow $1 sandbox_file_t:filesystem getattr;
manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_x_transition'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## sandbox process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`sandbox_x_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_x_domain_template'($*)) dnl
gen_require(`
type xserver_exec_t, sandbox_devpts_t;
type sandbox_xserver_t;
type sandbox_exec_t;
attribute sandbox_x_domain;
attribute sandbox_tmpfs_type;
attribute sandbox_type;
attribute sandbox_web_type;
')
type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
application_type($1_t)
mcs_constrained($1_t)
kernel_read_system_state($1_t)
selinux_get_fs_mount($1_t)
auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
# window manager
miscfiles_setattr_fonts_cache_dirs($1_t)
allow $1_t self:capability setuid;
type $1_client_t, sandbox_x_domain;
application_type($1_client_t)
kernel_read_system_state($1_client_t)
mcs_constrained($1_t)
type $1_client_tmpfs_t, sandbox_tmpfs_type;
files_tmpfs_file($1_client_tmpfs_t)
manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
# Pulseaudio tmpfs files with different MCS labels
dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
dontaudit $1_t $1_client_tmpfs_t:file { read write map };
allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
allow $1_client_t $1_client_tmpfs_t:file { map };
domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
allow $1_t sandbox_xserver_t:process signal_perms;
domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
domain_entry_file($1_client_t, sandbox_exec_t)
allow $1_client_t $1_t:shm { unix_read unix_write };
ps_process_pattern(sandbox_xserver_t, $1_client_t)
ps_process_pattern(sandbox_xserver_t, $1_t)
allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
allow sandbox_xserver_t $1_t:shm rw_shm_perms;
allow $1_client_t $1_t:unix_stream_socket connectto;
allow $1_t $1_client_t:unix_stream_socket connectto;
#optional_policy(`
# unconfined_typebounds($1_t)
# unconfined_typebounds($1_client_t)
#')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_x_domain_template'($*)) dnl
')
########################################
##
## allow domain to read,
## write sandbox_xserver tmp files
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_rw_xserver_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_rw_xserver_tmpfs_files'($*)) dnl
gen_require(`
type sandbox_xserver_tmpfs_t;
')
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_rw_xserver_tmpfs_files'($*)) dnl
')
########################################
##
## allow domain to read
## sandbox tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_read_tmpfs_files'($*)) dnl
gen_require(`
attribute sandbox_tmpfs_type;
')
allow $1 sandbox_tmpfs_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_read_tmpfs_files'($*)) dnl
')
########################################
##
## allow domain to manage
## sandbox tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_manage_tmpfs_files'($*)) dnl
gen_require(`
attribute sandbox_tmpfs_type;
')
allow $1 sandbox_tmpfs_type:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_manage_tmpfs_files'($*)) dnl
')
########################################
##
## Delete sandbox files
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_delete_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_files'($*)) dnl
gen_require(`
type sandbox_file_t;
')
delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_files'($*)) dnl
')
########################################
##
## Manage sandbox content
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_manage_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_manage_content'($*)) dnl
gen_require(`
type sandbox_file_t;
')
allow $1 sandbox_file_t:filesystem getattr;
manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_manage_content'($*)) dnl
')
########################################
##
## Delete sandbox symbolic links
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_delete_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_lnk_files'($*)) dnl
gen_require(`
type sandbox_file_t;
')
delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_lnk_files'($*)) dnl
')
########################################
##
## Delete sandbox fifo files
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_delete_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_pipes'($*)) dnl
gen_require(`
type sandbox_file_t;
')
delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_pipes'($*)) dnl
')
########################################
##
## Delete sandbox sock files
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_delete_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_sock_files'($*)) dnl
gen_require(`
type sandbox_file_t;
')
delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_sock_files'($*)) dnl
')
########################################
##
## Allow domain to set the attributes
## of the sandbox directory.
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_setattr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_setattr_dirs'($*)) dnl
gen_require(`
type sandbox_file_t;
')
allow $1 sandbox_file_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_setattr_dirs'($*)) dnl
')
########################################
##
## Delete sandbox directories
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_delete_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_dirs'($*)) dnl
gen_require(`
type sandbox_file_t;
')
delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_dirs'($*)) dnl
')
########################################
##
## allow domain to list sandbox dirs
##
##
##
## Domain allowed access
##
##
#
define(`sandbox_list',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_list'($*)) dnl
gen_require(`
type sandbox_file_t;
')
allow $1 sandbox_file_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_list'($*)) dnl
')
########################################
##
## Read and write a sandbox domain pty.
##
##
##
## Domain allowed access.
##
##
#
define(`sandbox_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_use_ptys'($*)) dnl
gen_require(`
type sandbox_devpts_t;
')
allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_use_ptys'($*)) dnl
')
#######################################
##
## Allow domain to execute sandbox_file_t in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sandbox_exec_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_exec_file'($*)) dnl
gen_require(`
type sandbox_file_t;
')
can_exec($1, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_exec_file'($*)) dnl
')
######################################
##
## Allow domain to execute sandbox_file_t in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sandbox_dontaudit_mounton',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_dontaudit_mounton'($*)) dnl
gen_require(`
type sandbox_file_t;
')
dontaudit $1 sandbox_file_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_dontaudit_mounton'($*)) dnl
')
## Sanlock - lock manager built on shared storage.
########################################
##
## Execute a domain transition to run sanlock.
##
##
##
## Domain allowed access.
##
##
#
define(`sanlock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_domtrans'($*)) dnl
gen_require(`
type sanlock_t, sanlock_exec_t;
')
domtrans_pattern($1, sanlock_exec_t, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_domtrans'($*)) dnl
')
########################################
##
## Execute sanlock server in the sanlock domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`sanlock_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_initrc_domtrans'($*)) dnl
gen_require(`
type sanlock_initrc_exec_t;
')
init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_initrc_domtrans'($*)) dnl
')
######################################
##
## Create, read, write, and delete sanlock PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`sanlock_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_manage_pid_files'($*)) dnl
gen_require(`
type sanlock_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_manage_pid_files'($*)) dnl
')
########################################
##
## Connect to sanlock over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`sanlock_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_stream_connect'($*)) dnl
gen_require(`
type sanlock_t, sanlock_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_stream_connect'($*)) dnl
')
########################################
##
## Execute virt server in the virt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sanlock_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_systemctl'($*)) dnl
gen_require(`
type sanlock_unit_file_t;
type sanlock_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 sanlock_unit_file_t:file read_file_perms;
allow $1 sanlock_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sanlock environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sanlock_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_admin'($*)) dnl
gen_require(`
type sanlock_t;
type sanlock_initrc_exec_t;
type sanlock_unit_file_t;
')
allow $1 sanlock_t:process signal_perms;
ps_process_pattern($1, sanlock_t)
tunable_policy(`deny_ptrace',`',`
allow $1 sanlock_t:process ptrace;
')
sanlock_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sanlock_initrc_exec_t system_r;
allow $2 system_r;
virt_systemctl($1)
admin_pattern($1, sanlock_unit_file_t)
allow $1 sanlock_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_admin'($*)) dnl
')
########################################
##
## Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sanlock_domtrans_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_domtrans_sanlk_resetd'($*)) dnl
gen_require(`
type sanlk_resetd_t, sanlk_resetd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_domtrans_sanlk_resetd'($*)) dnl
')
######################################
##
## Execute sanlk_resetd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sanlock_exec_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_exec_sanlk_resetd'($*)) dnl
gen_require(`
type sanlk_resetd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, sanlk_resetd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_exec_sanlk_resetd'($*)) dnl
')
########################################
##
## Execute sanlk_resetd server in the sanlk_resetd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sanlock_systemctl_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_systemctl_sanlk_resetd'($*)) dnl
gen_require(`
type sanlk_resetd_t;
type sanlk_resetd_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 sanlk_resetd_unit_file_t:file read_file_perms;
allow $1 sanlk_resetd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sanlk_resetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_systemctl_sanlk_resetd'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sanlk_resetd environment
##
##
##
## Domain allowed access.
##
##
#
define(`sanlock_admin_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_admin_sanlk_resetd'($*)) dnl
gen_require(`
type sanlk_resetd_t;
type sanlk_resetd_unit_file_t;
type sanlk_resetd_unit_file_t;
')
allow $1 sanlk_resetd_t:process { signal_perms };
ps_process_pattern($1, sanlk_resetd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 sanlk_resetd_t:process ptrace;
')
files_search_pids($1)
sanlock_systemctl_sanlk_resetd($1)
admin_pattern($1, sanlk_resetd_unit_file_t)
allow $1 sanlk_resetd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_admin_sanlk_resetd'($*)) dnl
')
########################################
##
## Read sanlock process state files.
##
##
##
## Domain allowed access.
##
##
#
define(`sanlock_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_read_state'($*)) dnl
gen_require(`
type sanlock_t;
')
ps_process_pattern($1, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_read_state'($*)) dnl
')
## SASL authentication server
########################################
##
## Connect to SASL.
##
##
##
## Domain allowed access.
##
##
#
define(`sasl_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sasl_connect'($*)) dnl
gen_require(`
type saslauthd_t, saslauthd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sasl_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sasl environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sasl_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sasl_admin'($*)) dnl
gen_require(`
type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
type saslauthd_keytab_t;
')
allow $1 saslauthd_t:process signal_perms;
ps_process_pattern($1, saslauthd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 saslauthd_t:process ptrace;
')
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 saslauthd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, saslauthd_keytab_t)
files_list_pids($1)
admin_pattern($1, saslauthd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sasl_admin'($*)) dnl
')
## policy for sbd
########################################
##
## Execute sbd_exec_t in the sbd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sbd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_domtrans'($*)) dnl
gen_require(`
type sbd_t, sbd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sbd_exec_t, sbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_domtrans'($*)) dnl
')
######################################
##
## Execute sbd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sbd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_exec'($*)) dnl
gen_require(`
type sbd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, sbd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_exec'($*)) dnl
')
########################################
##
## Read sbd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`sbd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_read_pid_files'($*)) dnl
gen_require(`
type sbd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, sbd_var_run_t, sbd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_read_pid_files'($*)) dnl
')
########################################
##
## Execute sbd server in the sbd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sbd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_systemctl'($*)) dnl
gen_require(`
type sbd_t;
type sbd_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 sbd_unit_file_t:file read_file_perms;
allow $1 sbd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sbd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sbd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_admin'($*)) dnl
gen_require(`
type sbd_t;
type sbd_var_run_t;
type sbd_unit_file_t;
')
allow $1 sbd_t:process { signal_perms };
ps_process_pattern($1, sbd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 sbd_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, sbd_var_run_t)
sbd_systemctl($1)
admin_pattern($1, sbd_unit_file_t)
allow $1 sbd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_admin'($*)) dnl
')
## Standards Based Linux Instrumentation for Manageability.
######################################
##
## Creates types and rules for a basic
## sblim daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`sblim_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_domain_template'($*)) dnl
gen_require(`
attribute sblim_domain;
')
type sblim_$1_t, sblim_domain;
type sblim_$1_exec_t;
init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
kernel_read_system_state(sblim_$1_t)
corenet_all_recvfrom_unlabeled(sblim_$1_t)
corenet_all_recvfrom_netlabel(sblim_$1_t)
logging_send_syslog_msg(sblim_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_domain_template'($*)) dnl
')
########################################
##
## Transition to gatherd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sblim_domtrans_gatherd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_domtrans_gatherd'($*)) dnl
gen_require(`
type sblim_gatherd_t, sblim_gatherd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_domtrans_gatherd'($*)) dnl
')
########################################
##
## Read gatherd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`sblim_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_read_pid_files'($*)) dnl
gen_require(`
type sblim_var_run_t;
')
files_search_pids($1)
allow $1 sblim_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_read_pid_files'($*)) dnl
')
########################################
##
## Transition to sblim named content
##
##
##
## Domain allowed access.
##
##
#
define(`sblim_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_filetrans_named_content'($*)) dnl
gen_require(`
type sblim_var_run_t;
')
files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_filetrans_named_content'($*)) dnl
')
########################################
##
## Connect to sblim_sfcb over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`sblim_stream_connect_sfcbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_stream_connect_sfcbd'($*)) dnl
gen_require(`
type sblim_sfcb_t, sblim_var_lib_t;
type sblim_tmp_t;
')
files_search_pids($1)
stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_stream_connect_sfcbd'($*)) dnl
')
#######################################
##
## Getattr on sblim executable.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sblim_getattr_exec_sfcbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_getattr_exec_sfcbd'($*)) dnl
gen_require(`
type sblim_sfcbd_exec_t;
')
allow $1 sblim_sfcbd_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_getattr_exec_sfcbd'($*)) dnl
')
########################################
##
## Connect to sblim_sfcb over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`sblim_stream_connect_sfcb',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_stream_connect_sfcb'($*)) dnl
gen_require(`
type sblim_sfcb_t, sblim_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_stream_connect_sfcb'($*)) dnl
')
#######################################
##
## Allow read and write access to sblim semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`sblim_rw_semaphores_sfcbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_rw_semaphores_sfcbd'($*)) dnl
gen_require(`
type sblim_sfcbd_t;
')
allow $1 sblim_sfcbd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_rw_semaphores_sfcbd'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an gatherd environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`sblim_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_admin'($*)) dnl
gen_require(`
type sblim_gatherd_t;
type sblim_reposd_t;
type sblim_var_run_t;
')
allow $1 sblim_gatherd_t:process signal_perms;
ps_process_pattern($1, sblim_gatherd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 sblim_gatherd_t:process ptrace;
allow $1 sblim_reposd_t:process ptrace;
')
allow $1 sblim_reposd_t:process signal_perms;
ps_process_pattern($1, sblim_reposd_t)
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_admin'($*)) dnl
')
## GNU terminal multiplexer
#######################################
##
## The role template for the screen module.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`screen_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `screen_role_template'($*)) dnl
gen_require(`
type screen_exec_t, screen_tmp_t;
type screen_home_t, screen_var_run_t;
attribute screen_domain;
')
########################################
#
# Declarations
#
type $1_screen_t, screen_domain;
application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
ubac_constrained($1_screen_t)
role $2 types $1_screen_t;
tunable_policy(`deny_ptrace',`',`
allow $3 $1_screen_t:process ptrace;
')
userdom_list_user_home_dirs($1_screen_t)
userdom_home_reader($1_screen_t)
domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
dontaudit $3 $1_screen_t:unix_stream_socket { ioctl read write };
allow $1_screen_t $3:unix_stream_socket { connectto };
allow $1_screen_t $3:process signal;
allow $3 screen_exec_t:file entrypoint;
ps_process_pattern($1_screen_t, $3)
manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
manage_files_pattern($3, screen_home_t, screen_home_t)
manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_sock_files_pattern($3, screen_home_t, screen_home_t)
relabel_dirs_pattern($3, screen_home_t, screen_home_t)
relabel_files_pattern($3, screen_home_t, screen_home_t)
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
relabel_sock_files_pattern($3, screen_home_t, screen_home_t)
userdom_user_home_content_filetrans($1_screen_t, screen_home_t, dir, ".screen")
userdom_user_home_content_filetrans($1_screen_t, screen_home_t, file, ".screenrc")
userdom_user_home_content_filetrans($1_screen_t, screen_home_t, file, ".tmux.conf")
userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_sock_files_pattern($3, screen_var_run_t, screen_var_run_t)
kernel_read_system_state($1_screen_t)
# Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t, $3)
corecmd_bin_domtrans($1_screen_t, $3)
auth_domtrans_chk_passwd($1_screen_t)
auth_domtrans_utempter($1_screen_t)
auth_use_nsswitch($1_screen_t)
logging_send_syslog_msg($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
userdom_manage_tmp_role($2, $1_screen_t)
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
')
tunable_policy(`use_nfs_home_dirs',`
fs_nfs_domtrans($1_screen_t, $3)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `screen_role_template'($*)) dnl
')
#######################################
##
## Execute the rssh program
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`screen_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `screen_exec'($*)) dnl
gen_require(`
type screen_exec_t;
')
can_exec($1, screen_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `screen_exec'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the screen domain.
##
##
##
## Domain allowed access.
##
##
#
define(`screen_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `screen_sigchld'($*)) dnl
gen_require(`
attribute screen_domain;
')
allow $1 screen_domain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `screen_sigchld'($*)) dnl
')
## Sectool security audit tool
## Policy for sendmail.
########################################
##
## Sendmail stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_stub'($*)) dnl
gen_require(`
type sendmail_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_stub'($*)) dnl
')
########################################
##
## Allow attempts to read and write to
## sendmail unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_pipes'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_pipes'($*)) dnl
')
########################################
##
## Domain transition to sendmail.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sendmail_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_domtrans'($*)) dnl
gen_require(`
type sendmail_t;
')
mta_sendmail_domtrans($1, sendmail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_domtrans'($*)) dnl
')
#######################################
##
## Execute sendmail in the sendmail domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_initrc_domtrans'($*)) dnl
gen_require(`
type sendmail_initrc_exec_t;
')
init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute the sendmail program in the sendmail domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the sendmail domain.
##
##
##
#
define(`sendmail_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_run'($*)) dnl
gen_require(`
attribute_role sendmail_roles;
')
sendmail_domtrans($1)
roleattribute $2 sendmail_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_run'($*)) dnl
')
########################################
##
## Send generic signals to sendmail.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_signal'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_signal'($*)) dnl
')
########################################
##
## Execute sendmail in the sendmail_unconfined domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sendmail_domtrans_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_domtrans_unconfined'($*)) dnl
gen_require(`
type unconfined_sendmail_t, sendmail_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_domtrans_unconfined'($*)) dnl
')
#######################################
##
## Execute sendmail in the unconfined
## sendmail domain, and allow the
## specified role the unconfined
## sendmail domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sendmail_run_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_run_unconfined'($*)) dnl
gen_require(`
attribute_role sendmail_unconfined_roles;
')
sendmail_domtrans_unconfined($1)
roleattribute $2 sendmail_unconfined_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_run_unconfined'($*)) dnl
')
########################################
##
## Read and write sendmail TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_tcp_sockets'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## sendmail TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`sendmail_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type sendmail_t;
')
dontaudit $1 sendmail_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Read and write sendmail unix_stream_sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_unix_stream_sockets'($*)) dnl
gen_require(`
type sendmail_t;
')
allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_unix_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## sendmail unix_stream_sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`sendmail_dontaudit_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_dontaudit_rw_unix_stream_sockets'($*)) dnl
gen_require(`
type sendmail_t;
')
dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_dontaudit_rw_unix_stream_sockets'($*)) dnl
')
########################################
##
## Read sendmail logs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sendmail_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_read_log'($*)) dnl
gen_require(`
type sendmail_log_t;
')
logging_search_logs($1)
read_files_pattern($1, sendmail_log_t, sendmail_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_read_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete sendmail logs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sendmail_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_manage_log'($*)) dnl
gen_require(`
type sendmail_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, sendmail_log_t, sendmail_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_manage_log'($*)) dnl
')
########################################
##
## Create sendmail logs with the correct type.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_create_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_create_log'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_create_log'($*)) dnl
')
########################################
##
## Create specified objects in generic
## log directories sendmail log file type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`sendmail_log_filetrans_sendmail_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_log_filetrans_sendmail_log'($*)) dnl
gen_require(`
type sendmail_log_t;
')
logging_log_filetrans($1, sendmail_log_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_log_filetrans_sendmail_log'($*)) dnl
')
########################################
##
## Manage sendmail tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_manage_tmp_files'($*)) dnl
gen_require(`
type sendmail_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_manage_tmp_files'($*)) dnl
')
########################################
##
## Set the attributes of sendmail pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`sendmail_setattr_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_setattr_pid_files'($*)) dnl
gen_require(`
type sendmail_var_run_t;
')
allow $1 sendmail_var_run_t:file setattr_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_setattr_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sendmail environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sendmail_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_admin'($*)) dnl
gen_require(`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
type sendmail_keytab_t;
type mail_spool_t;
')
allow $1 sendmail_t:process signal_perms;
ps_process_pattern($1, sendmail_t)
tunable_policy(`deny_ptrace',`',`
allow $1 sendmail_t:process ptrace;
')
sendmail_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
files_list_etc($1)
admin_pattern($1, sendmail_keytab_t)
logging_list_logs($1)
admin_pattern($1, sendmail_log_t)
files_list_tmp($1)
admin_pattern($1, sendmail_tmp_t)
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
files_list_spool($1)
admin_pattern($1, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_admin'($*)) dnl
')
## Sensor information logging daemon
########################################
##
## Execute sensord in the sensord domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sensord_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sensord_domtrans'($*)) dnl
gen_require(`
type sensord_t, sensord_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sensord_exec_t, sensord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sensord_domtrans'($*)) dnl
')
########################################
##
## Execute sensord server in the sensord domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sensord_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sensord_systemctl'($*)) dnl
gen_require(`
type sensord_t;
type sensord_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 sensord_unit_file_t:file read_file_perms;
allow $1 sensord_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sensord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sensord_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sensord environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`sensord_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sensord_admin'($*)) dnl
gen_require(`
type sensord_t;
type sensord_unit_file_t;
type sensord_log_t;
type sensord_var_run_t;
')
allow $1 sensord_t:process { ptrace signal_perms };
ps_process_pattern($1, sensord_t)
sensord_systemctl($1)
admin_pattern($1, sensord_unit_file_t)
allow $1 sensord_unit_file_t:service all_service_perms;
admin_pattern($1, sensord_log_t)
admin_pattern($1, sensord_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sensord_admin'($*)) dnl
')
## SELinux troubleshooting service
########################################
##
## Connect to setroubleshootd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`setroubleshoot_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_stream_connect'($*)) dnl
gen_require(`
type setroubleshootd_t, setroubleshoot_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
allow $1 setroubleshoot_var_run_t:sock_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_stream_connect'($*)) dnl
')
########################################
##
## Dontaudit attempts to connect to setroubleshootd
## over a unix stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`setroubleshoot_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dontaudit_stream_connect'($*)) dnl
gen_require(`
type setroubleshootd_t, setroubleshoot_var_run_t;
')
dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dontaudit_stream_connect'($*)) dnl
')
#######################################
##
## Send null signals to setroubleshoot.
##
##
##
## Domain allowed access.
##
##
#
define(`setroubleshoot_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_signull'($*)) dnl
gen_require(`
type setroubleshootd_t;
')
allow $1 setroubleshootd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_signull'($*)) dnl
')
########################################
##
## Send and receive messages from
## setroubleshoot over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`setroubleshoot_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dbus_chat'($*)) dnl
gen_require(`
type setroubleshootd_t;
class dbus send_msg;
')
allow $1 setroubleshootd_t:dbus send_msg;
allow setroubleshootd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dbus_chat'($*)) dnl
')
########################################
##
## Do not audit send and receive messages from
## setroubleshoot over dbus.
##
##
##
## Domain to not audit.
##
##
#
define(`setroubleshoot_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type setroubleshootd_t;
class dbus send_msg;
')
dontaudit $1 setroubleshootd_t:dbus send_msg;
dontaudit setroubleshootd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## setroubleshoot fixit over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`setroubleshoot_dbus_chat_fixit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dbus_chat_fixit'($*)) dnl
gen_require(`
type setroubleshoot_fixit_t;
class dbus send_msg;
')
allow $1 setroubleshoot_fixit_t:dbus send_msg;
allow setroubleshoot_fixit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dbus_chat_fixit'($*)) dnl
')
########################################
##
## Dontaudit read/write to a setroubleshoot leaked sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`setroubleshoot_fixit_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_fixit_dontaudit_leaks'($*)) dnl
gen_require(`
type setroubleshoot_fixit_t;
')
dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_fixit_dontaudit_leaks'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an setroubleshoot environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`setroubleshoot_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_admin'($*)) dnl
gen_require(`
type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
type setroubleshoot_var_lib_t;
')
allow $1 setroubleshootd_t:process signal_perms;
ps_process_pattern($1, setroubleshootd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 setroubleshootd_t:process ptrace;
')
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
files_list_pids($1)
admin_pattern($1, setroubleshoot_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_admin'($*)) dnl
')
## Policy for gridengine MPI jobs
######################################
##
## Creates types and rules for a basic
## sge domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`sge_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sge_basic_types_template'($*)) dnl
gen_require(`
attribute sge_domain;
')
type $1_t, sge_domain;
type $1_exec_t;
kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sge_basic_types_template'($*)) dnl
')
########################################
##
## read/write sge_shepherd per tcp_socket
##
##
##
## Domain allowed access.
##
##
#
define(`sge_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sge_rw_tcp_sockets'($*)) dnl
gen_require(`
type sge_shepherd_t;
type sge_job_ssh_t;
')
allow $1 sge_shepherd_t:tcp_socket rw_socket_perms;
allow $1 sge_job_ssh_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sge_rw_tcp_sockets'($*)) dnl
')
## Shoreline Firewall high-level tool for configuring netfilter
########################################
##
## Execute a domain transition to run shorewall.
##
##
##
## Domain allowed to transition.
##
##
#
define(`shorewall_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_domtrans'($*)) dnl
gen_require(`
type shorewall_t, shorewall_exec_t;
')
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_domtrans'($*)) dnl
')
######################################
##
## Execute a domain transition to run shorewall.
##
##
##
## Domain allowed to transition.
##
##
#
define(`shorewall_lib_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_lib_domtrans'($*)) dnl
gen_require(`
type shorewall_t, shorewall_var_lib_t;
')
domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_lib_domtrans'($*)) dnl
')
#######################################
##
## Read shorewall etc configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`shorewall_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_read_config'($*)) dnl
gen_require(`
type shorewall_etc_t;
')
files_search_etc($1)
read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_read_config'($*)) dnl
')
######################################
##
## Read shorewall /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`shorewall_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_read_lib_files'($*)) dnl
gen_require(`
type shorewall_var_lib_t;
')
files_search_var_lib($1)
search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_read_lib_files'($*)) dnl
')
#######################################
##
## Read and write shorewall /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`shorewall_rw_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_rw_lib_files'($*)) dnl
gen_require(`
type shorewall_var_lib_t;
')
files_search_var_lib($1)
search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_rw_lib_files'($*)) dnl
')
#######################################
##
## Read shorewall tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`shorewall_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_read_tmp_files'($*)) dnl
gen_require(`
type shorewall_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_read_tmp_files'($*)) dnl
')
#######################################
##
## All of the rules required to administrate
## an shorewall environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the syslog domain.
##
##
##
#
define(`shorewall_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_admin'($*)) dnl
gen_require(`
type shorewall_t, shorewall_lock_t;
type shorewall_log_t;
type shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t, shorewall_etc_t;
')
allow $1 shorewall_t:process signal_perms;
ps_process_pattern($1, shorewall_t)
tunable_policy(`deny_ptrace',`',`
allow $1 shorewall_t:process ptrace;
')
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 shorewall_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, shorewall_etc_t)
files_list_locks($1)
admin_pattern($1, shorewall_lock_t)
logging_list_logs($1)
admin_pattern($1, shorewall_log_t)
files_list_var_lib($1)
admin_pattern($1, shorewall_var_lib_t)
files_list_tmp($1)
admin_pattern($1, shorewall_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_admin'($*)) dnl
')
## System shutdown command
########################################
##
## Execute a domain transition to run shutdown.
##
##
##
## Domain allowed to transition.
##
##
#
define(`shutdown_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_domtrans'($*)) dnl
gen_require(`
type shutdown_t, shutdown_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
init_reboot($1)
init_halt($1)
optional_policy(`
systemd_exec_systemctl($1)
init_reload_services($1)
init_stream_connect($1)
systemd_login_reboot($1)
systemd_login_halt($1)
')
ifdef(`hide_broken_symptoms', `
dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_domtrans'($*)) dnl
')
########################################
##
## Execute shutdown in the shutdown domain, and
## allow the specified role the shutdown domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`shutdown_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_run'($*)) dnl
gen_require(`
type shutdown_t;
attribute_role shutdown_roles;
')
shutdown_domtrans($1)
roleattribute $2 shutdown_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_run'($*)) dnl
')
########################################
##
## Role access for shutdown
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`shutdown_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_role'($*)) dnl
gen_require(`
type shutdown_t;
')
shutdown_run($2, $1)
allow $2 shutdown_t:process { ptrace signal_perms };
ps_process_pattern($2, shutdown_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_role'($*)) dnl
')
########################################
##
## Recieve sigchld from shutdown
##
##
##
## Domain allowed access
##
##
#
define(`shutdown_send_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_send_sigchld'($*)) dnl
gen_require(`
type shutdown_t;
')
allow shutdown_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_send_sigchld'($*)) dnl
')
########################################
##
## Send and receive messages from
## shutdown over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`shutdown_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_dbus_chat'($*)) dnl
gen_require(`
type shutdown_t;
class dbus send_msg;
')
allow $1 shutdown_t:dbus send_msg;
allow shutdown_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_dbus_chat'($*)) dnl
')
########################################
##
## Get attributes of shutdown executable.
##
##
##
## Domain allowed access.
##
##
#
define(`shutdown_getattr_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_getattr_exec_files'($*)) dnl
gen_require(`
type shutdown_exec_t;
')
corecmd_search_bin($1)
allow $1 shutdown_exec_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_getattr_exec_files'($*)) dnl
')
## Update database for mlocate.
########################################
##
## Create the locate log with append mode.
##
##
##
## Domain allowed access.
##
##
#
define(`slocate_create_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slocate_create_append_log'($*)) dnl
refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slocate_create_append_log'($*)) dnl
')
########################################
##
## Read locate lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`locate_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locate_read_lib_files'($*)) dnl
gen_require(`
type locate_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
allow $1 locate_var_lib_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locate_read_lib_files'($*)) dnl
')
## OpenSLP server daemon to dynamically register services.
########################################
##
## Transition to slpd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`slpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slpd_domtrans'($*)) dnl
gen_require(`
type slpd_t, slpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, slpd_exec_t, slpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slpd_domtrans'($*)) dnl
')
########################################
##
## Execute slpd server in the slpd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`slpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slpd_initrc_domtrans'($*)) dnl
gen_require(`
type slpd_initrc_exec_t;
')
init_labeled_script_domtrans($1, slpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slpd_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an slpd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`slpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slpd_admin'($*)) dnl
gen_require(`
type slpd_t, slpd_initrc_exec_t, slpd_log_t;
type slpd_var_run_t;
')
allow $1 slpd_t:process { ptrace signal_perms };
ps_process_pattern($1, slpd_t)
slpd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 slpd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, slpd_log_t)
files_search_pids($1)
admin_pattern($1, slpd_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slpd_admin'($*)) dnl
')
## Service for downloading news feeds the slrn newsreader.
########################################
##
## Search slrnpull spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`slrnpull_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slrnpull_search_spool'($*)) dnl
gen_require(`
type slrnpull_spool_t;
')
files_search_spool($1)
allow $1 slrnpull_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slrnpull_search_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## slrnpull spool content.
##
##
##
## Domain allowed access.
##
##
#
define(`slrnpull_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slrnpull_manage_spool'($*)) dnl
gen_require(`
type slrnpull_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slrnpull_manage_spool'($*)) dnl
')
## Smart disk monitoring daemon.
#######################################
##
## Read smartmon temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`smartmon_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smartmon_read_tmp_files'($*)) dnl
gen_require(`
type fsdaemon_tmp_t;
')
files_search_tmp($1)
allow $1 fsdaemon_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smartmon_read_tmp_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an smartmon environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`smartmon_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smartmon_admin'($*)) dnl
gen_require(`
type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
')
allow $1 fsdaemon_t:process signal_perms;
ps_process_pattern($1, fsdaemon_t)
tunable_policy(`deny_ptrace',`',`
allow $1 fsdaemon_t:process ptrace;
')
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, fsdaemon_tmp_t)
files_list_pids($1)
admin_pattern($1, fsdaemon_var_run_t)
files_list_var_lib($1)
admin_pattern($1, fsdaemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smartmon_admin'($*)) dnl
')
## Smokeping network latency measurement.
########################################
##
## Execute a domain transition to run smokeping.
##
##
##
## Domain allowed to transition.
##
##
#
define(`smokeping_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_domtrans'($*)) dnl
gen_require(`
type smokeping_t, smokeping_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, smokeping_exec_t, smokeping_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_domtrans'($*)) dnl
')
########################################
##
## Execute smokeping init scripts in
## the initrc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`smokeping_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_initrc_domtrans'($*)) dnl
gen_require(`
type smokeping_initrc_exec_t;
')
init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_initrc_domtrans'($*)) dnl
')
########################################
##
## Read smokeping pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`smokeping_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_read_pid_files'($*)) dnl
gen_require(`
type smokeping_var_run_t;
')
files_search_pids($1)
allow $1 smokeping_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## smokeping pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`smokeping_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_manage_pid_files'($*)) dnl
gen_require(`
type smokeping_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_manage_pid_files'($*)) dnl
')
########################################
##
## Get attributes of smokeping lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`smokeping_getattr_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_getattr_lib_files'($*)) dnl
gen_require(`
type smokeping_var_lib_t;
')
files_search_var_lib($1)
getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_getattr_lib_files'($*)) dnl
')
########################################
##
## Read smokeping lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`smokeping_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_read_lib_files'($*)) dnl
gen_require(`
type smokeping_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## smokeping lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`smokeping_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_manage_lib_files'($*)) dnl
gen_require(`
type smokeping_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate a smokeping environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`smokeping_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_admin'($*)) dnl
gen_require(`
type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t;
type smokeping_var_run_t;
')
allow $1 smokeping_t:process signal_perms;
ps_process_pattern($1, smokeping_t)
tunable_policy(`deny_ptrace',`',`
allow $1 smokeping_t:process ptrace;
')
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 smokeping_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, smokeping_var_lib_t)
files_search_pids($1)
admin_pattern($1, smokeping_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_admin'($*)) dnl
')
## The Fedora hardware profiler client.
## The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.
########################################
##
## Execute smsd in the smsd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`smsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_domtrans'($*)) dnl
gen_require(`
type smsd_t, smsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, smsd_exec_t, smsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_domtrans'($*)) dnl
')
########################################
##
## Execute smsd server in the smsd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_initrc_domtrans'($*)) dnl
gen_require(`
type smsd_initrc_exec_t;
')
init_labeled_script_domtrans($1, smsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read smsd's log files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_log'($*)) dnl
gen_require(`
type smsd_log_t;
')
logging_search_logs($1)
read_files_pattern($1, smsd_log_t, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_log'($*)) dnl
')
########################################
##
## Append to smsd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_append_log'($*)) dnl
gen_require(`
type smsd_log_t;
')
logging_search_logs($1)
append_files_pattern($1, smsd_log_t, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_append_log'($*)) dnl
')
########################################
##
## Manage smsd log files
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_log'($*)) dnl
gen_require(`
type smsd_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
manage_files_pattern($1, smsd_log_t, smsd_log_t)
manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_log'($*)) dnl
')
########################################
##
## Read smsd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_pid_files'($*)) dnl
gen_require(`
type smsd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_pid_files'($*)) dnl
')
########################################
##
## Search smsd spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_search_spool'($*)) dnl
gen_require(`
type smsd_spool_t;
')
allow $1 smsd_spool_t:dir search_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_search_spool'($*)) dnl
')
########################################
##
## Read smsd spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_spool_files'($*)) dnl
gen_require(`
type smsd_spool_t;
')
files_search_spool($1)
read_files_pattern($1, smsd_spool_t, smsd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_spool_files'($*)) dnl
')
########################################
##
## Manage smsd spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_spool_files'($*)) dnl
gen_require(`
type smsd_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_spool_files'($*)) dnl
')
########################################
##
## Manage smsd spool dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_spool_dirs'($*)) dnl
gen_require(`
type smsd_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_spool_dirs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an smsd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`smsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_admin'($*)) dnl
gen_require(`
type smsd_t;
type smsd_initrc_exec_t;
type smsd_log_t;
type smsd_var_run_t;
type smsd_spool_t;
')
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
smsd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, smsd_log_t)
files_search_pids($1)
admin_pattern($1, smsd_var_run_t)
files_search_spool($1)
admin_pattern($1, smsd_spool_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_admin'($*)) dnl
')
## Tools to send and receive short messages through GSM modems or mobile phones.
#######################################
##
## Search smsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_search_lib'($*)) dnl
gen_require(`
type smsd_var_lib_t;
')
allow $1 smsd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_search_lib'($*)) dnl
')
#######################################
##
## Read smsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_lib_files'($*)) dnl
gen_require(`
type smsd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_lib_files'($*)) dnl
')
#######################################
##
## Manage smsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_lib_files'($*)) dnl
gen_require(`
type smsd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_lib_files'($*)) dnl
')
#######################################
##
## Manage smsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`smsd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_lib_dirs'($*)) dnl
gen_require(`
type smsd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_lib_dirs'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an smstools environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`smstools_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smstools_admin'($*)) dnl
gen_require(`
type smsd_t, smsd_initrc_exec_t, smsd_conf_t;
type smsd_log_t, smsd_var_lib_t, smsd_var_run_t;
type smsd_spool_t;
')
allow $1 smsd_t:process { ptrace signal_perms };
ps_process_pattern($1, smsd_t)
init_labeled_script_domtrans($1, smsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, smsd_conf_t)
files_search_var_lib($1)
admin_pattern($1, smsd_var_lib_t)
files_search_spool($1)
admin_pattern($1, smsd_spool_t)
files_search_pids($1)
admin_pattern($1, smsd_var_run_t)
logging_search_logs($1)
admin_pattern($1, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smstools_admin'($*)) dnl
')
## policy for snapperd
########################################
##
## Execute TEMPLATE in the snapperd domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`snapper_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_domtrans'($*)) dnl
gen_require(`
type snapperd_t, snapperd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, snapperd_exec_t, snapperd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## snapperd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`snapper_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_dbus_chat'($*)) dnl
gen_require(`
type snapperd_t;
class dbus send_msg;
')
allow $1 snapperd_t:dbus send_msg;
allow snapperd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_dbus_chat'($*)) dnl
')
########################################
##
## Allow a domain to read inherited snapper pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`snapper_read_inherited_pipe',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_read_inherited_pipe'($*)) dnl
gen_require(`
type snapperd_t;
')
allow $1 snapperd_t:fifo_file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_read_inherited_pipe'($*)) dnl
')
########################################
##
## Allow a domain to relabel snapshots to snapperd_data_t
##
##
##
## Domain allowed access.
##
##
#
define(`snapper_relabel_snapshots',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_relabel_snapshots'($*)) dnl
gen_require(`
type snapperd_data_t;
')
kernel_relabelfrom_unlabeled_dirs($1)
allow $1 snapperd_data_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_relabel_snapshots'($*)) dnl
')
#######################################
##
## Allow domain to create .smapshot
##
##
##
## Domain allowed access.
##
##
#
define(`snapper_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_filetrans_named_content'($*)) dnl
gen_require(`
type snapperd_data_t;
')
files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_filetrans_named_content'($*)) dnl
')
## Simple network management protocol services.
########################################
##
## Send null signals to snmp.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_signull'($*)) dnl
gen_require(`
type snmpd_t;
')
allow $1 snmpd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_signull'($*)) dnl
')
########################################
##
## Connect to snmpd with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_stream_connect'($*)) dnl
gen_require(`
type snmpd_t, snmpd_var_lib_t;
')
files_search_var_lib($1)
stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_stream_connect'($*)) dnl
')
########################################
##
## Connect to snmp over the TCP network.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_tcp_connect'($*)) dnl
gen_require(`
type snmpd_t;
')
corenet_tcp_recvfrom_labeled($1, snmpd_t)
corenet_tcp_sendrecv_snmp_port($1)
corenet_tcp_connect_snmp_port($1)
corenet_sendrecv_snmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_tcp_connect'($*)) dnl
')
########################################
##
## Send and receive UDP traffic to SNMP (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_udp_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_udp_chat'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_udp_chat'($*)) dnl
')
########################################
##
## Read snmpd lib content.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_read_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_read_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_read_snmp_var_lib_files'($*)) dnl
')
#######################################
##
## Read snmpd libraries directories
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_read_snmp_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_read_snmp_var_lib_dirs'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_read_snmp_var_lib_dirs'($*)) dnl
')
########################################
##
## Manage snmpd libraries directories
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_manage_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_dirs'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
allow $1 snmpd_var_lib_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_dirs'($*)) dnl
')
########################################
##
## Manage snmpd libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_manage_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_files'($*)) dnl
')
########################################
##
## Manage snmpd libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`snmp_manage_var_lib_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_sock_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
files_search_var_lib($1)
allow $1 snmpd_var_lib_t:dir list_dir_perms;
manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_sock_files'($*)) dnl
')
########################################
##
## Do not audit attempts to manage
## snmpd lib content.
##
##
##
## Domain to not audit.
##
##
#
define(`snmp_dontaudit_manage_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_manage_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
dontaudit $1 snmpd_var_lib_t:dir manage_dir_perms;
dontaudit $1 snmpd_var_lib_t:file manage_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_manage_snmp_var_lib_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## snmpd lib content.
##
##
##
## Domain to not audit.
##
##
#
define(`snmp_dontaudit_read_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write
## snmpd lib files.
##
##
##
## Domain to not audit.
##
##
#
define(`snmp_dontaudit_write_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl
gen_require(`
type snmpd_var_lib_t;
')
dontaudit $1 snmpd_var_lib_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an snmp environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`snmp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_admin'($*)) dnl
gen_require(`
type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
type snmpd_var_lib_t, snmpd_var_run_t;
')
allow $1 snmpd_t:process signal_perms;
ps_process_pattern($1, snmpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 snmpd_t:process ptrace;
')
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 snmpd_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, snmpd_log_t)
files_list_var_lib($1)
admin_pattern($1, snmpd_var_lib_t)
files_list_pids($1)
admin_pattern($1, snmpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_admin'($*)) dnl
')
## Snort network intrusion detection system.
########################################
##
## Execute a domain transition to run snort.
##
##
##
## Domain allowed to transition.
##
##
#
define(`snort_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snort_domtrans'($*)) dnl
gen_require(`
type snort_t, snort_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, snort_exec_t, snort_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snort_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an snort environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`snort_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snort_admin'($*)) dnl
gen_require(`
type snort_t, snort_var_run_t, snort_log_t;
type snort_etc_t, snort_initrc_exec_t;
')
allow $1 snort_t:process signal_perms;
ps_process_pattern($1, snort_t)
tunable_policy(`deny_ptrace',`',`
allow $1 snort_t:process ptrace;
')
init_labeled_script_domtrans($1, snort_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 snort_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, snort_etc_t)
files_list_etc($1)
admin_pattern($1, snort_log_t)
logging_list_logs($1)
admin_pattern($1, snort_var_run_t)
files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snort_admin'($*)) dnl
')
## Generate debugging information for system.
########################################
##
## Execute a domain transition to run sosreport.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sosreport_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_domtrans'($*)) dnl
gen_require(`
type sosreport_t, sosreport_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sosreport_exec_t, sosreport_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_domtrans'($*)) dnl
')
########################################
##
## Execute sosreport in the sosreport
## domain, and allow the specified
## role the sosreport domain.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`sosreport_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_run'($*)) dnl
gen_require(`
attribute_role sosreport_roles;
')
sosreport_domtrans($1)
roleattribute $2 sosreport_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_run'($*)) dnl
')
########################################
##
## Role access for sosreport.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`sosreport_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_role'($*)) dnl
gen_require(`
type sosreport_t;
')
sosreport_run($2, $1)
allow $2 sosreport_t:process { ptrace signal_perms };
ps_process_pattern($2, sosreport_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_role'($*)) dnl
')
########################################
##
## Read sosreport temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`sosreport_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_read_tmp_files'($*)) dnl
gen_require(`
type sosreport_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_read_tmp_files'($*)) dnl
')
########################################
##
## Append sosreport temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`sosreport_append_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_append_tmp_files'($*)) dnl
gen_require(`
type sosreport_tmp_t;
')
files_search_tmp($1)
append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_append_tmp_files'($*)) dnl
')
########################################
##
## Delete sosreport temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`sosreport_delete_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_delete_tmp_files'($*)) dnl
gen_require(`
type sosreport_tmp_t;
')
files_delete_tmp_dir_entry($1)
delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_delete_tmp_files'($*)) dnl
')
########################################
##
## Send a null signal to sosreport.
##
##
##
## Domain allowed access.
##
##
#
define(`sosreport_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_signull'($*)) dnl
gen_require(`
type sosreport_t;
')
allow $1 sosreport_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_signull'($*)) dnl
')
## sound server for network audio server programs, nasd, yiff, etc
########################################
##
## Connect to the sound server over a TCP socket (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`soundserver_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `soundserver_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `soundserver_tcp_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an soundd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`soundserver_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `soundserver_admin'($*)) dnl
gen_require(`
type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t;
type soundd_state_t;
')
allow $1 soundd_t:process signal_perms;
ps_process_pattern($1, soundd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 soundd_t:process ptrace;
')
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, soundd_etc_t)
files_list_tmp($1)
admin_pattern($1, soundd_tmp_t)
fs_list_tmpfs($1)
admin_pattern($1, soundd_tmpfs_t)
files_list_var($1)
admin_pattern($1, soundd_state_t)
files_list_pids($1)
admin_pattern($1, soundd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `soundserver_admin'($*)) dnl
')
## Filter used for removing unsolicited email.
########################################
##
## Role access for spamassassin
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
##
#
define(`spamassassin_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_role'($*)) dnl
gen_require(`
type spamc_t, spamc_exec_t, spamc_tmp_t;
type spamassassin_t, spamassassin_exec_t;
type spamassassin_home_t, spamassassin_tmp_t;
')
role $1 types { spamc_t spamassassin_t };
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
allow $2 spamassassin_t:process signal_perms;
ps_process_pattern($2, spamassassin_t)
domtrans_pattern($2, spamc_exec_t, spamc_t)
allow $2 spamc_t:process signal_perms;
ps_process_pattern($2, spamc_t)
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_role'($*)) dnl
')
########################################
##
## Execute the standalone spamassassin
## program in the caller directory.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec'($*)) dnl
gen_require(`
type spamassassin_exec_t;
')
can_exec($1, spamassassin_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec'($*)) dnl
')
########################################
##
## Singnal the spam assassin daemon
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_signal_spamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_signal_spamd'($*)) dnl
gen_require(`
type spamd_t;
')
allow $1 spamd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_signal_spamd'($*)) dnl
')
########################################
##
## Execute the spamassassin daemon
## program in the caller directory.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_exec_spamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec_spamd'($*)) dnl
gen_require(`
type spamd_exec_t;
')
can_exec($1, spamd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec_spamd'($*)) dnl
')
########################################
##
## Execute spamassassin client in the spamassassin client domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`spamassassin_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_client'($*)) dnl
gen_require(`
type spamc_t, spamc_exec_t;
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
allow $1 spamc_exec_t:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_client'($*)) dnl
')
########################################
##
## Send kill signal to spamassassin client
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_kill_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_kill_client'($*)) dnl
gen_require(`
type spamc_t;
')
allow $1 spamc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_kill_client'($*)) dnl
')
########################################
##
## Manage spamc home files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_manage_home_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_manage_home_client'($*)) dnl
gen_require(`
type spamc_home_t;
')
userdom_search_user_home_dirs($1)
manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
manage_files_pattern($1, spamc_home_t, spamc_home_t)
manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_manage_home_client'($*)) dnl
')
########################################
##
## Read spamc home files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_read_home_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_home_client'($*)) dnl
gen_require(`
type spamc_home_t;
')
userdom_search_user_home_dirs($1)
list_dirs_pattern($1, spamc_home_t, spamc_home_t)
read_files_pattern($1, spamc_home_t, spamc_home_t)
read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_home_client'($*)) dnl
')
########################################
##
## Execute the spamassassin client
## program in the caller directory.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_exec_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec_client'($*)) dnl
gen_require(`
type spamc_exec_t;
')
can_exec($1, spamc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec_client'($*)) dnl
')
########################################
##
## Execute spamassassin standalone client in the user spamassassin domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`spamassassin_domtrans_local_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_local_client'($*)) dnl
gen_require(`
type spamassassin_t, spamassassin_exec_t;
')
domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_local_client'($*)) dnl
')
########################################
##
## read spamd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_lib_files'($*)) dnl
gen_require(`
type spamd_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## spamd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_manage_lib_files'($*)) dnl
gen_require(`
type spamd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_manage_lib_files'($*)) dnl
')
########################################
##
## Read temporary spamd file.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_read_spamd_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_spamd_tmp_files'($*)) dnl
gen_require(`
type spamd_tmp_t;
')
files_search_tmp($1)
allow $1 spamd_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_spamd_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes of temporary
## spamd sockets/
##
##
##
## Domain to not audit.
##
##
#
define(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl
gen_require(`
type spamd_tmp_t;
')
dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl
')
########################################
##
## Connect to run spamd.
##
##
##
## Domain allowed to connect.
##
##
#
define(`spamd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamd_stream_connect'($*)) dnl
gen_require(`
type spamd_t, spamd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamd_stream_connect'($*)) dnl
')
########################################
##
## Read spamd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_pid_files'($*)) dnl
gen_require(`
type spamd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_pid_files'($*)) dnl
')
######################################
##
## Transition to spamassassin named content
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_filetrans_home_content'($*)) dnl
gen_require(`
type spamc_home_t;
')
userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_filetrans_home_content'($*)) dnl
')
######################################
##
## Transition to spamassassin named content
##
##
##
## Domain allowed access.
##
##
#
define(`spamassassin_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_filetrans_admin_home_content'($*)) dnl
gen_require(`
type spamc_home_t;
')
userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an spamassassin environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the spamassassin domain.
##
##
#
define(`spamassassin_spamd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_spamd_admin'($*)) dnl
gen_require(`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
type spamd_initrc_exec_t;
')
allow $1 spamd_t:process signal_perms;
ps_process_pattern($1, spamd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 spamd_t:process ptrace;
')
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 spamd_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, spamd_tmp_t)
logging_list_logs($1)
admin_pattern($1, spamd_log_t)
files_list_spool($1)
admin_pattern($1, spamd_spool_t)
files_list_var_lib($1)
admin_pattern($1, spamd_var_lib_t)
files_list_pids($1)
admin_pattern($1, spamd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_spamd_admin'($*)) dnl
')
## speech-dispatcher - server process managing speech requests in Speech Dispatcher
########################################
##
## Execute speech-dispatcher in the speech_dispatcher domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`speech_dispatcher_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_domtrans'($*)) dnl
gen_require(`
type speech_dispatcher_t, speech_dispatcher_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, speech_dispatcher_exec_t, speech_dispatcher_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_domtrans'($*)) dnl
')
########################################
##
## Read speech-dispatcher's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`speech_dispatcher_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_read_log'($*)) dnl
gen_require(`
type speech_dispatcher_log_t;
')
logging_search_logs($1)
read_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_read_log'($*)) dnl
')
########################################
##
## Append to speech-dispatcher log files.
##
##
##
## Domain allowed access.
##
##
#
define(`speech_dispatcher_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_append_log'($*)) dnl
gen_require(`
type speech_dispatcher_log_t;
')
logging_search_logs($1)
append_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_append_log'($*)) dnl
')
########################################
##
## Manage speech-dispatcher log files
##
##
##
## Domain allowed access.
##
##
#
define(`speech_dispatcher_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_manage_log'($*)) dnl
gen_require(`
type speech_dispatcher_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
manage_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
manage_lnk_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_manage_log'($*)) dnl
')
########################################
##
## Execute speech-dispatcher server in the speech_dispatcher domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`speech_dispatcher_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_systemctl'($*)) dnl
gen_require(`
type speech_dispatcher_t;
type speech_dispatcher_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 speech_dispatcher_unit_file_t:file read_file_perms;
allow $1 speech_dispatcher_unit_file_t:service manage_service_perms;
ps_process_pattern($1, speech_dispatcher_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an speech-dispatcher environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`speech_dispatcher_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_admin'($*)) dnl
gen_require(`
type speech_dispatcher_t;
type speech_dispatcher_log_t;
type speech_dispatcher_unit_file_t;
')
allow $1 speech_dispatcher_t:process { signal_perms };
ps_process_pattern($1, speech_dispatcher_t)
tunable_policy(`deny_ptrace',`',`
allow $1 speech_dispatcher_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, speech_dispatcher_log_t)
speech_dispatcher_systemctl($1)
admin_pattern($1, speech_dispatcher_unit_file_t)
allow $1 speech_dispatcher_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_admin'($*)) dnl
')
## Squid caching http proxy server.
########################################
##
## Execute squid in the squid domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`squid_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_domtrans'($*)) dnl
gen_require(`
type squid_t, squid_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, squid_exec_t, squid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_domtrans'($*)) dnl
')
########################################
##
## Execute squid in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`squid_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_exec'($*)) dnl
gen_require(`
type squid_exec_t;
')
corecmd_search_bin($1)
can_exec($1, squid_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_exec'($*)) dnl
')
########################################
##
## Send generic signals to squid.
##
##
##
## Domain allowed access.
##
##
#
define(`squid_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_signal'($*)) dnl
gen_require(`
type squid_t;
')
allow $1 squid_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_signal'($*)) dnl
')
########################################
##
## Read and write squid unix
## domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`squid_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_rw_stream_sockets'($*)) dnl
gen_require(`
type squid_t;
')
allow $1 squid_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## squid cache directories.
##
##
##
## Domain to not audit.
##
##
#
define(`squid_dontaudit_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_dontaudit_search_cache'($*)) dnl
gen_require(`
type squid_cache_t;
')
dontaudit $1 squid_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_dontaudit_search_cache'($*)) dnl
')
########################################
##
## Read squid configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_read_config'($*)) dnl
gen_require(`
type squid_conf_t;
')
files_search_etc($1)
read_files_pattern($1, squid_conf_t, squid_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_read_config'($*)) dnl
')
########################################
##
## Read squid log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_read_log'($*)) dnl
gen_require(`
type squid_log_t;
')
logging_search_logs($1)
read_files_pattern($1, squid_log_t, squid_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_read_log'($*)) dnl
')
########################################
##
## Append squid log files.
##
##
##
## Domain allowed access.
##
##
#
define(`squid_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_append_log'($*)) dnl
gen_require(`
type squid_log_t;
')
logging_search_logs($1)
append_files_pattern($1, squid_log_t, squid_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## squid log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`squid_manage_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_manage_logs'($*)) dnl
gen_require(`
type squid_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, squid_log_t, squid_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_manage_logs'($*)) dnl
')
########################################
##
## Use squid services by connecting over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`squid_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_use'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_use'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an squid environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`squid_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_admin'($*)) dnl
gen_require(`
type squid_t, squid_cache_t, squid_conf_t;
type squid_log_t, squid_var_run_t, squid_tmpfs_t;
type squid_initrc_exec_t, squid_tmp_t;
')
allow $1 squid_t:process signal_perms;
ps_process_pattern($1, squid_t)
tunable_policy(`deny_ptrace',`',`
allow $1 squid_t:process ptrace;
')
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
allow $2 system_r;
files_list_var($1)
admin_pattern($1, squid_cache_t)
files_list_etc($1)
admin_pattern($1, squid_conf_t)
logging_list_logs($1)
admin_pattern($1, squid_log_t)
files_list_pids($1)
admin_pattern($1, squid_var_run_t)
fs_list_tmpfs($1)
admin_pattern($1, squid_tmpfs_t)
files_list_tmp($1)
admin_pattern($1, squid_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_admin'($*)) dnl
')
## policy for sslh
########################################
##
## Execute sslh in the sslh domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sslh_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_domtrans'($*)) dnl
gen_require(`
type sslh_t, sslh_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sslh_exec_t, sslh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_domtrans'($*)) dnl
')
#######################################
##
## Execute tor server in the tor domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sslh_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_systemctl'($*)) dnl
gen_require(`
type sslh_t;
type sslh_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 sslh_unit_file_t:file read_file_perms;
allow $1 sslh_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sslh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_systemctl'($*)) dnl
')
########################################
##
## Permit the reading of sslh config files
##
##
##
## Domain allowed to access.
##
##
#
define(`sslh_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_read_config'($*)) dnl
gen_require(`
type sslh_config_t;
')
files_search_etc($1)
allow $1 sslh_config_t:dir list_dir_perms;
allow $1 sslh_config_t:file read_file_perms;
allow $1 sslh_config_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_read_config'($*)) dnl
')
########################################
##
## Permit the creation and writing of sslh config files
##
##
##
## Domain allowed to configure.
##
##
#
define(`sslh_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_write_config'($*)) dnl
gen_require(`
type sslh_config_t;
')
files_search_etc($1)
allow $1 sslh_config_t:dir rw_dir_perms;
allow $1 sslh_config_t:file { rw_file_perms create };
allow $1 sslh_config_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_write_config'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an sslh environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sslh_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_admin'($*)) dnl
gen_require(`
type sslh_t, sslh_config_t;
type sslh_var_run_t;
type sslh_initrc_exec_t;
')
allow $1 sslh_t:process signal_perms;
ps_process_pattern($1, sslh_t)
init_labeled_script_domtrans($1, sslh_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 sslh_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, sslh_config_t)
files_list_pids($1)
admin_pattern($1, sslh_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_admin'($*)) dnl
')
## System Security Services Daemon
#######################################
##
## Allow a domain to getattr on sssd binary.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sssd_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_getattr_exec'($*)) dnl
gen_require(`
type sssd_t, sssd_exec_t;
')
allow $1 sssd_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_getattr_exec'($*)) dnl
')
########################################
##
## Execute a domain transition to run sssd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sssd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_domtrans'($*)) dnl
gen_require(`
type sssd_t, sssd_exec_t;
')
domtrans_pattern($1, sssd_exec_t, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_domtrans'($*)) dnl
')
########################################
##
## Execute sssd server in the sssd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sssd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_initrc_domtrans'($*)) dnl
gen_require(`
type sssd_initrc_exec_t;
')
init_labeled_script_domtrans($1, sssd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute sssd server in the sssd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sssd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_systemctl'($*)) dnl
gen_require(`
type sssd_t;
type sssd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 sssd_unit_file_t:file read_file_perms;
allow $1 sssd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_systemctl'($*)) dnl
')
#######################################
##
## Read sssd configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_config'($*)) dnl
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
read_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_config'($*)) dnl
')
######################################
##
## Write sssd configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_write_config'($*)) dnl
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
write_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_write_config'($*)) dnl
')
#####################################
##
## Write sssd configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_create_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_create_config'($*)) dnl
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
create_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_create_config'($*)) dnl
')
####################################
##
## Manage sssd configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_config'($*)) dnl
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_config'($*)) dnl
')
########################################
##
## Read sssd public files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_read_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_public_files'($*)) dnl
gen_require(`
type sssd_public_t;
')
sssd_search_lib($1)
list_dirs_pattern($1, sssd_public_t, sssd_public_t)
read_files_pattern($1, sssd_public_t, sssd_public_t)
allow $1 sssd_public_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_public_files'($*)) dnl
')
########################################
##
## Delete sssd public files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_delete_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_delete_public_files'($*)) dnl
gen_require(`
type sssd_public_t;
')
sssd_search_lib($1)
allow $1 sssd_public_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_delete_public_files'($*)) dnl
')
########################################
##
## Dontaudit read sssd public files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_dontaudit_read_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_read_public_files'($*)) dnl
gen_require(`
type sssd_public_t;
')
dontaudit $1 sssd_public_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_read_public_files'($*)) dnl
')
#######################################
##
## Manage sssd public files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_manage_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_public_files'($*)) dnl
gen_require(`
type sssd_public_t;
')
sssd_search_lib($1)
manage_files_pattern($1, sssd_public_t, sssd_public_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_public_files'($*)) dnl
')
########################################
##
## Read sssd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_pid_files'($*)) dnl
gen_require(`
type sssd_var_run_t;
')
files_search_pids($1)
allow $1 sssd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_pid_files'($*)) dnl
')
########################################
##
## Manage sssd var_run files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_manage_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_pids'($*)) dnl
gen_require(`
type sssd_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_pids'($*)) dnl
')
########################################
##
## Search sssd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_search_lib'($*)) dnl
gen_require(`
type sssd_var_lib_t;
')
allow $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_search_lib'($*)) dnl
')
########################################
##
## Do not audit attempts to search sssd lib directories.
##
##
##
## Domain to not audit.
##
##
#
define(`sssd_dontaudit_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_search_lib'($*)) dnl
gen_require(`
type sssd_var_lib_t;
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_search_lib'($*)) dnl
')
########################################
##
## Do not audit attempts to read sssd lib files.
##
##
##
## Domain to not audit.
##
##
#
define(`sssd_dontaudit_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_read_lib'($*)) dnl
gen_require(`
type sssd_var_lib_t;
')
dontaudit $1 sssd_var_lib_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_read_lib'($*)) dnl
')
########################################
##
## Read sssd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_lib_files'($*)) dnl
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## sssd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_lib_files'($*)) dnl
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
allow $1 sssd_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_lib_files'($*)) dnl
')
########################################
##
## Send and receive messages from
## sssd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dbus_chat'($*)) dnl
gen_require(`
type sssd_t;
class dbus send_msg;
')
allow $1 sssd_t:dbus send_msg;
allow sssd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dbus_chat'($*)) dnl
')
########################################
##
## Connect to sssd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_stream_connect'($*)) dnl
gen_require(`
type sssd_t, sssd_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_stream_connect'($*)) dnl
')
########################################
##
## Dontaudit attempts to connect to sssd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_stream_connect'($*)) dnl
gen_require(`
type sssd_t, sssd_var_lib_t;
')
dontaudit $1 sssd_t:unix_stream_socket connectto;
dontaudit $1 sssd_var_lib_t:sock_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_stream_connect'($*)) dnl
')
########################################
##
## Connect to sssd over a unix stream socket in /var/run.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_run_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_run_stream_connect'($*)) dnl
gen_require(`
type sssd_t, sssd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_run_stream_connect'($*)) dnl
')
########################################
##
## Dontaudit attempts to connect to sssd over a unix stream socket in /var/run.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_dontaudit_run_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_run_stream_connect'($*)) dnl
gen_require(`
type sssd_t, sssd_var_lib_t;
')
dontaudit $1 sssd_t:unix_stream_socket connectto;
dontaudit $1 sssd_var_run_t:sock_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_run_stream_connect'($*)) dnl
')
#######################################
##
## Manage keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_manage_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_keys'($*)) dnl
gen_require(`
type sssd_t;
')
allow $1 sssd_t:key manage_key_perms;
allow sssd_t $1:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_keys'($*)) dnl
')
#######################################
##
## Allow attempts to read and write to
## sssd pipes
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_rw_inherited_pipes'($*)) dnl
gen_require(`
type sssd_t;
')
allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_rw_inherited_pipes'($*)) dnl
')
########################################
##
## Allow caller to signal sssd.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_signal'($*)) dnl
gen_require(`
type sssd_t;
')
allow $1 sssd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_signal'($*)) dnl
')
########################################
##
## Allow caller to signull sssd.
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_signull'($*)) dnl
gen_require(`
type sssd_t;
')
allow $1 sssd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_signull'($*)) dnl
')
########################################
##
## Transition to sssd named content
##
##
##
## Domain allowed access.
##
##
#
define(`sssd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_filetrans_named_content'($*)) dnl
gen_require(`
type sssd_var_run_t;
type sssd_var_log_t;
type sssd_var_lib_t;
type sssd_public_t;
type sssd_conf_t;
')
files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
files_pid_filetrans($1, sssd_var_run_t, sock_file, ".heim_org.h5l.kcm-socket")
logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
files_etc_filetrans($1, sssd_conf_t, dir, "sssd")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an sssd environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the sssd domain.
##
##
##
#
define(`sssd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_admin'($*)) dnl
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
type sssd_unit_file_t;
')
allow $1 sssd_t:process signal_perms;
ps_process_pattern($1, sssd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 sssd_t:process ptrace;
')
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sssd_initrc_exec_t system_r;
allow $2 system_r;
sssd_manage_pids($1)
sssd_manage_lib_files($1)
admin_pattern($1, sssd_public_t)
sssd_systemctl($1)
admin_pattern($1, sssd_unit_file_t)
allow $1 sssd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_admin'($*)) dnl
')
## Instrumentation System Server
########################################
##
## Execute stapserver in the stapserver domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`stapserver_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_domtrans'($*)) dnl
gen_require(`
type stapserver_t, stapserver_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, stapserver_exec_t, stapserver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_domtrans'($*)) dnl
')
########################################
##
## Read stapserver's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`stapserver_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_read_log'($*)) dnl
gen_require(`
type stapserver_log_t;
')
logging_search_logs($1)
read_files_pattern($1, stapserver_log_t, stapserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_read_log'($*)) dnl
')
########################################
##
## Append to stapserver log files.
##
##
##
## Domain allowed access.
##
##
#
define(`stapserver_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_append_log'($*)) dnl
gen_require(`
type stapserver_log_t;
')
logging_search_logs($1)
append_files_pattern($1, stapserver_log_t, stapserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_append_log'($*)) dnl
')
########################################
##
## Manage stapserver log files
##
##
##
## Domain allowed access.
##
##
#
define(`stapserver_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_manage_log'($*)) dnl
gen_require(`
type stapserver_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_manage_log'($*)) dnl
')
########################################
##
## Read stapserver PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`stapserver_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_read_pid_files'($*)) dnl
gen_require(`
type stapserver_var_run_t;
')
files_search_pids($1)
allow $1 stapserver_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_read_pid_files'($*)) dnl
')
#######################################
##
## Manage stapserver lib files
##
##
##
## Domain allowed access.
##
##
#
define(`stapserver_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_manage_lib'($*)) dnl
gen_require(`
type stapserver_var_lib_t;
')
manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_manage_lib'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an stapserver environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`stapserver_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_admin'($*)) dnl
gen_require(`
type stapserver_t;
type stapserver_log_t;
type stapserver_var_run_t;
')
allow $1 stapserver_t:process { ptrace signal_perms };
ps_process_pattern($1, stapserver_t)
logging_search_logs($1)
admin_pattern($1, stapserver_log_t)
files_search_pids($1)
admin_pattern($1, stapserver_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_admin'($*)) dnl
')
## Daemon to create and monitor storage pools
########################################
##
## Send and receive messages from
## stratisd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`stratisd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_dbus_chat'($*)) dnl
gen_require(`
type stratisd_t;
class dbus send_msg;
')
allow $1 stratisd_t:dbus send_msg;
allow stratisd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_dbus_chat'($*)) dnl
')
########################################
##
## Execute stratisd_exec_t in the stratisd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`stratisd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_domtrans'($*)) dnl
gen_require(`
type stratisd_t, stratisd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, stratisd_exec_t, stratisd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_domtrans'($*)) dnl
')
######################################
##
## Execute stratisd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`stratisd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_exec'($*)) dnl
gen_require(`
type stratisd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, stratisd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_exec'($*)) dnl
')
########################################
##
## Read stratisd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`stratisd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_read_pid_files'($*)) dnl
gen_require(`
type stratisd_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, stratisd_var_run_t, stratisd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an stratisd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`stratisd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_admin'($*)) dnl
gen_require(`
type stratisd_t;
type stratisd_var_run_t;
')
allow $1 stratisd_t:process { signal_perms };
ps_process_pattern($1, stratisd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 stratisd_t:process ptrace;
')
files_search_pids($1)
admin_pattern($1, stratisd_var_run_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_admin'($*)) dnl
')
## SSL Tunneling Proxy.
########################################
##
## Define the specified domain as a stunnel inetd service.
##
##
##
## The type associated with the stunnel inetd service process.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`stunnel_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stunnel_service_domain'($*)) dnl
gen_require(`
type stunnel_t;
')
domtrans_pattern(stunnel_t, $2, $1)
allow $1 stunnel_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stunnel_service_domain'($*)) dnl
')
########################################
##
## Read stunnel configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`stunnel_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stunnel_read_config'($*)) dnl
gen_require(`
type stunnel_etc_t;
')
files_search_etc($1)
allow $1 stunnel_etc_t:dir list_dir_perms;
allow $1 stunnel_etc_t:file read_file_perms;
allow $1 stunnel_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stunnel_read_config'($*)) dnl
')
## policy for svnserve
########################################
##
## Transition to svnserve.
##
##
##
## Domain allowed to transition.
##
##
#
define(`svnserve_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_domtrans'($*)) dnl
gen_require(`
type svnserve_t, svnserve_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svnserve_exec_t, svnserve_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_domtrans'($*)) dnl
')
########################################
##
## Execute svnserve server in the svnserve domain.
##
##
##
## Domain allowed access.
##
##
#
define(`svnserve_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_initrc_domtrans'($*)) dnl
gen_require(`
type svnserve_initrc_exec_t;
')
init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_initrc_domtrans'($*)) dnl
')
#######################################
##
## Execute svnserve server in the svnserve domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`svnserve_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_systemctl'($*)) dnl
gen_require(`
type svnserve_t;
type svnserve_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 svnserve_unit_file_t:file read_file_perms;
allow $1 svnserve_unit_file_t:service manage_service_perms;
ps_process_pattern($1, svnserve_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_systemctl'($*)) dnl
')
########################################
##
## Read svnserve PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`svnserve_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_read_pid_files'($*)) dnl
gen_require(`
type svnserve_var_run_t;
')
files_search_pids($1)
allow $1 svnserve_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_read_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an svnserve environment
##
##
##
## Domain allowed access.
##
##
#
define(`svnserve_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_admin'($*)) dnl
gen_require(`
type svnserve_t;
type svnserve_var_run_t;
type svnserve_unit_file_t;
')
allow $1 svnserve_t:process { ptrace signal_perms };
ps_process_pattern($1, svnserve_t)
files_search_pids($1)
admin_pattern($1, svnserve_var_run_t)
svnserve_systemctl($1)
admin_pattern($1, svnserve_unit_file_t)
allow $1 svnserve_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_admin'($*)) dnl
')
## policy for swift
########################################
##
## Execute TEMPLATE in the swift domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`swift_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_domtrans'($*)) dnl
gen_require(`
type swift_t, swift_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, swift_exec_t, swift_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_domtrans'($*)) dnl
')
########################################
##
## Read swift PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`swift_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_read_pid_files'($*)) dnl
gen_require(`
type swift_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, swift_var_run_t, swift_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_read_pid_files'($*)) dnl
')
########################################
##
## Manage swift data files.
##
##
##
## Domain allowed access.
##
##
#
define(`swift_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_manage_data_files'($*)) dnl
gen_require(`
type swift_data_t;
')
files_search_pids($1)
manage_files_pattern($1, swift_data_t, swift_data_t)
manage_dirs_pattern($1, swift_data_t, swift_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_manage_data_files'($*)) dnl
')
#####################################
##
## Read and write swift lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`swift_manage_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_manage_lock'($*)) dnl
gen_require(`
type swift_lock_t;
')
files_search_locks($1)
manage_files_pattern($1, swift_lock_t, swift_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_manage_lock'($*)) dnl
')
#######################################
##
## Transition content labels to swift named content
##
##
##
## Domain allowed access.
##
##
#
define(`swift_filetrans_named_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_filetrans_named_lock'($*)) dnl
gen_require(`
type swift_lock_t;
')
files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_filetrans_named_lock'($*)) dnl
')
########################################
##
## Execute swift server in the swift domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`swift_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_systemctl'($*)) dnl
gen_require(`
type swift_t;
type swift_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 swift_unit_file_t:file read_file_perms;
allow $1 swift_unit_file_t:service manage_service_perms;
ps_process_pattern($1, swift_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an swift environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`swift_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_admin'($*)) dnl
gen_require(`
type swift_t;
type swift_var_run_t;
type swift_unit_file_t;
')
allow $1 swift_t:process { ptrace signal_perms };
ps_process_pattern($1, swift_t)
files_search_pids($1)
admin_pattern($1, swift_var_run_t)
swift_systemctl($1)
admin_pattern($1, swift_unit_file_t)
allow $1 swift_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_admin'($*)) dnl
')
## SUID/SGID program monitoring.
########################################
##
## Read sxid log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sxid_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sxid_read_log'($*)) dnl
gen_require(`
type sxid_log_t;
')
logging_search_logs($1)
allow $1 sxid_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sxid_read_log'($*)) dnl
')
## Reports on various system states.
########################################
##
## Create, read, write, and delete
## sysstat log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysstat_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysstat_manage_log'($*)) dnl
gen_require(`
type sysstat_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysstat_manage_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an sysstat environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sysstat_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysstat_admin'($*)) dnl
gen_require(`
type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;
')
allow $1 sysstat_t:process { ptrace signal_perms };
ps_process_pattern($1, sysstat_t)
init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 sysstat_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, sysstat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysstat_admin'($*)) dnl
')
########################################
##
## Execute sysstat_exec_t in the sysstat domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sysstat_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysstat_domtrans'($*)) dnl
gen_require(`
type sysstat_t, sysstat_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sysstat_exec_t, sysstat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysstat_domtrans'($*)) dnl
')
## policy for tangd
########################################
##
## Execute tangd_exec_t in the tangd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tangd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tangd_domtrans'($*)) dnl
gen_require(`
type tangd_t, tangd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tangd_exec_t, tangd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tangd_domtrans'($*)) dnl
')
######################################
##
## Execute tangd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tangd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tangd_exec'($*)) dnl
gen_require(`
type tangd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, tangd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tangd_exec'($*)) dnl
')
########################################
##
## Read the contents of the tangd
## database files.
##
##
##
## Domain allowed access.
##
##
#
define(`tangd_read_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tangd_read_db_files'($*)) dnl
gen_require(`
type tangd_db_t;
')
read_files_pattern($1, tangd_db_t, tangd_db_t)
list_dirs_pattern($1, tangd_db_t, tangd_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tangd_read_db_files'($*)) dnl
')
## Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools
########################################
##
## Execute targetd_exec_t in the targetd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`targetd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_domtrans'($*)) dnl
gen_require(`
type targetd_t, targetd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, targetd_exec_t, targetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_domtrans'($*)) dnl
')
######################################
##
## Execute targetd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`targetd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_exec'($*)) dnl
gen_require(`
type targetd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, targetd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_exec'($*)) dnl
')
########################################
##
## Search targetd conf directories.
##
##
##
## Domain allowed access.
##
##
#
define(`targetd_search_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_search_conf'($*)) dnl
gen_require(`
type targetd_etc_rw_t;
')
allow $1 targetd_etc_rw_t:dir search_dir_perms;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_search_conf'($*)) dnl
')
########################################
##
## Read targetd conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`targetd_read_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_read_conf_files'($*)) dnl
gen_require(`
type targetd_etc_rw_t;
')
allow $1 targetd_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_read_conf_files'($*)) dnl
')
########################################
##
## Manage targetd conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`targetd_manage_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_manage_conf_files'($*)) dnl
gen_require(`
type targetd_etc_rw_t;
')
manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_manage_conf_files'($*)) dnl
')
########################################
##
## Execute targetd server in the targetd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`targetd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_systemctl'($*)) dnl
gen_require(`
type targetd_t;
type targetd_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 targetd_unit_file_t:file read_file_perms;
allow $1 targetd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, targetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an targetd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`targetd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_admin'($*)) dnl
gen_require(`
type targetd_t;
type targetd_etc_rw_t;
type targetd_unit_file_t;
')
allow $1 targetd_t:process { signal_perms };
ps_process_pattern($1, targetd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 targetd_t:process ptrace;
')
files_search_etc($1)
admin_pattern($1, targetd_etc_rw_t)
targetd_systemctl($1)
admin_pattern($1, targetd_unit_file_t)
allow $1 targetd_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_admin'($*)) dnl
')
## TCP daemon.
########################################
##
## Execute tcpd in the tcpd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tcpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcpd_domtrans'($*)) dnl
gen_require(`
type tcpd_t, tcpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tcpd_exec_t, tcpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcpd_domtrans'($*)) dnl
')
########################################
##
## Create a domain for services that
## utilize tcp wrappers.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`tcpd_wrapped_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcpd_wrapped_domain'($*)) dnl
gen_require(`
type tcpd_t;
role system_r;
')
domtrans_pattern(tcpd_t, $2, $1)
allow $1 tcpd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcpd_wrapped_domain'($*)) dnl
')
#######################################
##
## Read and write tcpd server TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`tcpd_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcpd_rw_tcp_sockets'($*)) dnl
gen_require(`
type tcpd_t;
')
allow $1 tcpd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcpd_rw_tcp_sockets'($*)) dnl
')
## TSS Core Services daemon.
########################################
##
## Execute a domain transition to run tcsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tcsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_domtrans'($*)) dnl
gen_require(`
type tcsd_t, tcsd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tcsd_exec_t, tcsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_domtrans'($*)) dnl
')
########################################
##
## Execute tcsd init scripts in the
## initrc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tcsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_initrc_domtrans'($*)) dnl
gen_require(`
type tcsd_initrc_exec_t;
')
init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_initrc_domtrans'($*)) dnl
')
########################################
##
## Search tcsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tcsd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_search_lib'($*)) dnl
gen_require(`
type tcsd_var_lib_t;
')
files_search_var_lib($1)
allow $1 tcsd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_search_lib'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## tcsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tcsd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_manage_lib_dirs'($*)) dnl
gen_require(`
type tcsd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read tcsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tcsd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_read_lib_files'($*)) dnl
gen_require(`
type tcsd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## tcsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tcsd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_manage_lib_files'($*)) dnl
gen_require(`
type tcsd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an tcsd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tcsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_admin'($*)) dnl
gen_require(`
type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
')
allow $1 tcsd_t:process signal_perms;
ps_process_pattern($1, tcsd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 tcsd_t:process ptrace;
')
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 tcsd_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tcsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_admin'($*)) dnl
')
## Telepathy communications framework.
#######################################
##
## Creates basic types for telepathy
## domain
##
##
##
## Prefix for the domain.
##
##
#
define(`telepathy_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_domain_template'($*)) dnl
gen_require(`
attribute telepathy_domain;
attribute telepathy_executable;
')
type telepathy_$1_t, telepathy_domain;
type telepathy_$1_exec_t, telepathy_executable;
application_domain(telepathy_$1_t, telepathy_$1_exec_t)
ubac_constrained(telepathy_$1_t)
type telepathy_$1_tmp_t;
userdom_user_tmp_file(telepathy_$1_tmp_t)
kernel_read_system_state(telepathy_$1_t)
auth_use_nsswitch(telepathy_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_domain_template'($*)) dnl
')
#######################################
##
## Role access for telepathy domains
## that executes via dbus-session
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
##
##
## User domain prefix to be used.
##
##
#
define(`telepathy_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_role'($*)) dnl
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
type telepathy_logger_t, telepathy_logger_exec_t;
type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
type telepathy_msn_exec_t;
')
role $1 types telepathy_domain;
allow $2 telepathy_domain:process signal_perms;
ps_process_pattern($2, telepathy_domain)
telepathy_gabble_stream_connect($2)
telepathy_msn_stream_connect($2)
telepathy_salut_stream_connect($2)
dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
telepathy_dbus_chat($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_role'($*)) dnl
')
########################################
##
## Stream connect to Telepathy Gabble
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_gabble_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_gabble_stream_connect'($*)) dnl
gen_require(`
type telepathy_gabble_t, telepathy_gabble_tmp_t;
')
stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_gabble_stream_connect'($*)) dnl
')
########################################
##
## Allow Telepathy Gabble to stream connect to a domain.
##
##
##
## Domain allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_gabble_stream_connect_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_gabble_stream_connect_to'($*)) dnl
gen_require(`
type telepathy_gabble_t;
')
stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_gabble_stream_connect_to'($*)) dnl
')
########################################
##
## Send DBus messages to and from
## Telepathy Gabble.
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_gabble_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_gabble_dbus_chat'($*)) dnl
gen_require(`
type telepathy_gabble_t;
class dbus send_msg;
')
allow $1 telepathy_gabble_t:dbus send_msg;
allow telepathy_gabble_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_gabble_dbus_chat'($*)) dnl
')
########################################
##
## Read telepathy mission control state.
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_mission_control_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_mission_control_read_state'($*)) dnl
gen_require(`
type telepathy_mission_control_t;
')
kernel_search_proc($1)
ps_process_pattern($1, telepathy_mission_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_mission_control_read_state'($*)) dnl
')
#######################################
##
## Stream connect to telepathy MSN managers
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_msn_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_msn_stream_connect'($*)) dnl
gen_require(`
type telepathy_msn_t, telepathy_msn_tmp_t;
')
stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_msn_stream_connect'($*)) dnl
')
########################################
##
## Stream connect to Telepathy Salut
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_salut_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_salut_stream_connect'($*)) dnl
gen_require(`
type telepathy_salut_t, telepathy_salut_tmp_t;
')
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_salut_stream_connect'($*)) dnl
')
#######################################
##
## Send DBus messages to and from
## all Telepathy domain.
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_dbus_chat'($*)) dnl
gen_require(`
attribute telepathy_domain;
class dbus send_msg;
')
allow $1 telepathy_domain:dbus send_msg;
allow telepathy_domain $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_dbus_chat'($*)) dnl
')
######################################
##
## Execute telepathy executable
## in the specified domain.
##
##
##
## Execute a telepathy executable
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`telepathy_command_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_command_domtrans'($*)) dnl
gen_require(`
attribute telepathy_executable;
')
allow $2 telepathy_executable:file entrypoint;
domain_transition_pattern($1, telepathy_executable, $2)
type_transition $1 telepathy_executable:process $2;
# needs to dbus chat with unconfined_t and unconfined_dbusd_t
optional_policy(`
telepathy_dbus_chat($1)
telepathy_dbus_chat($2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_command_domtrans'($*)) dnl
')
########################################
##
## Create telepathy content in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_filetrans_home_content'($*)) dnl
gen_require(`
type telepathy_mission_control_cache_home_t;
type telepathy_mission_control_home_t;
type telepathy_logger_cache_home_t;
type telepathy_gabble_cache_home_t;
type telepathy_sunshine_home_t;
type telepathy_logger_data_home_t;
type telepathy_cache_home_t, telepathy_data_home_t;
type telepathy_mission_control_data_home_t;
')
filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
optional_policy(`
gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_filetrans_home_content'($*)) dnl
')
######################################
##
## Execute telepathy in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`telepathy_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_exec'($*)) dnl
gen_require(`
attribute telepathy_executable;
')
corecmd_search_bin($1)
can_exec($1, telepathy_executable)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_exec'($*)) dnl
')
## Telnet daemon.
########################################
##
## Read and write telnetd pty devices.
##
##
##
## Domain allowed access.
##
##
#
define(`telnet_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telnet_use_ptys'($*)) dnl
gen_require(`
type telnetd_devpts_t;
')
term_list_ptys($1)
allow $1 telnetd_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telnet_use_ptys'($*)) dnl
')
## Trivial file transfer protocol daemon
########################################
##
## Read tftp content
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_read_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_read_content'($*)) dnl
gen_require(`
type tftpdir_t;
type tftpdir_rw_t;
')
list_dirs_pattern($1, tftpdir_t, tftpdir_t)
read_files_pattern($1, tftpdir_t, tftpdir_t)
read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_read_content'($*)) dnl
')
########################################
##
## Search tftp /var/lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_search_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_search_rw_content'($*)) dnl
gen_require(`
type tftpdir_rw_t;
')
search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_search_rw_content'($*)) dnl
')
########################################
##
## Allow read tftp /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_read_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_read_rw_content'($*)) dnl
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_read_rw_content'($*)) dnl
')
########################################
##
## Allow write tftp /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_write_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_write_rw_content'($*)) dnl
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_write_rw_content'($*)) dnl
')
########################################
##
## Manage tftp /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_manage_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_manage_rw_content'($*)) dnl
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_manage_rw_content'($*)) dnl
')
########################################
##
## Manage tftp /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_delete_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_delete_content_dirs'($*)) dnl
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_delete_content_dirs'($*)) dnl
')
########################################
##
## Read tftp config files.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_read_config'($*)) dnl
gen_require(`
type tftpd_etc_t;
')
read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_read_config'($*)) dnl
')
########################################
##
## Manage tftp config files.
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_manage_config'($*)) dnl
gen_require(`
type tftpd_etc_t;
')
manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_manage_config'($*)) dnl
')
########################################
##
## Create objects in tftpdir directories
## with specified types.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Class of the object being created.
##
##
#
define(`tftp_filetrans_tftpdir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_filetrans_tftpdir'($*)) dnl
gen_require(`
type tftpdir_rw_t;
')
filetrans_pattern($1, tftpdir_rw_t, $2, $3)
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_filetrans_tftpdir'($*)) dnl
')
########################################
##
## Transition to tftp named content
##
##
##
## Domain allowed access.
##
##
#
define(`tftp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_filetrans_named_content'($*)) dnl
gen_require(`
type tftpd_etc_t;
')
files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an tftp environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`tftp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_admin'($*)) dnl
gen_require(`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
allow $1 tftpd_t:process signal_perms;
ps_process_pattern($1, tftpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 tftpd_t:process ptrace;
')
files_list_var_lib($1)
admin_pattern($1, tftpdir_rw_t)
admin_pattern($1, tftpdir_t)
files_list_pids($1)
admin_pattern($1, tftpd_var_run_t)
tftp_manage_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_admin'($*)) dnl
')
## Linux Target Framework Daemon.
#####################################
##
## Read and write tgtd semaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`tgtd_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_rw_semaphores'($*)) dnl
gen_require(`
type tgtd_t;
')
allow $1 tgtd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_rw_semaphores'($*)) dnl
')
######################################
##
## Create, read, write, and delete
## tgtd sempaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`tgtd_manage_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_manage_semaphores'($*)) dnl
gen_require(`
type tgtd_t;
')
allow $1 tgtd_t:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_manage_semaphores'($*)) dnl
')
######################################
##
## Connect to tgtd with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`tgtd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_stream_connect'($*)) dnl
gen_require(`
type tgtd_t, tgtd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an tgtd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tgtd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_admin'($*)) dnl
gen_require(`
type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t;
type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t;
')
allow $1 tgtd_t:process { ptrace signal_perms };
ps_process_pattern($1, tgtd_t)
init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 tgtd_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, tgtd_var_lib_t)
files_search_pids($1)
admin_pattern($1, tgtd_var_run_t)
files_search_tmp($1)
admin_pattern($1, tgtd_tmp_t)
fs_search_tmpfs($1)
admin_pattern($1, tgtd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_admin'($*)) dnl
')
## thin policy
#######################################
##
## Creates types and rules for a basic
## thin daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`thin_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thin_domain_template'($*)) dnl
gen_require(`
attribute thin_domain;
')
type $1_t, thin_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
can_exec($1_t, $1_exec_t)
kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thin_domain_template'($*)) dnl
')
######################################
##
## Execute mongod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`thin_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thin_exec'($*)) dnl
gen_require(`
type thin_exec_t;
')
can_exec($1, thin_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thin_exec'($*)) dnl
')
#####################################
##
## Connect to thin over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`thin_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thin_stream_connect'($*)) dnl
gen_require(`
type thin_t, thin_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thin_stream_connect'($*)) dnl
')
## policy for thumb
########################################
##
## Transition to thumb.
##
##
##
## Domain allowed to transition.
##
##
#
define(`thumb_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_domtrans'($*)) dnl
gen_require(`
type thumb_t, thumb_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, thumb_exec_t, thumb_t)
dontaudit thumb_t $1:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_domtrans'($*)) dnl
')
########################################
##
## NNP Transition to thumb.
##
##
##
## Domain allowed to transition.
##
##
#
define(`thumb_nnp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_nnp_domtrans'($*)) dnl
gen_require(`
type thumb_t;
')
allow $1 thumb_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_nnp_domtrans'($*)) dnl
')
########################################
##
## Execute thumb in the thumb domain, and
## allow the specified role the thumb domain.
##
##
##
## Domain allowed to transition
##
##
##
##
## The role to be allowed the thumb domain.
##
##
#
define(`thumb_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_run'($*)) dnl
gen_require(`
type thumb_t;
')
thumb_domtrans($1)
thumb_nnp_domtrans($1)
role $2 types thumb_t;
allow $1 thumb_t:process signal_perms;
dontaudit thumb_t $1:dir list_dir_perms;
dontaudit thumb_t $1:file read_file_perms;
dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
allow thumb_t $1:shm create_shm_perms;
allow thumb_t $1:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_run'($*)) dnl
')
########################################
##
## Role access for thumb
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`thumb_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_role'($*)) dnl
gen_require(`
type thumb_t;
class dbus send_msg;
')
thumb_run($2, $1)
ps_process_pattern($2, thumb_t)
allow thumb_t $2:unix_stream_socket connectto;
thumb_dbus_chat($2)
thumb_filetrans_home_content($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_role'($*)) dnl
')
########################################
##
## Send and receive messages from
## thumb over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`thumb_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_dbus_chat'($*)) dnl
gen_require(`
type thumb_t;
class dbus send_msg;
')
allow $1 thumb_t:dbus send_msg;
allow thumb_t $1:dbus send_msg;
ps_process_pattern(thumb_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_dbus_chat'($*)) dnl
')
########################################
##
## Create thumb content in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`thumb_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_filetrans_home_content'($*)) dnl
gen_require(`
type thumb_home_t;
')
userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
optional_policy(`
gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_filetrans_home_content'($*)) dnl
')
## Thunderbird email client.
########################################
##
## Role access for thunderbird.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`thunderbird_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thunderbird_role'($*)) dnl
gen_require(`
attribute_role thunderbird_roles;
type thunderbird_t, thunderbird_exec_t, thunderbird_home_t;
type thunderbird_tmpfs_t;
')
roleattribute $1 thunderbird_roles;
domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)
stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t)
allow thunderbird_t $2:unix_stream_socket connectto;
allow $2 thunderbird_t:process { ptrace signal_perms };
ps_process_pattern($2, thunderbird_t)
allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms };
allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thunderbird_role'($*)) dnl
')
########################################
##
## Execute thunderbird in the thunderbird domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`thunderbird_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thunderbird_domtrans'($*)) dnl
gen_require(`
type thunderbird_t, thunderbird_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thunderbird_domtrans'($*)) dnl
')
## timedatex - D-Bus service for system clock and RTC settings
########################################
##
## Execute timedatex_exec_t in the timedatex domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`timedatex_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timedatex_domtrans'($*)) dnl
gen_require(`
type timedatex_t, timedatex_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, timedatex_exec_t, timedatex_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timedatex_domtrans'($*)) dnl
')
########################################
##
## Send and receive messages from
## timedatex over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`timedatex_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timedatex_dbus_chat'($*)) dnl
gen_require(`
type timedatex_t;
class dbus send_msg;
')
allow $1 timedatex_t:dbus send_msg;
allow timedatex_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timedatex_dbus_chat'($*)) dnl
')
######################################
##
## Execute timedatex in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`timedatex_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timedatex_exec'($*)) dnl
gen_require(`
type timedatex_exec_t;
')
corecmd_search_bin($1)
can_exec($1, timedatex_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timedatex_exec'($*)) dnl
')
## MIDI to WAV converter and player configured as a service.
## policy for tlp
########################################
##
## Execute tlp_exec_t in the tlp domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tlp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_domtrans'($*)) dnl
gen_require(`
type tlp_t, tlp_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tlp_exec_t, tlp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_domtrans'($*)) dnl
')
######################################
##
## Execute tlp in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tlp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_exec'($*)) dnl
gen_require(`
type tlp_exec_t;
')
corecmd_search_bin($1)
can_exec($1, tlp_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_exec'($*)) dnl
')
######################################
##
## Transition to tlp named content
##
##
##
## Domain allowed access.
##
##
#
define(`tlp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_filetrans_named_content'($*)) dnl
gen_require(`
type tlp_var_run_t;
')
files_pid_filetrans($1, tlp_var_run_t, dir, "tlp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_filetrans_named_content'($*)) dnl
')
########################################
##
## Search tlp conf directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tlp_search_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_search_conf'($*)) dnl
gen_require(`
type tlp_etc_rw_t;
')
allow $1 tlp_etc_rw_t:dir search_dir_perms;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_search_conf'($*)) dnl
')
########################################
##
## Read tlp conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`tlp_read_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_read_conf_files'($*)) dnl
gen_require(`
type tlp_etc_rw_t;
')
allow $1 tlp_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_read_conf_files'($*)) dnl
')
########################################
##
## Manage tlp conf files.
##
##
##
## Domain allowed access.
##
##
#
define(`tlp_manage_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_manage_conf_files'($*)) dnl
gen_require(`
type tlp_etc_rw_t;
')
manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t)
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_manage_conf_files'($*)) dnl
')
########################################
##
## Execute tlp server in the tlp domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tlp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_systemctl'($*)) dnl
gen_require(`
type tlp_t;
type tlp_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 tlp_unit_file_t:file read_file_perms;
allow $1 tlp_unit_file_t:service manage_service_perms;
ps_process_pattern($1, tlp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_systemctl'($*)) dnl
')
########################################
##
## Read all dbus pid files
##
##
##
## Domain allowed access.
##
##
#
define(`tlp_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_manage_pid_files'($*)) dnl
gen_require(`
type tlp_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_manage_pid_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an tlp environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tlp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tlp_admin'($*)) dnl
gen_require(`
type tlp_t;
type tlp_etc_rw_t;
type tlp_unit_file_t;
')
allow $1 tlp_t:process { signal_perms };
ps_process_pattern($1, tlp_t)
tunable_policy(`deny_ptrace',`',`
allow $1 tlp_t:process ptrace;
')
files_search_etc($1)
admin_pattern($1, tlp_etc_rw_t)
tlp_systemctl($1)
admin_pattern($1, tlp_unit_file_t)
allow $1 tlp_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tlp_admin'($*)) dnl
')
## Manage temporary directory sizes and file ages.
########################################
##
## Execute tmpreaper in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tmpreaper_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tmpreaper_exec'($*)) dnl
gen_require(`
type tmpreaper_exec_t;
')
corecmd_search_bin($1)
can_exec($1, tmpreaper_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tmpreaper_exec'($*)) dnl
')
## policy for tomcat
######################################
##
## Creates types and rules for a basic
## tomcat daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`tomcat_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_domain_template'($*)) dnl
gen_require(`
attribute tomcat_domain;
')
type $1_t, tomcat_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
type $1_cache_t;
files_type($1_cache_t)
type $1_log_t;
logging_log_file($1_log_t)
type $1_var_lib_t;
files_type($1_var_lib_t)
type $1_var_run_t;
files_pid_file($1_var_run_t)
type $1_tmp_t;
files_tmp_file($1_tmp_t)
##################################
#
# Local policy
#
manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
files_var_filetrans($1_t, $1_cache_t, { dir file })
manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
manage_files_pattern($1_t, $1_log_t, $1_log_t)
manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { dir file })
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
allow $1_t $1_var_lib_t:file map;
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir lnk_file })
allow $1_t $1_tmp_t:file map;
can_exec($1_t, $1_exec_t)
kernel_read_system_state($1_t)
logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_domain_template'($*)) dnl
')
########################################
##
## Transition to tomcat.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tomcat_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_domtrans'($*)) dnl
gen_require(`
type tomcat_t, tomcat_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tomcat_exec_t, tomcat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_domtrans'($*)) dnl
')
########################################
##
## Search tomcat cache directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_search_cache'($*)) dnl
gen_require(`
type tomcat_cache_t;
')
allow $1 tomcat_cache_t:dir search_dir_perms;
files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_search_cache'($*)) dnl
')
########################################
##
## Read tomcat cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_cache_files'($*)) dnl
gen_require(`
type tomcat_cache_t;
')
files_search_var($1)
read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_cache_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## tomcat cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_cache_files'($*)) dnl
gen_require(`
type tomcat_cache_t;
')
files_search_var($1)
manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_cache_files'($*)) dnl
')
########################################
##
## Manage tomcat cache dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_cache_dirs'($*)) dnl
gen_require(`
type tomcat_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_cache_dirs'($*)) dnl
')
########################################
##
## Read tomcat's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`tomcat_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_log'($*)) dnl
gen_require(`
type tomcat_log_t;
')
logging_search_logs($1)
read_files_pattern($1, tomcat_log_t, tomcat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_log'($*)) dnl
')
########################################
##
## Append to tomcat log files.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_append_log'($*)) dnl
gen_require(`
type tomcat_log_t;
')
logging_search_logs($1)
append_files_pattern($1, tomcat_log_t, tomcat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_append_log'($*)) dnl
')
########################################
##
## Manage tomcat log files
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_log'($*)) dnl
gen_require(`
type tomcat_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_log'($*)) dnl
')
########################################
##
## Search tomcat lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_search_lib'($*)) dnl
gen_require(`
type tomcat_var_lib_t;
')
allow $1 tomcat_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_search_lib'($*)) dnl
')
########################################
##
## Read tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_lib_files'($*)) dnl
gen_require(`
type tomcat_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_lib_files'($*)) dnl
')
########################################
##
## Manage tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_lib_files'($*)) dnl
gen_require(`
type tomcat_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_lib_files'($*)) dnl
')
########################################
##
## Manage tomcat lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_lib_dirs'($*)) dnl
gen_require(`
type tomcat_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read tomcat PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`tomcat_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_pid_files'($*)) dnl
gen_require(`
type tomcat_var_run_t;
')
files_search_pids($1)
allow $1 tomcat_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_pid_files'($*)) dnl
')
########################################
##
## Execute tomcat server in the tomcat domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tomcat_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_systemctl'($*)) dnl
gen_require(`
type tomcat_t;
type tomcat_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 tomcat_unit_file_t:file read_file_perms;
allow $1 tomcat_unit_file_t:service manage_service_perms;
ps_process_pattern($1, tomcat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an tomcat environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`tomcat_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tomcat_admin'($*)) dnl
gen_require(`
type tomcat_t;
type tomcat_cache_t;
type tomcat_log_t;
type tomcat_var_lib_t;
type tomcat_var_run_t;
type tomcat_unit_file_t;
')
allow $1 tomcat_t:process { ptrace signal_perms };
ps_process_pattern($1, tomcat_t)
files_search_var($1)
admin_pattern($1, tomcat_cache_t)
logging_search_logs($1)
admin_pattern($1, tomcat_log_t)
files_search_var_lib($1)
admin_pattern($1, tomcat_var_lib_t)
files_search_pids($1)
admin_pattern($1, tomcat_var_run_t)
tomcat_systemctl($1)
admin_pattern($1, tomcat_unit_file_t)
allow $1 tomcat_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tomcat_admin'($*)) dnl
')
## The onion router.
########################################
##
## Execute a domain transition to run tor.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tor_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tor_domtrans'($*)) dnl
gen_require(`
type tor_t, tor_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tor_exec_t, tor_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tor_domtrans'($*)) dnl
')
#######################################
##
## Execute tor server in the tor domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tor_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tor_systemctl'($*)) dnl
gen_require(`
type tor_t;
type tor_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 tor_unit_file_t:file read_file_perms;
allow $1 tor_unit_file_t:service manage_service_perms;
ps_process_pattern($1, tor_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tor_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an tor environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tor_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tor_admin'($*)) dnl
gen_require(`
type tor_t, tor_var_log_t, tor_etc_t;
type tor_var_lib_t, tor_var_run_t;
type tor_initrc_exec_t;
type tor_unit_file_t;
')
allow $1 tor_t:process signal_perms;
ps_process_pattern($1, tor_t)
tunable_policy(`deny_ptrace',`',`
allow $1 tor_t:process ptrace;
')
init_labeled_script_domtrans($1, tor_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 tor_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, tor_etc_t)
files_list_var_lib($1)
admin_pattern($1, tor_var_lib_t)
logging_list_logs($1)
admin_pattern($1, tor_var_log_t)
files_list_pids($1)
admin_pattern($1, tor_var_run_t)
tor_systemctl($1)
admin_pattern($1, tor_unit_file_t)
allow $1 tor_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tor_admin'($*)) dnl
')
## Portable Transparent Proxy Solution.
########################################
##
## All of the rules required to
## administrate an transproxy environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`transproxy_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `transproxy_admin'($*)) dnl
gen_require(`
type transproxy_t, transproxy_initrc_exec_t, transproxy_var_run_t;
')
allow $1 transproxy_t:process { ptrace signal_perms };
ps_process_pattern($1, transproxy_t)
init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 transproxy_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, transproxy_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `transproxy_admin'($*)) dnl
')
## File integrity checker.
########################################
##
## Execute tripwire in the tripwire domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tripwire_domtrans_tripwire',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_tripwire'($*)) dnl
gen_require(`
type tripwire_t, tripwire_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tripwire_exec_t, tripwire_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_tripwire'($*)) dnl
')
########################################
##
## Execute tripwire in the tripwire
## domain, and allow the specified
## role the tripwire domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tripwire_run_tripwire',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_tripwire'($*)) dnl
gen_require(`
attribute_role tripwire_roles;
')
tripwire_domtrans_tripwire($1)
roleattribute $2 tripwire_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_tripwire'($*)) dnl
')
########################################
##
## Execute twadmin in the twadmin domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tripwire_domtrans_twadmin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twadmin'($*)) dnl
gen_require(`
type twadmin_t, twadmin_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, twadmin_exec_t, twadmin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twadmin'($*)) dnl
')
########################################
##
## Execute twadmin in the twadmin
## domain, and allow the specified
## role the twadmin domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tripwire_run_twadmin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_twadmin'($*)) dnl
gen_require(`
attribute_role twadmin_roles;
')
tripwire_domtrans_twadmin($1)
roleattribute $2 twadmin_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_twadmin'($*)) dnl
')
########################################
##
## Execute twprint in the twprint domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tripwire_domtrans_twprint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twprint'($*)) dnl
gen_require(`
type twprint_t, twprint_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, twprint_exec_t, twprint_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twprint'($*)) dnl
')
########################################
##
## Execute twprint in the twprint
## domain, and allow the specified
## role the twprint domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tripwire_run_twprint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_twprint'($*)) dnl
gen_require(`
attribute_role twprint_roles;
')
tripwire_domtrans_twprint($1)
roleattribute $2 twprint_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_twprint'($*)) dnl
')
########################################
##
## Execute siggen in the siggen domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tripwire_domtrans_siggen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_siggen'($*)) dnl
gen_require(`
type siggen_t, siggen_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, siggen_exec_t, siggen_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_siggen'($*)) dnl
')
########################################
##
## Execute siggen in the siggen domain,
## and allow the specified role
## the siggen domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tripwire_run_siggen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_siggen'($*)) dnl
gen_require(`
attribute_role siggen_roles;
')
tripwire_domtrans_siggen($1)
roleattribute $2 siggen_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_siggen'($*)) dnl
')
## Dynamic adaptive system tuning daemon.
########################################
##
## Execute a domain transition to run tuned.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tuned_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_domtrans'($*)) dnl
gen_require(`
type tuned_t, tuned_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tuned_exec_t, tuned_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_domtrans'($*)) dnl
')
#######################################
##
## Execute tuned in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`tuned_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_exec'($*)) dnl
gen_require(`
type tuned_exec_t;
')
corecmd_search_bin($1)
can_exec($1, tuned_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_exec'($*)) dnl
')
######################################
##
## Read tuned etc files.
##
##
##
## Domain allowed access.
##
##
#
define(`tuned_read_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_read_etc_files'($*)) dnl
gen_require(`
type tuned_etc_t;
')
files_search_etc($1)
read_files_pattern($1, tuned_etc_t, tuned_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_read_etc_files'($*)) dnl
')
######################################
##
## Read tuned pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`tuned_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_read_pid_files'($*)) dnl
gen_require(`
type tuned_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_read_pid_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## tuned pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`tuned_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_manage_pid_files'($*)) dnl
gen_require(`
type tuned_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_manage_pid_files'($*)) dnl
')
########################################
##
## Execute tuned init scripts in
## the initrc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tuned_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_initrc_domtrans'($*)) dnl
gen_require(`
type tuned_initrc_exec_t;
')
init_labeled_script_domtrans($1, tuned_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an tuned environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tuned_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_admin'($*)) dnl
gen_require(`
type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
')
allow $1 tuned_t:process signal_perms;
ps_process_pattern($1, tuned_t)
tunable_policy(`deny_ptrace',`',`
allow $1 tuned_t:process ptrace;
')
tuned_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
logging_search_logs($1)
admin_pattern($1, tuned_log_t)
files_search_pids($1)
admin_pattern($1, tuned_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_admin'($*)) dnl
')
########################################
##
## Send and receive messages from tuned over dbus.
##
##
##
## Domain allowed access,
##
##
#
define(`tuned_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tuned_dbus_chat'($*)) dnl
gen_require(`
type tuned_t;
class dbus send_msg;
')
allow $1 tuned_t:dbus send_msg;
allow tuned_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tuned_dbus_chat'($*)) dnl
')
## High quality television application.
#######################################
##
## Transition to alsa named content
##
##
##
## Domain allowed access.
##
##
#
define(`tvtime_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tvtime_filetrans_home_content'($*)) dnl
gen_require(`
type tvtime_home_t;
')
userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tvtime_filetrans_home_content'($*)) dnl
')
########################################
##
## Role access for tvtime
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`tvtime_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tvtime_role'($*)) dnl
gen_require(`
attribute_role tvtime_roles;
type tvtime_t, tvtime_exec_t, tvtime_tmp_t;
type tvtime_home_t, tvtime_tmpfs_t;
')
roleattribute $1 tvtime_roles;
domtrans_pattern($2, tvtime_exec_t, tvtime_t)
ps_process_pattern($2, tvtime_t)
allow $2 tvtime_t:process { ptrace signal_perms };
allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms };
allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tvtime_role'($*)) dnl
')
## Time zone updater.
########################################
##
## Execute a domain transition to run tzdata.
##
##
##
## Domain allowed to transition.
##
##
#
define(`tzdata_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tzdata_domtrans'($*)) dnl
gen_require(`
type tzdata_t, tzdata_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tzdata_exec_t, tzdata_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tzdata_domtrans'($*)) dnl
')
########################################
##
## Execute tzdata in the tzdata domain,
## and allow the specified role
## the tzdata domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`tzdata_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tzdata_run'($*)) dnl
gen_require(`
attribute_role tzdata_roles;
')
tzdata_domtrans($1)
roleattribute $2 tzdata_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tzdata_run'($*)) dnl
')
## UNIX Client-Server Program Interface for TCP.
########################################
##
## Define a specified domain as a ucspitcp service.
##
##
##
## Domain allowed access.
##
##
##
##
## The type associated with the process program.
##
##
#
define(`ucspitcp_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ucspitcp_service_domain'($*)) dnl
gen_require(`
type ucspitcp_t;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(ucspitcp_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ucspitcp_service_domain'($*)) dnl
')
## Iptables/netfilter userspace logging daemon.
########################################
##
## Execute a domain transition to run ulogd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ulogd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ulogd_domtrans'($*)) dnl
gen_require(`
type ulogd_t, ulogd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ulogd_exec_t, ulogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ulogd_domtrans'($*)) dnl
')
########################################
##
## Read ulogd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ulogd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ulogd_read_config'($*)) dnl
gen_require(`
type ulogd_etc_t;
')
files_search_etc($1)
read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ulogd_read_config'($*)) dnl
')
########################################
##
## Read ulogd log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ulogd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ulogd_read_log'($*)) dnl
gen_require(`
type ulogd_var_log_t;
')
logging_search_logs($1)
allow $1 ulogd_var_log_t:dir list_dir_perms;
read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ulogd_read_log'($*)) dnl
')
#######################################
##
## Search ulogd log files.
##
##
##
## Domain allowed access.
##
##
#
define(`ulogd_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ulogd_search_log'($*)) dnl
gen_require(`
type ulogd_var_log_t;
')
logging_search_logs($1)
allow $1 ulogd_var_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ulogd_search_log'($*)) dnl
')
########################################
##
## Append to ulogd log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`ulogd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ulogd_append_log'($*)) dnl
gen_require(`
type ulogd_var_log_t;
')
logging_search_logs($1)
allow $1 ulogd_var_log_t:dir list_dir_perms;
allow $1 ulogd_var_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ulogd_append_log'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an ulogd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ulogd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ulogd_admin'($*)) dnl
gen_require(`
type ulogd_t, ulogd_etc_t, ulogd_modules_t;
type ulogd_var_log_t, ulogd_initrc_exec_t;
')
allow $1 ulogd_t:process signal_perms;
ps_process_pattern($1, ulogd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 ulogd_t:process ptrace;
')
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ulogd_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, ulogd_etc_t)
logging_list_logs($1)
admin_pattern($1, ulogd_var_log_t)
files_list_usr($1)
admin_pattern($1, ulogd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ulogd_admin'($*)) dnl
')
## User mode linux tools and services.
########################################
##
## Role access for uml.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`uml_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uml_role'($*)) dnl
gen_require(`
attribute_role uml_roles;
type uml_t, uml_exec_t;
type uml_ro_t, uml_rw_t, uml_tmp_t;
type uml_devpts_t, uml_tmpfs_t;
')
roleattribute $1 uml_roles;
domtrans_pattern($2, uml_exec_t, uml_t)
dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)
allow uml_t $2:unix_dgram_socket sendto;
ps_process_pattern($2, uml_t)
allow $2 uml_t:process signal_perms;
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uml_role'($*)) dnl
')
########################################
##
## Set attributes of uml pid sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`uml_setattr_util_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uml_setattr_util_sockets'($*)) dnl
gen_require(`
type uml_switch_var_run_t;
')
allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uml_setattr_util_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## uml pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`uml_manage_util_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uml_manage_util_files'($*)) dnl
gen_require(`
type uml_switch_var_run_t;
')
manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uml_manage_util_files'($*)) dnl
')
## Red Hat utility to change fstab.
########################################
##
## Execute updfstab in the updfstab domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`updfstab_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `updfstab_domtrans'($*)) dnl
gen_require(`
type updfstab_t, updfstab_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, updfstab_exec_t, updfstab_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `updfstab_domtrans'($*)) dnl
')
## Daemon to record and keep track of system up times.
########################################
##
## All of the rules required to
## administrate an uptime environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`uptime_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uptime_admin'($*)) dnl
gen_require(`
type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
type uptimed_spool_t, uptimed_var_run_t;
')
allow $1 uptimed_t:process { ptrace signal_perms };
ps_process_pattern($1, uptimed_t)
init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 uptimed_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, uptimed_etc_t)
files_search_spool($1)
admin_pattern($1, uptimed_spool_t)
files_search_pids($1)
admin_pattern($1, uptimed_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uptime_admin'($*)) dnl
')
## List kernel modules of USB devices.
########################################
##
## Execute usbmodules in the usbmodules domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usbmodules_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmodules_domtrans'($*)) dnl
gen_require(`
type usbmodules_t, usbmodules_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmodules_domtrans'($*)) dnl
')
########################################
##
## Execute usbmodules in the usbmodules
## domain, and allow the specified
## role the usbmodules domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usbmodules_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmodules_run'($*)) dnl
gen_require(`
attribute_role usbmodules_roles;
')
usbmodules_domtrans($1)
roleattribute $2 usbmodules_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmodules_run'($*)) dnl
')
## USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.
########################################
##
## Execute a domain transition to run usbmuxd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usbmuxd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_domtrans'($*)) dnl
gen_require(`
type usbmuxd_t, usbmuxd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_domtrans'($*)) dnl
')
#####################################
##
## Connect to usbmuxd with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`usbmuxd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_stream_connect'($*)) dnl
gen_require(`
type usbmuxd_t, usbmuxd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_stream_connect'($*)) dnl
')
########################################
##
## Execute usbmuxd server in the usbmuxd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usbmuxd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_systemctl'($*)) dnl
gen_require(`
type usbmuxd_t;
type usbmuxd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 usbmuxd_unit_file_t:file read_file_perms;
allow $1 usbmuxd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, usbmuxd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_systemctl'($*)) dnl
')
#####################################
##
## All of the rules required to administrate
## an usbmuxd environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the usbmuxd domain.
##
##
##
#
define(`usbmuxd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_admin'($*)) dnl
gen_require(`
type usbmuxd_t,usbmuxd_var_run_t;
type usbmuxd_unit_file_t;
')
allow $1 usbmuxd_t:process { signal_perms };
ps_process_pattern($1, usbmuxd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 usbmuxd_t:process ptrace;
')
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, usbmuxd_var_run_t)
usbmuxd_systemctl($1)
admin_pattern($1, usbmuxd_unit_file_t)
allow $1 usbmuxd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_admin'($*)) dnl
')
## SELinux utility to run a shell with a new role
#######################################
##
## The role template for the userhelper module.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## The user role.
##
##
##
##
## The user domain associated with the role.
##
##
#
define(`userhelper_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_role_template'($*)) dnl
gen_require(`
attribute userhelper_type;
type userhelper_exec_t, userhelper_conf_t;
class dbus send_msg;
')
########################################
#
# Declarations
#
type $1_userhelper_t, userhelper_type;
userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
domain_role_change_exemption($1_userhelper_t)
domain_obj_id_change_exemption($1_userhelper_t)
domain_interactive_fd($1_userhelper_t)
domain_subj_id_change_exemption($1_userhelper_t)
role $2 types $1_userhelper_t;
########################################
#
# Local policy
#
allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search chown sys_tty_config };
allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_userhelper_t self:process setexec;
allow $1_userhelper_t self:fd use;
allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
allow $1_userhelper_t self:shm create_shm_perms;
allow $1_userhelper_t self:sem create_sem_perms;
allow $1_userhelper_t self:msgq create_msgq_perms;
allow $1_userhelper_t self:msg { send receive };
allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_userhelper_t self:unix_dgram_socket sendto;
allow $1_userhelper_t self:unix_stream_socket connectto;
allow $1_userhelper_t self:sock_file read_sock_file_perms;
#Transition to the derived domain.
domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
can_exec($1_userhelper_t, userhelper_exec_t)
dontaudit $3 $1_userhelper_t:process signal;
kernel_read_all_sysctls($1_userhelper_t)
kernel_getattr_debugfs($1_userhelper_t)
kernel_read_system_state($1_userhelper_t)
# Execute shells
corecmd_exec_shell($1_userhelper_t)
# By default, revert to the calling domain when a program is executed
corecmd_bin_domtrans($1_userhelper_t, $3)
# Inherit descriptors from the current session.
domain_use_interactive_fds($1_userhelper_t)
# for when the user types "exec userhelper" at the command line
domain_sigchld_interactive_fds($1_userhelper_t)
dev_read_urand($1_userhelper_t)
# Read /dev directories and any symbolic links.
dev_list_all_dev_nodes($1_userhelper_t)
files_list_var_lib($1_userhelper_t)
# Read the /etc/security/default_type file
files_read_etc_files($1_userhelper_t)
# Read /var.
files_read_var_files($1_userhelper_t)
files_read_var_symlinks($1_userhelper_t)
# for some PAM modules and for cwd
files_search_home($1_userhelper_t)
fs_search_auto_mountpoints($1_userhelper_t)
fs_read_nfs_files($1_userhelper_t)
fs_read_nfs_symlinks($1_userhelper_t)
# Allow $1_userhelper to obtain contexts to relabel TTYs
selinux_get_fs_mount($1_userhelper_t)
selinux_validate_context($1_userhelper_t)
selinux_compute_access_vector($1_userhelper_t)
selinux_compute_create_context($1_userhelper_t)
selinux_compute_relabel_context($1_userhelper_t)
selinux_compute_user_contexts($1_userhelper_t)
# Read the devpts root directory.
term_list_ptys($1_userhelper_t)
# Relabel terminals.
term_relabel_all_ttys($1_userhelper_t)
term_relabel_all_ptys($1_userhelper_t)
# Access terminals.
term_use_all_ttys($1_userhelper_t)
term_use_all_ptys($1_userhelper_t)
auth_domtrans_chk_passwd($1_userhelper_t)
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
auth_use_nsswitch($1_userhelper_t)
logging_send_syslog_msg($1_userhelper_t)
# Inherit descriptors from the current session.
init_use_fds($1_userhelper_t)
# Write to utmp.
init_manage_utmp($1_userhelper_t)
init_pid_filetrans_utmp($1_userhelper_t)
seutil_read_config($1_userhelper_t)
seutil_read_default_contexts($1_userhelper_t)
# Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
ifdef(`distro_redhat',`
optional_policy(`
# Allow transitioning to rpm_t, for up2date
rpm_domtrans($1_userhelper_t)
')
')
optional_policy(`
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
sysadm_entry_spec_domtrans($1_userhelper_t)
')
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_role_template'($*)) dnl
')
########################################
##
## Search the userhelper configuration directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_search_config'($*)) dnl
gen_require(`
type userhelper_conf_t;
')
allow $1 userhelper_conf_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_search_config'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the userhelper configuration directory.
##
##
##
## Domain to not audit.
##
##
#
define(`userhelper_dontaudit_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_dontaudit_search_config'($*)) dnl
gen_require(`
type userhelper_conf_t;
')
dontaudit $1 userhelper_conf_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_dontaudit_search_config'($*)) dnl
')
########################################
##
## Do not audit attempts to write
## the userhelper configuration files.
##
##
##
## Domain to not audit.
##
##
#
define(`userhelper_dontaudit_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_dontaudit_write_config'($*)) dnl
gen_require(`
type userhelper_conf_t;
')
dontaudit $1 userhelper_conf_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_dontaudit_write_config'($*)) dnl
')
########################################
##
## Allow domain to use userhelper file descriptor.
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_use_fd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_use_fd'($*)) dnl
gen_require(`
attribute userhelper_type;
')
allow $1 userhelper_type:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_use_fd'($*)) dnl
')
########################################
##
## Allow domain to send sigchld to userhelper.
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_sigchld'($*)) dnl
gen_require(`
attribute userhelper_type;
')
allow $1 userhelper_type:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_sigchld'($*)) dnl
')
########################################
##
## Execute the userhelper program in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_exec'($*)) dnl
gen_require(`
type userhelper_exec_t;
')
can_exec($1, userhelper_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_exec'($*)) dnl
')
#######################################
##
## The role template for the consolehelper module.
##
##
##
## This template creates a derived domains which are used
## for consolehelper applications.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`userhelper_console_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_console_role_template'($*)) dnl
gen_require(`
type consolehelper_exec_t;
attribute consolehelper_domain;
class dbus send_msg;
')
type $1_consolehelper_t, consolehelper_domain;
domain_type($1_consolehelper_t)
domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
role $2 types $1_consolehelper_t;
domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
allow $3 $1_consolehelper_t:process signal;
allow $3 $1_consolehelper_t:dbus send_msg;
allow $1_consolehelper_t $3:dbus send_msg;
allow $1_consolehelper_t $3:unix_stream_socket connectto;
kernel_read_system_state($1_consolehelper_t)
auth_use_pam($1_consolehelper_t)
userdom_manage_tmp_role($2, $1_consolehelper_t)
optional_policy(`
dbus_connect_session_bus($1_consolehelper_t)
')
optional_policy(`
hddtemp_run($1_consolehelper_t, $2)
')
optional_policy(`
shutdown_run($1_consolehelper_t, $2)
shutdown_send_sigchld($3)
')
optional_policy(`
mock_run($1_consolehelper_t, $2)
')
optional_policy(`
xserver_run_xauth($1_consolehelper_t, $2)
xserver_read_xdm_pid($1_consolehelper_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_console_role_template'($*)) dnl
')
########################################
##
## Execute the consolehelper program
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`userhelper_exec_consolehelper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_exec_consolehelper'($*)) dnl
gen_require(`
type consolehelper_exec_t;
')
corecmd_search_bin($1)
can_exec($1, consolehelper_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_exec_consolehelper'($*)) dnl
')
## User network interface configuration helper.
########################################
##
## Execute usernetctl in the usernetctl domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usernetctl_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usernetctl_domtrans'($*)) dnl
gen_require(`
type usernetctl_t, usernetctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usernetctl_domtrans'($*)) dnl
')
########################################
##
## Execute usernetctl in the usernetctl
## domain, and allow the specified role
## the usernetctl domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usernetctl_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usernetctl_run'($*)) dnl
gen_require(`
type usernetctl_t;
attribute_role usernetctl_roles;
')
usernetctl_domtrans($1)
roleattribute $2 usernetctl_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usernetctl_run'($*)) dnl
')
## Unix to Unix Copy.
########################################
##
## Execute uucico in the uucpd_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`uucp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_domtrans'($*)) dnl
gen_require(`
type uucpd_t, uucpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, uucpd_exec_t, uucpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_domtrans'($*)) dnl
')
########################################
##
## Append uucp log files.
##
##
##
## Domain allowed access.
##
##
#
define(`uucp_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_append_log'($*)) dnl
gen_require(`
type uucpd_log_t;
')
logging_search_logs($1)
allow $1 uucpd_log_t:dir list_dir_perms;
append_files_pattern($1, uucpd_log_t, uucpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## uucp spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`uucp_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_manage_spool'($*)) dnl
gen_require(`
type uucpd_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t)
manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_manage_spool'($*)) dnl
')
########################################
##
## Execute uux in the uux_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`uucp_domtrans_uux',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_domtrans_uux'($*)) dnl
gen_require(`
type uux_t, uux_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, uux_exec_t, uux_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_domtrans_uux'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an uucp environment.
##
##
##
## Domain allowed access.
##
##
##
#
define(`uucp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_admin'($*)) dnl
gen_require(`
type uucpd_t, uucpd_tmp_t, uucpd_log_t;
type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
type uucpd_var_run_t, uucpd_initrc_exec_t;
')
allow $1 uucpd_t:process signal_perms;
ps_process_pattern($1, uucpd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 uucpd_t:process ptrace;
')
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
files_list_spool($1)
admin_pattern($1, uucpd_spool_t)
admin_pattern($1, { uucpd_rw_t uucpd_ro_t })
files_list_tmp($1)
admin_pattern($1, uucpd_tmp_t)
files_list_pids($1)
admin_pattern($1, uucpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_admin'($*)) dnl
')
## UUID generation daemon.
########################################
##
## Execute uuidd in the uuidd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`uuidd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_domtrans'($*)) dnl
gen_require(`
type uuidd_t, uuidd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, uuidd_exec_t, uuidd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_domtrans'($*)) dnl
')
########################################
##
## Execute uuidd init scripts in
## the initrc domain.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_initrc_domtrans'($*)) dnl
gen_require(`
type uuidd_initrc_exec_t;
')
init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_initrc_domtrans'($*)) dnl
')
########################################
##
## Search uuidd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_search_lib'($*)) dnl
gen_require(`
type uuidd_var_lib_t;
')
files_search_var_lib($1)
allow $1 uuidd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_search_lib'($*)) dnl
')
########################################
##
## Read uuidd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_read_lib_files'($*)) dnl
gen_require(`
type uuidd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## uuidd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_manage_lib_files'($*)) dnl
gen_require(`
type uuidd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_manage_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## uuidd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_manage_lib_dirs'($*)) dnl
gen_require(`
type uuidd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read uuidd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_read_pid_files'($*)) dnl
gen_require(`
type uuidd_var_run_t;
')
files_search_pids($1)
allow $1 uuidd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_read_pid_files'($*)) dnl
')
########################################
##
## Connect to uuidd with an unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`uuidd_stream_connect_manager',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_stream_connect_manager'($*)) dnl
gen_require(`
type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_stream_connect_manager'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an uuidd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`uuidd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_admin'($*)) dnl
gen_require(`
type uuidd_t, uuidd_initrc_exec_t;
type uuidd_var_run_t, uuidd_var_lib_t;
')
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 uuidd_t:process ptrace;
')
uuidd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 uuidd_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, uuidd_var_lib_t)
files_search_pids($1)
admin_pattern($1, uuidd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_admin'($*)) dnl
')
## University of Washington IMAP toolkit POP3 and IMAP mail server.
########################################
##
## Execute imapd in the imapd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`uwimap_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uwimap_domtrans'($*)) dnl
gen_require(`
type imapd_t, imapd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, imapd_exec_t, imapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uwimap_domtrans'($*)) dnl
')
## Varnishd http accelerator daemon.
#######################################
##
## Execute varnishd in the varnishd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`varnishd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_domtrans'($*)) dnl
gen_require(`
type varnishd_t, varnishd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, varnishd_exec_t, varnishd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_domtrans'($*)) dnl
')
#######################################
##
## Execute varnishd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`varnishd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_exec'($*)) dnl
gen_require(`
type varnishd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, varnishd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_exec'($*)) dnl
')
######################################
##
## Read varnishd configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`varnishd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_read_config'($*)) dnl
gen_require(`
type varnishd_etc_t;
')
files_search_etc($1)
read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_read_config'($*)) dnl
')
#####################################
##
## Read varnish lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`varnishd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_read_lib_files'($*)) dnl
gen_require(`
type varnishd_var_lib_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
mmap_read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_read_lib_files'($*)) dnl
')
#######################################
##
## Read varnish log files.
##
##
##
## Domain allowed access.
##
##
#
define(`varnishd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_read_log'($*)) dnl
gen_require(`
type varnishlog_log_t;
')
logging_search_logs($1)
read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_read_log'($*)) dnl
')
######################################
##
## Append varnish log files.
##
##
##
## Domain allowed access.
##
##
#
define(`varnishd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_append_log'($*)) dnl
gen_require(`
type varnishlog_log_t;
')
logging_search_logs($1)
append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_append_log'($*)) dnl
')
#####################################
##
## Create, read, write, and delete
## varnish log files.
##
##
##
## Domain allowed access.
##
##
#
define(`varnishd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_manage_log'($*)) dnl
gen_require(`
type varnishlog_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_manage_log'($*)) dnl
')
######################################
##
## All of the rules required to
## administrate an varnishlog environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`varnishd_admin_varnishlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_admin_varnishlog'($*)) dnl
gen_require(`
type varnishd_t;
type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
type varnishlog_var_run_t;
')
allow $1 varnishlog_t:process signal_perms;
ps_process_pattern($1, varnishlog_t)
tunable_policy(`deny_ptrace',`',`
allow $1 varnishd_t:process ptrace;
')
init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 varnishlog_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, varnishlog_var_run_t)
logging_list_logs($1)
admin_pattern($1, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_admin_varnishlog'($*)) dnl
')
#######################################
##
## All of the rules required to
## administrate an varnishd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`varnishd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_admin'($*)) dnl
gen_require(`
type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
type varnishd_var_run_t, varnishd_tmp_t;
type varnishd_initrc_exec_t;
')
allow $1 varnishd_t:process signal_perms;
ps_process_pattern($1, varnishd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 varnishd_t:process ptrace;
')
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, varnishd_var_lib_t)
files_list_etc($1)
admin_pattern($1, varnishd_etc_t)
files_list_pids($1)
admin_pattern($1, varnishd_var_run_t)
files_list_tmp($1)
admin_pattern($1, varnishd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_admin'($*)) dnl
')
## run real-mode video BIOS code to alter hardware state.
########################################
##
## Execute vbetool in the vbetool domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vbetool_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vbetool_domtrans'($*)) dnl
gen_require(`
type vbetool_t, vbetool_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vbetool_exec_t, vbetool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vbetool_domtrans'($*)) dnl
')
########################################
##
## Execute vbetool in the vbetool
## domain, and allow the specified
## role the vbetool domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`vbetool_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vbetool_run'($*)) dnl
gen_require(`
attribute_role vbetool_roles;
')
vbetool_domtrans($1)
roleattribute $2 vbetool_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vbetool_run'($*)) dnl
')
## Spice agent for Linux.
########################################
##
## Execute a domain transition to run vdagent.
##
##
##
## Domain allowed access.
##
##
#
define(`vdagent_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vdagent_domtrans'($*)) dnl
gen_require(`
type vdagent_t, vdagent_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vdagent_exec_t, vdagent_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vdagent_domtrans'($*)) dnl
')
#####################################
##
## Get attributes of vdagent executable files.
##
##
##
## Domain allowed access.
##
##
#
define(`vdagent_getattr_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vdagent_getattr_exec_files'($*)) dnl
gen_require(`
type vdagent_exec_t;
')
allow $1 vdagent_exec_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vdagent_getattr_exec_files'($*)) dnl
')
#######################################
##
## Get attributes of vdagent log files.
##
##
##
## Domain allowed access.
##
##
#
define(`vdagent_getattr_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vdagent_getattr_log'($*)) dnl
gen_require(`
type vdagent_log_t;
')
logging_search_logs($1)
allow $1 vdagent_log_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vdagent_getattr_log'($*)) dnl
')
########################################
##
## Read vdagent pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`vdagent_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vdagent_read_pid_files'($*)) dnl
gen_require(`
type vdagent_var_run_t;
')
files_search_pids($1)
allow $1 vdagent_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vdagent_read_pid_files'($*)) dnl
')
#####################################
##
## Connect to vdagent with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`vdagent_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vdagent_stream_connect'($*)) dnl
gen_require(`
type vdagent_var_run_t, vdagent_t;
')
files_search_pids($1)
stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vdagent_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an vdagent environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`vdagent_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vdagent_admin'($*)) dnl
gen_require(`
type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t;
type vdagent_log_t;
')
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
tunable_policy(`deny_ptrace',`',`
allow $1 vdagent_t:process ptrace;
')
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 vdagentd_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, vdagent_log_t)
files_search_pids($1)
admin_pattern($1, vdagent_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vdagent_admin'($*)) dnl
')
## Virtual host metrics daemon.
########################################
##
## Execute a domain transition to run vhostmd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vhostmd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_domtrans'($*)) dnl
gen_require(`
type vhostmd_t, vhostmd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_domtrans'($*)) dnl
')
########################################
##
## Execute vhostmd init scripts in
## the initrc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vhostmd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_initrc_domtrans'($*)) dnl
gen_require(`
type vhostmd_initrc_exec_t;
')
init_labeled_script_domtrans($1, vhostmd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_initrc_domtrans'($*)) dnl
')
########################################
##
## Read vhostmd tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`vhostmd_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_read_tmpfs_files'($*)) dnl
gen_require(`
type vhostmd_tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 vhostmd_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_read_tmpfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## vhostmd tmpfs files
##
##
##
## Domain to not audit.
##
##
#
define(`vhostmd_dontaudit_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_dontaudit_read_tmpfs_files'($*)) dnl
gen_require(`
type vhostmd_tmpfs_t;
')
dontaudit $1 vhostmd_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_dontaudit_read_tmpfs_files'($*)) dnl
')
#######################################
##
## Read and write vhostmd tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`vhostmd_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_rw_tmpfs_files'($*)) dnl
gen_require(`
type vhostmd_tmpfs_t;
')
fs_search_tmpfs($1)
rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## vhostmd tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`vhostmd_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_manage_tmpfs_files'($*)) dnl
gen_require(`
type vhostmd_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_manage_tmpfs_files'($*)) dnl
')
########################################
##
## Read vhostmd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`vhostmd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_read_pid_files'($*)) dnl
gen_require(`
type vhostmd_var_run_t;
')
files_search_pids($1)
allow $1 vhostmd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_read_pid_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## vhostmd pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`vhostmd_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_manage_pid_files'($*)) dnl
gen_require(`
type vhostmd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_manage_pid_files'($*)) dnl
')
########################################
##
## Connect to vhostmd with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`vhostmd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_stream_connect'($*)) dnl
gen_require(`
type vhostmd_t, vhostmd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_stream_connect'($*)) dnl
')
#######################################
##
## Do not audit attempts to read and
## write vhostmd unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`vhostmd_dontaudit_rw_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_dontaudit_rw_stream_connect'($*)) dnl
gen_require(`
type vhostmd_t;
')
dontaudit $1 vhostmd_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_dontaudit_rw_stream_connect'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an vhostmd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`vhostmd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vhostmd_admin'($*)) dnl
gen_require(`
type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t;
type vhostmd_tmpfs_t;
')
allow $1 vhostmd_t:process signal_perms;
ps_process_pattern($1, vhostmd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 vhostmd_t:process ptrace;
')
vhostmd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 vhostmd_initrc_exec_t system_r;
allow $2 system_r;
fs_search_tmpfs($1)
admin_pattern($1, vhostmd_tmpfs_t)
files_search_pids($1)
admin_pattern($1, vhostmd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vhostmd_admin'($*)) dnl
')
## Libvirt virtualization API
########################################
##
## virtd_lxc_t stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stub_lxc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stub_lxc'($*)) dnl
gen_require(`
type virtd_lxc_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stub_lxc'($*)) dnl
')
########################################
##
## svirt_sandbox_domain attribute stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stub_svirt_sandbox_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stub_svirt_sandbox_domain'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stub_svirt_sandbox_domain'($*)) dnl
')
########################################
##
## container_file_t stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stub_container_image',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stub_container_image'($*)) dnl
gen_require(`
type container_file_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stub_container_image'($*)) dnl
')
define(`virt_stub_svirt_sandbox_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stub_svirt_sandbox_file'($*)) dnl
gen_require(`
type container_file_t;
type container_ro_file_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stub_svirt_sandbox_file'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## qemu process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`virt_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_domain_template'($*)) dnl
gen_require(`
attribute virt_image_type, virt_domain;
attribute virt_tmpfs_type;
attribute virt_ptynode;
type qemu_exec_t;
type virtlogd_t;
')
type $1_t, virt_domain;
application_domain($1_t, qemu_exec_t)
domain_user_exemption_target($1_t)
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
role system_r types $1_t;
type $1_devpts_t, virt_ptynode;
term_pty($1_devpts_t)
kernel_read_system_state($1_t)
auth_read_passwd($1_t)
logging_send_syslog_msg($1_t)
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
# Allow domain to write to pipes connected to virtlogd
allow $1_t virtlogd_t:fd use;
allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_domain_template'($*)) dnl
')
########################################
##
## Make the specified type usable as a virt image
##
##
##
## Type to be used as a virtual image
##
##
#
define(`virt_image',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_image'($*)) dnl
gen_require(`
attribute virt_image_type;
')
typeattribute $1 virt_image_type;
files_type($1)
# virt images can be assigned to blk devices
dev_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_image'($*)) dnl
')
#######################################
##
## Getattr on virt executable.
##
##
##
## Domain allowed to transition.
##
##
#
define(`virt_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_exec'($*)) dnl
gen_require(`
type virtd_exec_t;
')
allow $1 virtd_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_exec'($*)) dnl
')
########################################
##
## Execute a domain transition to run virt.
##
##
##
## Domain allowed to transition.
##
##
#
define(`virt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_domtrans'($*)) dnl
gen_require(`
type virtd_t, virtd_exec_t;
')
domtrans_pattern($1, virtd_exec_t, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_domtrans'($*)) dnl
')
########################################
##
## Execute virtd in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_exec'($*)) dnl
gen_require(`
type virtd_exec_t;
')
can_exec($1, virtd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_exec'($*)) dnl
')
########################################
##
## Transition to virt_bridgehelper.
##
##
##
## Domain allowed to transition.
##
##
define(`virt_domtrans_bridgehelper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_domtrans_bridgehelper'($*)) dnl
gen_require(`
type virt_bridgehelper_t, virt_bridgehelper_exec_t;
')
domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_domtrans_bridgehelper'($*)) dnl
')
#######################################
##
## Connect to virt over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stream_connect'($*)) dnl
gen_require(`
type virtd_t, virt_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stream_connect'($*)) dnl
')
#######################################
##
## Connect to svirt process over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stream_connect_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stream_connect_svirt'($*)) dnl
gen_require(`
type svirt_t;
type svirt_image_t;
')
stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stream_connect_svirt'($*)) dnl
')
########################################
##
## Read and write to apmd unix
## stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_rw_stream_sockets_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_stream_sockets_svirt'($*)) dnl
gen_require(`
type svirt_t;
')
allow $1 svirt_t:unix_stream_socket { setopt getopt read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_stream_sockets_svirt'($*)) dnl
')
########################################
##
## Allow domain to attach to virt TUN devices
##
##
##
## Domain allowed access.
##
##
#
define(`virt_attach_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_attach_tun_iface'($*)) dnl
gen_require(`
type virtd_t;
')
allow $1 virtd_t:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_attach_tun_iface'($*)) dnl
')
########################################
##
## Allow domain to attach to virt sandbox TUN devices
##
##
##
## Domain allowed access.
##
##
#
define(`virt_attach_sandbox_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_attach_sandbox_tun_iface'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_attach_sandbox_tun_iface'($*)) dnl
')
########################################
##
## Read virt config files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_config'($*)) dnl
gen_require(`
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_config'($*)) dnl
')
########################################
##
## manage virt config files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_config'($*)) dnl
gen_require(`
type virt_etc_t, virt_etc_rw_t;
')
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_config'($*)) dnl
')
########################################
##
## Allow domain to manage virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_getattr_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_content'($*)) dnl
gen_require(`
type virt_content_t;
')
allow $1 virt_content_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_content'($*)) dnl
')
########################################
##
## Allow domain to manage virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_content'($*)) dnl
gen_require(`
type virt_content_t;
')
virt_search_lib($1)
allow $1 virt_content_t:dir list_dir_perms;
allow $1 virt_content_t:blk_file map;
allow $1 virt_content_t:file map;
list_dirs_pattern($1, virt_content_t, virt_content_t)
read_files_pattern($1, virt_content_t, virt_content_t)
read_lnk_files_pattern($1, virt_content_t, virt_content_t)
read_blk_files_pattern($1, virt_content_t, virt_content_t)
read_chr_files_pattern($1, virt_content_t, virt_content_t)
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
fs_read_nfs_symlinks($1)
')
tunable_policy(`virt_use_samba',`
fs_list_cifs($1)
fs_read_cifs_files($1)
fs_read_cifs_symlinks($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_content'($*)) dnl
')
########################################
##
## Allow domain to write virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_write_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_write_content'($*)) dnl
gen_require(`
type virt_content_t;
')
allow $1 virt_content_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_write_content'($*)) dnl
')
########################################
##
## Read virt PID symlinks files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_pid_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_pid_symlinks'($*)) dnl
gen_require(`
type virt_var_run_t;
')
files_search_pids($1)
read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_pid_symlinks'($*)) dnl
')
########################################
##
## Read virt PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_pid_files'($*)) dnl
gen_require(`
type virt_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, virt_var_run_t, virt_var_run_t)
read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_pid_files'($*)) dnl
')
########################################
##
## Manage virt pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_pid_dirs'($*)) dnl
gen_require(`
type virt_var_run_t;
type virt_lxc_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
virt_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_pid_dirs'($*)) dnl
')
########################################
##
## Manage virt pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_pid_files'($*)) dnl
gen_require(`
type virt_var_run_t;
type virt_lxc_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_pid_files'($*)) dnl
')
########################################
##
## Create objects in the pid directory
## with a private type with a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Type to which the created node will be transitioned.
##
##
##
##
## Object class(es) (single or set including {}) for which this
## the transition will occur.
##
##
##
##
## The name of the object being created.
##
##
#
define(`virt_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_pid_filetrans'($*)) dnl
gen_require(`
type virt_var_run_t;
')
filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_pid_filetrans'($*)) dnl
')
########################################
##
## Search virt lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_search_lib'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
allow $1 virt_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_search_lib'($*)) dnl
')
########################################
##
## Read virt lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_lib_files'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t)
read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_lib_files'($*)) dnl
')
########################################
##
## Dontaudit inherited read virt lib files.
##
##
##
## Domain to not audit.
##
##
#
define(`virt_dontaudit_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_read_lib_files'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## virt lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_lib_files'($*)) dnl
gen_require(`
type virt_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_lib_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read virt's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`virt_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_log'($*)) dnl
gen_require(`
type virt_log_t;
')
logging_search_logs($1)
read_files_pattern($1, virt_log_t, virt_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## virt log files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_append_log'($*)) dnl
gen_require(`
type virt_log_t;
')
logging_search_logs($1)
append_files_pattern($1, virt_log_t, virt_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_append_log'($*)) dnl
')
########################################
##
## Allow domain to manage virt log files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_log'($*)) dnl
gen_require(`
type virt_log_t;
')
manage_dirs_pattern($1, virt_log_t, virt_log_t)
manage_files_pattern($1, virt_log_t, virt_log_t)
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_log'($*)) dnl
')
########################################
##
## Allow domain to getattr virt image direcories
##
##
##
## Domain allowed access.
##
##
#
define(`virt_getattr_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_images'($*)) dnl
gen_require(`
attribute virt_image_type;
')
virt_search_lib($1)
allow $1 virt_image_type:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_images'($*)) dnl
')
########################################
##
## Allow domain to search virt image direcories
##
##
##
## Domain allowed access.
##
##
#
define(`virt_search_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_search_images'($*)) dnl
gen_require(`
attribute virt_image_type;
')
virt_search_lib($1)
allow $1 virt_image_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_search_images'($*)) dnl
')
########################################
##
## Allow domain to read virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_images'($*)) dnl
gen_require(`
type virt_var_lib_t;
attribute virt_image_type;
')
virt_search_lib($1)
allow $1 virt_image_type:dir list_dir_perms;
list_dirs_pattern($1, virt_image_type, virt_image_type)
read_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
read_blk_files_pattern($1, virt_image_type, virt_image_type)
read_chr_files_pattern($1, virt_image_type, virt_image_type)
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
fs_read_nfs_files($1)
fs_read_nfs_symlinks($1)
')
tunable_policy(`virt_use_samba',`
fs_list_cifs($1)
fs_read_cifs_files($1)
fs_read_cifs_symlinks($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_images'($*)) dnl
')
########################################
##
## Allow domain to read virt blk image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_blk_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_blk_images'($*)) dnl
gen_require(`
attribute virt_image_type;
')
read_blk_files_pattern($1, virt_image_type, virt_image_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_blk_images'($*)) dnl
')
########################################
##
## Allow domain to read/write virt image chr files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_rw_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_chr_files'($*)) dnl
gen_require(`
attribute virt_image_type;
')
rw_chr_files_pattern($1, virt_image_type, virt_image_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_chr_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## svirt cache files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_cache'($*)) dnl
gen_require(`
type virt_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
manage_files_pattern($1, virt_cache_t, virt_cache_t)
manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_cache'($*)) dnl
')
########################################
##
## Allow domain to manage virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_images'($*)) dnl
gen_require(`
type virt_var_lib_t;
attribute virt_image_type;
')
virt_search_lib($1)
allow $1 virt_image_type:dir list_dir_perms;
manage_dirs_pattern($1, virt_image_type, virt_image_type)
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
rw_chr_files_pattern($1, virt_image_type, virt_image_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_images'($*)) dnl
')
#######################################
##
## Allow domain to manage virt image files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_default_image_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_default_image_type'($*)) dnl
gen_require(`
type virt_var_lib_t;
type virt_image_t;
')
virt_search_lib($1)
manage_dirs_pattern($1, virt_image_t, virt_image_t)
manage_files_pattern($1, virt_image_t, virt_image_t)
read_lnk_files_pattern($1, virt_image_t, virt_image_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_default_image_type'($*)) dnl
')
########################################
##
## Execute virt server in the virt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`virt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_systemctl'($*)) dnl
gen_require(`
type virtd_unit_file_t;
type virtd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 virtd_unit_file_t:file read_file_perms;
allow $1 virtd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_systemctl'($*)) dnl
')
########################################
##
## Ptrace the svirt domain
##
##
##
## Domain allowed to transition.
##
##
#
define(`virt_ptrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_ptrace'($*)) dnl
gen_require(`
attribute virt_domain;
')
allow $1 virt_domain:process ptrace;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_ptrace'($*)) dnl
')
#######################################
##
## Execute Sandbox Files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_exec_sandbox_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_exec_sandbox_files'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
can_exec($1, svirt_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_exec_sandbox_files'($*)) dnl
')
########################################
##
## Allow any svirt_file_type to be an entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`virt_sandbox_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_entrypoint'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
allow $1 svirt_file_type:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_entrypoint'($*)) dnl
')
#######################################
##
## List Sandbox Dirs
##
##
##
## Domain allowed access.
##
##
#
define(`virt_list_sandbox_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_list_sandbox_dirs'($*)) dnl
gen_require(`
type svirt_sandbox_file_t;
')
list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_list_sandbox_dirs'($*)) dnl
')
#######################################
##
## Read Sandbox Files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_sandbox_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_sandbox_files'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
list_dirs_pattern($1, svirt_file_type, svirt_file_type)
read_files_pattern($1, svirt_file_type, svirt_file_type)
read_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_sandbox_files'($*)) dnl
')
#######################################
##
## Manage Sandbox Files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_sandbox_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_sandbox_files'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
manage_dirs_pattern($1, svirt_file_type, svirt_file_type)
manage_files_pattern($1, svirt_file_type, svirt_file_type)
manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type)
manage_chr_files_pattern($1, svirt_file_type, svirt_file_type)
manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_sandbox_files'($*)) dnl
')
#######################################
##
## Getattr Sandbox File systems
##
##
##
## Domain allowed access.
##
##
#
define(`virt_getattr_sandbox_filesystem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_sandbox_filesystem'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
allow $1 svirt_file_type:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_sandbox_filesystem'($*)) dnl
')
#######################################
##
## Relabel Sandbox File systems
##
##
##
## Domain allowed access.
##
##
#
define(`virt_relabel_sandbox_filesystem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_relabel_sandbox_filesystem'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
allow $1 svirt_file_type:filesystem { relabelfrom relabelto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_relabel_sandbox_filesystem'($*)) dnl
')
#######################################
##
## Mounton Sandbox Files
##
##
##
## Domain allowed access.
##
##
#
define(`virt_mounton_sandbox_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_mounton_sandbox_file'($*)) dnl
gen_require(`
attribute svirt_file_type;
')
allow $1 svirt_file_type:dir_file_class_set mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_mounton_sandbox_file'($*)) dnl
')
#######################################
##
## Connect to virt over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_stream_connect_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stream_connect_sandbox'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
attribute svirt_file_type;
')
files_search_pids($1)
stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain)
ps_process_pattern(svirt_sandbox_domain, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stream_connect_sandbox'($*)) dnl
')
########################################
##
## Execute qemu in the svirt domain, and
## allow the specified role the svirt domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the sandbox domain.
##
##
##
#
define(`virt_transition_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_transition_svirt'($*)) dnl
gen_require(`
attribute virt_domain;
type virt_bridgehelper_t;
type svirt_image_t;
type svirt_socket_t;
')
allow $1 virt_domain:process transition;
role $2 types virt_domain;
role $2 types virt_bridgehelper_t;
role $2 types svirt_socket_t;
allow $1 virt_domain:process { sigkill sigstop signull signal };
allow $1 svirt_image_t:file { relabelfrom relabelto };
allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
optional_policy(`
ptchown_run(virt_domain, $2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_transition_svirt'($*)) dnl
')
########################################
##
## Do not audit attempts to write virt daemon unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`virt_dontaudit_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_write_pipes'($*)) dnl
gen_require(`
type virtd_t;
')
dontaudit $1 virtd_t:fd use;
dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_write_pipes'($*)) dnl
')
########################################
##
## Send a sigkill to virtual machines
##
##
##
## Domain allowed access.
##
##
#
define(`virt_kill_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_kill_svirt'($*)) dnl
gen_require(`
attribute virt_domain;
')
allow $1 virt_domain:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_kill_svirt'($*)) dnl
')
########################################
##
## Send a sigkill to virtd daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_kill'($*)) dnl
gen_require(`
type virtd_t;
')
allow $1 virtd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_kill'($*)) dnl
')
########################################
##
## Send a signal to virtd daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signal'($*)) dnl
gen_require(`
type virtd_t;
')
allow $1 virtd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signal'($*)) dnl
')
########################################
##
## Send null signal to virtd daemon.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signull'($*)) dnl
gen_require(`
type virtd_t;
')
allow $1 virtd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signull'($*)) dnl
')
########################################
##
## Send a signal to virtual machines
##
##
##
## Domain allowed access.
##
##
#
define(`virt_signal_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signal_svirt'($*)) dnl
gen_require(`
attribute virt_domain;
')
allow $1 virt_domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signal_svirt'($*)) dnl
')
########################################
##
## Send a signal to sandbox domains
##
##
##
## Domain allowed access.
##
##
#
define(`virt_signal_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signal_sandbox'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
allow $1 svirt_sandbox_domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signal_sandbox'($*)) dnl
')
########################################
##
## Manage virt home files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_home_files'($*)) dnl
gen_require(`
type virt_home_t;
')
userdom_search_user_home_dirs($1)
manage_files_pattern($1, virt_home_t, virt_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_home_files'($*)) dnl
')
########################################
##
## allow domain to read
## virt tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`virt_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_tmpfs_files'($*)) dnl
gen_require(`
attribute virt_tmpfs_type;
')
allow $1 virt_tmpfs_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_tmpfs_files'($*)) dnl
')
########################################
##
## allow domain to manage
## virt tmpfs files
##
##
##
## Domain allowed access
##
##
#
define(`virt_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_tmpfs_files'($*)) dnl
gen_require(`
attribute virt_tmpfs_type;
')
allow $1 virt_tmpfs_type:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_tmpfs_files'($*)) dnl
')
########################################
##
## Create .virt directory in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_filetrans_home_content'($*)) dnl
gen_require(`
type virt_home_t;
type svirt_home_t;
')
userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
optional_policy(`
gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
gnome_data_filetrans($1, svirt_home_t, dir, "images")
gnome_data_filetrans($1, svirt_home_t, dir, "boot")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_filetrans_home_content'($*)) dnl
')
########################################
##
## Dontaudit attempts to Read virt_image_type devices.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_dontaudit_read_chr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_read_chr_dev'($*)) dnl
gen_require(`
attribute virt_image_type;
')
dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_read_chr_dev'($*)) dnl
')
########################################
##
## Creates types and rules for a basic
## virt_lxc process domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`virt_sandbox_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_domain_template'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
type $1_t, svirt_sandbox_domain;
domain_type($1_t)
domain_user_exemption_target($1_t)
mls_rangetrans_target($1_t)
mcs_constrained($1_t)
role system_r types $1_t;
logging_send_syslog_msg($1_t)
kernel_read_system_state($1_t)
kernel_read_all_proc($1_t)
# optional_policy(`
# container_runtime_typebounds($1_t)
# ')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_domain_template'($*)) dnl
')
########################################
##
## Make the specified type usable as a lxc domain
##
##
##
## Type to be used as a lxc domain
##
##
#
define(`virt_sandbox_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_domain'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
typeattribute $1 svirt_sandbox_domain;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_domain'($*)) dnl
')
########################################
##
## Make the specified type usable as a lxc network domain
##
##
##
## Type to be used as a lxc network domain
##
##
#
define(`virt_sandbox_net_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_net_domain'($*)) dnl
gen_require(`
attribute sandbox_net_domain;
')
virt_sandbox_domain($1)
typeattribute $1 sandbox_net_domain;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_net_domain'($*)) dnl
')
########################################
##
## Execute a qemu_exec_t in the callers domain
##
##
##
## Domain allowed access.
##
##
#
define(`virt_exec_qemu',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_exec_qemu'($*)) dnl
gen_require(`
type qemu_exec_t;
')
can_exec($1, qemu_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_exec_qemu'($*)) dnl
')
########################################
##
## Transition to virt named content
##
##
##
## Domain allowed access.
##
##
#
define(`virt_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_filetrans_named_content'($*)) dnl
gen_require(`
type virt_lxc_var_run_t;
type virt_var_run_t;
')
files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_filetrans_named_content'($*)) dnl
')
########################################
##
## Execute qemu in the svirt domain, and
## allow the specified role the svirt domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the sandbox domain.
##
##
##
#
define(`virt_transition_svirt_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_transition_svirt_sandbox'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
allow $1 svirt_sandbox_domain:process { transition signal_perms };
role $2 types svirt_sandbox_domain;
allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
allow svirt_sandbox_domain $1:fd use;
allow svirt_sandbox_domain $1:process sigchld;
ps_process_pattern($1, svirt_sandbox_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_transition_svirt_sandbox'($*)) dnl
')
########################################
##
## Read the process state of virt sandbox containers
##
##
##
## Domain allowed access.
##
##
#
define(`virt_sandbox_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_read_state'($*)) dnl
gen_require(`
attribute svirt_sandbox_domain;
')
ps_process_pattern($1, svirt_sandbox_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_read_state'($*)) dnl
')
########################################
##
## Read and write to svirt_image devices.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_rw_svirt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_svirt_dev'($*)) dnl
gen_require(`
type svirt_image_t;
')
allow $1 svirt_image_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_svirt_dev'($*)) dnl
')
########################################
##
## Read and write to svirt_image files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_rw_svirt_image',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_svirt_image'($*)) dnl
gen_require(`
type svirt_image_t;
')
allow $1 svirt_image_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_svirt_image'($*)) dnl
')
########################################
##
## Read and write to svirt_image devices.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_rlimitinh',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rlimitinh'($*)) dnl
gen_require(`
type virtd_t;
')
allow $1 virtd_t:process { rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rlimitinh'($*)) dnl
')
########################################
##
## Read and write to svirt_image devices.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_noatsecure'($*)) dnl
gen_require(`
type virtd_t;
')
allow $1 virtd_t:process { noatsecure rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_noatsecure'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an virt environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`virt_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_admin'($*)) dnl
gen_require(`
attribute virt_domain;
attribute virt_system_domain;
attribute svirt_file_type;
attribute virt_file_type;
type virtd_initrc_exec_t;
')
allow $1 virt_system_domain:process signal_perms;
allow $1 virt_domain:process signal_perms;
ps_process_pattern($1, virt_system_domain)
ps_process_pattern($1, virt_domain)
tunable_policy(`deny_ptrace',`',`
allow $1 virt_system_domain:process ptrace;
allow $1 virt_domain:process ptrace;
')
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
allow $2 system_r;
allow $1 virt_domain:process signal_perms;
admin_pattern($1, virt_file_type)
admin_pattern($1, svirt_file_type)
virt_systemctl($1)
allow $1 virtd_unit_file_t:service all_service_perms;
virt_stream_connect_sandbox($1)
virt_stream_connect_svirt($1)
virt_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_admin'($*)) dnl
')
#######################################
##
## Getattr on virt executable.
##
##
##
## Domain allowed to transition.
##
##
#
define(`virt_default_capabilities',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_default_capabilities'($*)) dnl
gen_require(`
attribute sandbox_caps_domain;
')
typeattribute $1 sandbox_caps_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_default_capabilities'($*)) dnl
')
########################################
##
## Send and receive messages from
## virt over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dbus_chat'($*)) dnl
gen_require(`
type virtd_t;
class dbus send_msg;
')
allow $1 virtd_t:dbus send_msg;
allow virtd_t $1:dbus send_msg;
ps_process_pattern(virtd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dbus_chat'($*)) dnl
')
########################################
##
## Execute a file in a sandbox directory
## in the specified domain.
##
##
##
## Execute a file in a sandbox directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`virt_sandbox_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_domtrans'($*)) dnl
gen_require(`
type container_file_t;
')
domtrans_pattern($1,container_file_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_domtrans'($*)) dnl
')
########################################
##
## Dontaudit read the process state (/proc/pid) of libvirt
##
##
##
## Domain allowed access.
##
##
#
define(`virt_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_read_state'($*)) dnl
gen_require(`
type virtd_t;
')
dontaudit $1 virtd_t:dir search_dir_perms;
dontaudit $1 virtd_t:file read_file_perms;
dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_read_state'($*)) dnl
')
#######################################
##
## Send to libvirt with a unix dgram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dgram_send'($*)) dnl
gen_require(`
type virtd_t, virt_var_run_t;
')
files_search_pids($1)
dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dgram_send'($*)) dnl
')
########################################
##
## Manage svirt tmp files,dirs and sockfiles.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_svirt_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_svirt_manage_tmp'($*)) dnl
gen_require(`
type svirt_tmp_t;
')
manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t)
manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_svirt_manage_tmp'($*)) dnl
')
########################################
##
## Read qemu PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`virt_read_qemu_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_qemu_pid_files'($*)) dnl
gen_require(`
type qemu_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t)
read_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_qemu_pid_files'($*)) dnl
')
## Lock one or more sessions on the Linux console.
#######################################
##
## Execute vlock in the vlock domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vlock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vlock_domtrans'($*)) dnl
gen_require(`
type vlock_t, vlock_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vlock_exec_t, vlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vlock_domtrans'($*)) dnl
')
########################################
##
## Execute vlock in the vlock domain,
## and allow the specified role
## the vlock domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed to access.
##
##
##
#
define(`vlock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vlock_run'($*)) dnl
gen_require(`
attribute_role vlock_roles;
')
vlock_domtrans($1)
roleattribute $2 vlock_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vlock_run'($*)) dnl
')
## VMware Tools daemon
########################################
##
## Execute vmtools in the vmtools domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vmtools_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_domtrans'($*)) dnl
gen_require(`
type vmtools_t, vmtools_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vmtools_exec_t, vmtools_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_domtrans'($*)) dnl
')
########################################
##
## Execute vmtools in the vmtools domin.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vmtools_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_domtrans_helper'($*)) dnl
gen_require(`
type vmtools_helper_t, vmtools_helper_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_domtrans_helper'($*)) dnl
')
########################################
##
## Execute vmtools helpers in the vmtools_heler domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the mozilla_plugin domain.
##
##
#
define(`vmtools_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_run_helper'($*)) dnl
gen_require(`
attribute_role vmtools_helper_roles;
')
vmtools_domtrans_helper($1)
roleattribute $2 vmtools_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_run_helper'($*)) dnl
')
########################################
##
## Execute vmtools server in the vmtools domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vmtools_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_systemctl'($*)) dnl
gen_require(`
type vmtools_t;
type vmtools_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 vmtools_unit_file_t:file read_file_perms;
allow $1 vmtools_unit_file_t:service manage_service_perms;
ps_process_pattern($1, vmtools_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an vmtools environment
##
##
##
## Domain allowed access.
##
##
##
#
define(`vmtools_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_admin'($*)) dnl
gen_require(`
type vmtools_t;
type vmtools_unit_file_t;
')
allow $1 vmtools_t:process { signal_perms };
ps_process_pattern($1, vmtools_t)
tunable_policy(`deny_ptrace',`',`
allow $1 vmtools_t:process ptrace;
')
vmtools_systemctl($1)
admin_pattern($1, vmtools_unit_file_t)
allow $1 vmtools_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_admin'($*)) dnl
')
########################################
##
## Send and receive messages from
## vmtools_unconfined over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`vmtools_unconfined_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_unconfined_dbus_chat'($*)) dnl
gen_require(`
type vmtools_unconfined_t;
class dbus send_msg;
')
allow $1 vmtools_unconfined_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_unconfined_dbus_chat'($*)) dnl
')
## VMWare Workstation virtual machines.
########################################
##
## Role access for vmware.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`vmware_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_role'($*)) dnl
gen_require(`
type vmware_t, vmware_exec_t, vmware_file_t;
type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t;
')
role $1 types vmware_t;
domtrans_pattern($2, vmware_exec_t, vmware_t)
ps_process_pattern($2, vmware_t)
allow $2 vmware_t:process signal_perms;
tunable_policy(`deny_ptrace',`',`
allow $2 vmware_t:process ptrace;
')
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware")
userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_role'($*)) dnl
')
########################################
##
## Execute vmware host executables
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_exec_host',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_exec_host'($*)) dnl
gen_require(`
type vmware_host_exec_t;
')
corecmd_search_bin($1)
can_exec($1, vmware_host_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_exec_host'($*)) dnl
')
########################################
##
## Read vmware system configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_read_system_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_read_system_config'($*)) dnl
gen_require(`
type vmware_sys_conf_t;
')
files_search_etc($1)
allow $1 vmware_sys_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_read_system_config'($*)) dnl
')
########################################
##
## Append vmware system configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_append_system_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_append_system_config'($*)) dnl
gen_require(`
type vmware_sys_conf_t;
')
files_search_etc($1)
allow $1 vmware_sys_conf_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_append_system_config'($*)) dnl
')
########################################
##
## Append vmware log files.
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_append_log'($*)) dnl
gen_require(`
type vmware_log_t;
')
logging_search_logs($1)
append_files_pattern($1, vmware_log_t, vmware_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_append_log'($*)) dnl
')
########################################
##
## Transition to vmware content
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_filetrans_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_filetrans_content'($*)) dnl
gen_require(`
type vmware_log_t;
')
logging_log_filetrans($1, vmware_log_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_filetrans_content'($*)) dnl
')
########################################
##
## Manage vmware log files.
##
##
##
## Domain allowed access.
##
##
#
define(`vmware_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_manage_log'($*)) dnl
gen_require(`
type vmware_log_t;
')
manage_files_pattern($1, vmware_log_t, vmware_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_manage_log'($*)) dnl
')
## Console network traffic monitor.
########################################
##
## Execute a domain transition to run vnstat.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vnstatd_domtrans_vnstat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_domtrans_vnstat'($*)) dnl
gen_require(`
type vnstat_t, vnstat_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vnstat_exec_t, vnstat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_domtrans_vnstat'($*)) dnl
')
########################################
##
## Execute vnstat in the vnstat domain,
## and allow the specified role
## the vnstat domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`vnstatd_run_vnstat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_run_vnstat'($*)) dnl
gen_require(`
attribute_role vnstat_roles;
')
vnstatd_domtrans_vnstat($1)
roleattribute $2 vnstat_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_run_vnstat'($*)) dnl
')
########################################
##
## Execute a domain transition to run vnstatd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vnstatd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_domtrans'($*)) dnl
gen_require(`
type vnstatd_t, vnstatd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_domtrans'($*)) dnl
')
########################################
##
## Search vnstatd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`vnstatd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_search_lib'($*)) dnl
gen_require(`
type vnstatd_var_lib_t;
')
files_search_var_lib($1)
allow $1 vnstatd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_search_lib'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## vnstatd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`vnstatd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_manage_lib_dirs'($*)) dnl
gen_require(`
type vnstatd_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_manage_lib_dirs'($*)) dnl
')
########################################
##
## Read vnstatd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`vnstatd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_read_lib_files'($*)) dnl
gen_require(`
type vnstatd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_read_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## vnstatd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`vnstatd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_manage_lib_files'($*)) dnl
gen_require(`
type vnstatd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_manage_lib_files'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an vnstatd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
#
define(`vnstatd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_admin'($*)) dnl
gen_require(`
type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
type vnstatd_var_run_t;
')
allow $1 vnstatd_t:process signal_perms;
ps_process_pattern($1, vnstatd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 vnstatd_t:process ptrace;
')
init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 vnstatd_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, vnstatd_var_run_t)
files_list_var_lib($1)
admin_pattern($1, vnstatd_var_lib_t)
vnstatd_run_vnstat($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_admin'($*)) dnl
')
## Virtual Private Networking client
########################################
##
## Execute VPN clients in the vpnc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`vpn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_domtrans'($*)) dnl
gen_require(`
type vpnc_t, vpnc_exec_t;
')
domtrans_pattern($1, vpnc_exec_t, vpnc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_domtrans'($*)) dnl
')
########################################
##
## Execute VPN clients in the vpnc domain, and
## allow the specified role the vpnc domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`vpn_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_run'($*)) dnl
gen_require(`
attribute_role vpnc_roles;
type vpnc_t;
')
vpn_domtrans($1)
roleattribute $2 vpnc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_run'($*)) dnl
')
########################################
##
## Send VPN clients the kill signal.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_kill'($*)) dnl
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_kill'($*)) dnl
')
########################################
##
## Send generic signals to VPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_signal'($*)) dnl
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_signal'($*)) dnl
')
########################################
##
## Send signull to VPN clients.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_signull'($*)) dnl
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_signull'($*)) dnl
')
########################################
##
## Send and receive messages from
## Vpnc over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_dbus_chat'($*)) dnl
gen_require(`
type vpnc_t;
class dbus send_msg;
')
allow $1 vpnc_t:dbus send_msg;
allow vpnc_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_dbus_chat'($*)) dnl
')
########################################
##
## Read vpnc PID dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`vpnc_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_manage_pid_dirs'($*)) dnl
gen_require(`
type vpnc_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_manage_pid_dirs'($*)) dnl
')
########################################
##
## Read vpnc PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`vpnc_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_read_pid_files'($*)) dnl
gen_require(`
type vpnc_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_read_pid_files'($*)) dnl
')
########################################
##
## Read vpnc PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`vpnc_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_manage_pid_files'($*)) dnl
gen_require(`
type vpnc_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_manage_pid_files'($*)) dnl
')
########################################
##
## Read vpnc PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`vpnc_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_manage_pid'($*)) dnl
gen_require(`
type vpnc_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
manage_dirs_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_manage_pid'($*)) dnl
')
########################################
##
## Relabelfrom from vpnc socket.
##
##
##
## Domain allowed access.
##
##
#
define(`vpn_relabelfrom_tun_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_relabelfrom_tun_socket'($*)) dnl
gen_require(`
type vpnc_t;
')
allow $1 vpnc_t:tun_socket relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_relabelfrom_tun_socket'($*)) dnl
')
## W3C Markup Validator.
## Software watchdog.
########################################
##
## All of the rules required to
## administrate an watchdog environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`watchdog_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `watchdog_admin'($*)) dnl
gen_require(`
type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
type watchdog_var_run_t;
')
allow $1 watchdog_t:process { ptrace signal_perms };
ps_process_pattern($1, watchdog_t)
init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 watchdog_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, watchdog_log_t)
files_search_pids($1)
admin_pattern($1, watchdog_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `watchdog_admin'($*)) dnl
')
#######################################
##
## Allow read watchdog_unconfined_t lnk files.
##
##
##
## Domain allowed access.
##
##
#
define(`watchdog_unconfined_exec_read_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `watchdog_unconfined_exec_read_lnk_files'($*)) dnl
gen_require(`
type watchdog_unconfined_exec_t;
')
read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `watchdog_unconfined_exec_read_lnk_files'($*)) dnl
')
## watchdog multiplexing daemon
########################################
##
## Execute a domain transition to run wdmd.
##
##
##
## Domain allowed access.
##
##
#
define(`wdmd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_domtrans'($*)) dnl
gen_require(`
type wdmd_t, wdmd_exec_t;
')
domtrans_pattern($1, wdmd_exec_t, wdmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_domtrans'($*)) dnl
')
########################################
##
## Execute wdmd server in the wdmd domain.
##
##
##
## The type of the process performing this action.
##
##
#
define(`wdmd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_initrc_domtrans'($*)) dnl
gen_require(`
type wdmd_initrc_exec_t;
')
init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_initrc_domtrans'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an wdmd environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`wdmd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_admin'($*)) dnl
gen_require(`
type wdmd_t;
type wdmd_initrc_exec_t;
')
allow $1 wdmd_t:process signal_perms;
ps_process_pattern($1, wdmd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 wdmd_t:process ptrace;
')
wdmd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 wdmd_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_admin'($*)) dnl
')
######################################
##
## Create, read, write, and delete wdmd PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`wdmd_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_manage_pid_files'($*)) dnl
gen_require(`
type wdmd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_manage_pid_files'($*)) dnl
')
########################################
##
## Connect to wdmd over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`wdmd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_stream_connect'($*)) dnl
gen_require(`
type wdmd_t, wdmd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_stream_connect'($*)) dnl
')
####################################
##
## Allow the specified domain to read/write wdmd's tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`wdmd_rw_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_rw_tmpfs'($*)) dnl
gen_require(`
type wdmd_tmpfs_t;
')
rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_rw_tmpfs'($*)) dnl
')
## Web administrator role.
########################################
##
## Change to the web administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`webadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webadm_role_change'($*)) dnl
gen_require(`
role webadm_r;
')
allow $1 webadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webadm_role_change'($*)) dnl
')
########################################
##
## Change from the web administrator role.
##
##
##
## Change from the web administrator role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`webadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webadm_role_change_to'($*)) dnl
gen_require(`
role webadm_r;
')
allow webadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webadm_role_change_to'($*)) dnl
')
## Web server log analysis.
########################################
##
## Execute webalizer in the webalizer domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`webalizer_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webalizer_domtrans'($*)) dnl
gen_require(`
type webalizer_t, webalizer_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, webalizer_exec_t, webalizer_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webalizer_domtrans'($*)) dnl
')
########################################
##
## Execute webalizer in the webalizer
## domain, and allow the specified
## role the webalizer domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`webalizer_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webalizer_run'($*)) dnl
gen_require(`
attribute_role webalizer_roles;
')
webalizer_domtrans($1)
roleattribute $2 webalizer_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webalizer_run'($*)) dnl
')
## Wine Is Not an Emulator. Run Windows programs in Linux.
#######################################
##
## The per role template for the wine module.
##
##
##
## This template creates a derived domains which are used
## for wine applications.
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`wine_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_role'($*)) dnl
gen_require(`
type wine_t;
type wine_home_t;
type wine_exec_t;
')
role $1 types wine_t;
domain_auto_trans($2, wine_exec_t, wine_t)
# Unrestricted inheritance from the caller.
allow $2 wine_t:process { noatsecure siginh rlimitinh };
allow wine_t $2:fd use;
allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
ps_process_pattern($2, wine_t)
allow $2 wine_t:process signal_perms;
allow $2 wine_t:fd use;
allow $2 wine_t:shm { associate getattr unix_read unix_write };
allow $2 wine_t:unix_stream_socket connectto;
# X access, Home files
manage_dirs_pattern($2, wine_home_t, wine_home_t)
manage_files_pattern($2, wine_home_t, wine_home_t)
manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
relabel_dirs_pattern($2, wine_home_t, wine_home_t)
relabel_files_pattern($2, wine_home_t, wine_home_t)
relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_role'($*)) dnl
')
#######################################
##
## The role template for the wine module.
##
##
##
## This template creates a derived domains which are used
## for wine applications.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`wine_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_role_template'($*)) dnl
gen_require(`
type wine_t;
attribute wine_domain;
type wine_exec_t;
')
type $1_wine_t, wine_domain;
domain_type($1_wine_t)
domain_entry_file($1_wine_t, wine_exec_t)
ubac_constrained($1_wine_t)
role $2 types $1_wine_t;
allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, wine_exec_t, $1_wine_t)
corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
userdom_manage_tmp_role($2, $1_wine_t)
userdom_manage_home_role($2 ,$1_wine_t)
domain_mmap_low($1_wine_t)
optional_policy(`
xserver_role($1_r, $1_wine_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_role_template'($*)) dnl
')
########################################
##
## Execute the wine program in the wine domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`wine_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_domtrans'($*)) dnl
gen_require(`
type wine_t, wine_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, wine_exec_t, wine_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_domtrans'($*)) dnl
')
########################################
##
## Execute wine in the wine domain, and
## allow the specified role the wine domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`wine_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_run'($*)) dnl
gen_require(`
type wine_t;
')
wine_domtrans($1)
role $2 types wine_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_run'($*)) dnl
')
########################################
##
## Read and write wine Shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`wine_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_rw_shm'($*)) dnl
gen_require(`
type wine_t;
')
allow $1 wine_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_rw_shm'($*)) dnl
')
########################################
##
## Transition to wine named content
##
##
##
## Domain allowed access.
##
##
#
define(`wine_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_filetrans_named_content'($*)) dnl
gen_require(`
type wine_home_t;
')
userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_filetrans_named_content'($*)) dnl
')
## Wireshark packet capture tool.
############################################################
##
## Role access for wireshark.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`wireshark_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wireshark_role'($*)) dnl
gen_require(`
attribute_role wireshark_roles;
type wireshark_t, wireshark_exec_t, wireshark_home_t;
type wireshark_tmp_t, wireshark_tmpfs_t;
')
roleattribute $1 wireshark_roles;
domtrans_pattern($2, wireshark_exec_t, wireshark_t)
allow $2 wireshark_t:process { ptrace signal_perms };
ps_process_pattern($2, wireshark_t)
allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wireshark_role'($*)) dnl
')
########################################
##
## Execute wireshark in wireshark domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`wireshark_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wireshark_domtrans'($*)) dnl
gen_require(`
type wireshark_t, wireshark_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, wireshark_exec_t, wireshark_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wireshark_domtrans'($*)) dnl
')
########################################
##
## Read and write wireshark Shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`wireshark_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wireshark_rw_shm'($*)) dnl
gen_require(`
type wireshark_t;
')
allow $1 wireshark_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wireshark_rw_shm'($*)) dnl
')
## X Window Managers
#######################################
##
## The role template for the wm module.
##
##
##
## This template creates a derived domains which are used
## for window manager applications.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`wm_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wm_role_template'($*)) dnl
gen_require(`
type wm_exec_t;
class dbus send_msg;
attribute wm_domain;
')
type $1_wm_t, wm_domain;
domain_type($1_wm_t)
domain_entry_file($1_wm_t, wm_exec_t)
role $2 types $1_wm_t;
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;
allow $3 $1_wm_t:process { signal sigchld signull };
allow $1_wm_t $3:process { signull sigkill };
allow $1_wm_t $3:dbus send_msg;
allow $3 $1_wm_t:dbus send_msg;
userdom_manage_home_role($2, $1_wm_t)
userdom_manage_tmp_role($2, $1_wm_t)
userdom_exec_user_tmp_files($1_wm_t)
domtrans_pattern($3, wm_exec_t, $1_wm_t)
corecmd_bin_domtrans($1_wm_t, $3)
corecmd_shell_domtrans($1_wm_t, $3)
auth_use_nsswitch($1_wm_t)
kernel_read_system_state($1_wm_t)
auth_use_nsswitch($1_wm_t)
mls_file_read_all_levels($1_wm_t)
mls_file_write_all_levels($1_wm_t)
mls_xwin_read_all_levels($1_wm_t)
mls_xwin_write_all_levels($1_wm_t)
mls_fd_use_all_levels($1_wm_t)
optional_policy(`
pulseaudio_run($1_wm_t, $2)
')
optional_policy(`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wm_role_template'($*)) dnl
')
########################################
##
## Execute the wm program in the wm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`wm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wm_exec'($*)) dnl
gen_require(`
type wm_exec_t;
')
can_exec($1, wm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wm_exec'($*)) dnl
')
## Xen hypervisor
########################################
##
## Execute a domain transition to run xend.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xen_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_domtrans'($*)) dnl
gen_require(`
type xend_t, xend_exec_t;
')
domtrans_pattern($1, xend_exec_t, xend_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to execute xend
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_exec'($*)) dnl
gen_require(`
type xend_exec_t;
')
can_exec($1, xend_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_exec'($*)) dnl
')
########################################
##
## Inherit and use xen file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_use_fds'($*)) dnl
gen_require(`
type xend_t;
')
allow $1 xend_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## xen file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`xen_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_dontaudit_use_fds'($*)) dnl
gen_require(`
type xend_t;
')
dontaudit $1 xend_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_dontaudit_use_fds'($*)) dnl
')
#######################################
##
## Read xend pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_read_pid_files_xenstored',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_read_pid_files_xenstored'($*)) dnl
gen_require(`
type xenstored_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_read_pid_files_xenstored'($*)) dnl
')
########################################
##
## Read xend lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_read_lib_files'($*)) dnl
gen_require(`
type xend_var_lib_t;
')
files_list_var_lib($1)
read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_read_lib_files'($*)) dnl
')
########################################
##
## Read xend image files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_read_image_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_read_image_files'($*)) dnl
gen_require(`
type xen_image_t, xend_var_lib_t;
')
files_list_var_lib($1)
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_read_image_files'($*)) dnl
')
########################################
##
## Allow the specified domain to read/write
## xend image files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_manage_image_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_manage_image_dirs'($*)) dnl
gen_require(`
type xend_var_lib_t;
')
files_list_var_lib($1)
manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_manage_image_dirs'($*)) dnl
')
########################################
##
## Allow the specified domain to read/write
## xend image files.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xen_rw_image_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_rw_image_files'($*)) dnl
gen_require(`
type xen_image_t, xend_var_lib_t;
')
files_list_var_lib($1)
allow $1 xend_var_lib_t:dir search_dir_perms;
rw_files_pattern($1, xen_image_t, xen_image_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_rw_image_files'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## xend log files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_append_log'($*)) dnl
gen_require(`
type xend_var_log_t;
')
logging_search_logs($1)
append_files_pattern($1, xend_var_log_t, xend_var_log_t)
dontaudit $1 xend_var_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_append_log'($*)) dnl
')
########################################
##
## Create, read, write, and delete the
## xend log files.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_manage_log'($*)) dnl
gen_require(`
type xend_var_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_manage_log'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## Xen unix domain stream sockets. These
## are leaked file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`xen_dontaudit_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl
gen_require(`
type xend_t;
')
dontaudit $1 xend_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl
')
########################################
##
## Connect to xenstored over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_stream_connect_xenstore',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xenstore'($*)) dnl
gen_require(`
type xenstored_t, xenstored_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect_xenstore'($*)) dnl
')
########################################
##
## Connect to xend over a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect'($*)) dnl
gen_require(`
type xend_t, xend_var_run_t, xend_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
files_search_var_lib($1)
stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect'($*)) dnl
')
########################################
##
## Execute a domain transition to run xm.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xen_domtrans_xm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_domtrans_xm'($*)) dnl
gen_require(`
type xm_t, xm_exec_t;
attribute virsh_transition_domain;
')
typeattribute $1 virsh_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_domtrans_xm'($*)) dnl
')
########################################
##
## Connect to xm over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xen_stream_connect_xm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xm'($*)) dnl
gen_require(`
type xm_t, xenstored_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect_xm'($*)) dnl
')
## X Windows Font Server.
########################################
##
## Read xfs temporary sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`xfs_read_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_read_sockets'($*)) dnl
gen_require(`
type xfs_tmp_t;
')
files_search_tmp($1)
read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_read_sockets'($*)) dnl
')
########################################
##
## Connect to xfs with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xfs_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_stream_connect'($*)) dnl
gen_require(`
type xfs_tmp_t, xfs_t;
')
files_search_tmp($1)
stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_stream_connect'($*)) dnl
')
########################################
##
## Execute xfs in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`xfs_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_exec'($*)) dnl
gen_require(`
type xfs_exec_t;
')
corecmd_search_bin($1)
can_exec($1, xfs_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_exec'($*)) dnl
')
########################################
##
## All of the rules required to
## administrate an xfs environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`xfs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_admin'($*)) dnl
gen_require(`
type xfs_t, xfs_initrc_exec_t, xfs_var_run_t;
type xfs_tmp_t;
')
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)
init_labeled_script_domtrans($1, xfs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 xfs_initrc_exec_t system_r;
allow $2 system_r;
files_search_pids($1)
admin_pattern($1, xfs_var_run_t)
files_search_tmp($1)
admin_pattern($1, xfs_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_admin'($*)) dnl
')
## Least privileged xwindows user role.
########################################
##
## Change to the xguest role.
##
##
##
## Role allowed access.
##
##
##
#
define(`xguest_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xguest_role_change'($*)) dnl
gen_require(`
role xguest_r;
')
allow $1 xguest_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xguest_role_change'($*)) dnl
')
########################################
##
## Change from the xguest role.
##
##
##
## Change from the xguest role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`xguest_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xguest_role_change_to'($*)) dnl
gen_require(`
role xguest_r;
')
allow xguest_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xguest_role_change_to'($*)) dnl
')
## Modular screen saver and locker for X11.
########################################
##
## Role access for xscreensaver.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`xscreensaver_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xscreensaver_role'($*)) dnl
gen_require(`
attribute_role xscreensaver_roles;
type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
')
roleattribute $1 xscreensaver_roles;
domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
allow $2 xscreensaver_t:process { ptrace signal_perms };
ps_process_pattern($2, xscreensaver_t)
allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xscreensaver_role'($*)) dnl
')
## Distributed infrastructure monitoring
########################################
##
## Execute a domain transition to run zabbix.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zabbix_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_domtrans'($*)) dnl
gen_require(`
type zabbix_t, zabbix_exec_t;
')
domtrans_pattern($1, zabbix_exec_t, zabbix_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run zabbix_script.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zabbix_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_script_domtrans'($*)) dnl
gen_require(`
type zabbix_script_t, zabbix_script_exec_t;
')
domtrans_pattern($1, zabbix_script_exec_t, zabbix_script_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_script_domtrans'($*)) dnl
')
########################################
##
## Allow connectivity to the zabbix server
##
##
##
## Domain allowed access.
##
##
#
define(`zabbix_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_tcp_connect'($*)) dnl
gen_require(`
type zabbix_t;
')
corenet_sendrecv_zabbix_agent_client_packets($1)
corenet_tcp_connect_zabbix_port($1)
corenet_tcp_recvfrom_labeled($1, zabbix_t)
corenet_tcp_sendrecv_zabbix_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_tcp_connect'($*)) dnl
')
########################################
##
## Allow the specified domain to read zabbix's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`zabbix_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_read_log'($*)) dnl
gen_require(`
type zabbix_log_t;
')
logging_search_logs($1)
read_files_pattern($1, zabbix_log_t, zabbix_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_read_log'($*)) dnl
')
########################################
##
## Allow the specified domain to read zabbix's tmp files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`zabbix_read_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_read_tmp'($*)) dnl
gen_require(`
type zabbix_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_read_tmp'($*)) dnl
')
########################################
##
## Allow the specified domain to append
## zabbix log files.
##
##
##
## Domain allowed access.
##
##
#
define(`zabbix_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_append_log'($*)) dnl
gen_require(`
type zabbix_log_t;
')
logging_search_logs($1)
append_files_pattern($1, zabbix_log_t, zabbix_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_append_log'($*)) dnl
')
########################################
##
## Read zabbix PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`zabbix_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_read_pid_files'($*)) dnl
gen_require(`
type zabbix_var_run_t;
')
files_search_pids($1)
allow $1 zabbix_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_read_pid_files'($*)) dnl
')
########################################
##
## Allow connectivity to a zabbix agent
##
##
##
## Domain allowed access.
##
##
#
define(`zabbix_agent_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_agent_tcp_connect'($*)) dnl
gen_require(`
type zabbix_t, zabbix_agent_t;
')
corenet_sendrecv_zabbix_agent_client_packets($1)
corenet_tcp_connect_zabbix_agent_port($1)
corenet_tcp_recvfrom_labeled($1, zabbix_t)
corenet_tcp_sendrecv_zabbix_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_agent_tcp_connect'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an zabbix environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the zabbix domain.
##
##
##
#
define(`zabbix_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_admin'($*)) dnl
gen_require(`
type zabbix_t, zabbix_log_t, zabbix_var_run_t;
type zabbix_initrc_exec_t;
')
allow $1 zabbix_t:process signal_perms;
ps_process_pattern($1, zabbix_t)
tunable_policy(`deny_ptrace',`',`
allow $1 zabbix_t:process ptrace;
')
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zabbix_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, zabbix_log_t)
files_list_pids($1)
admin_pattern($1, zabbix_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_admin'($*)) dnl
')
## Zarafa collaboration platform.
######################################
##
## Creates types and rules for a basic
## zararfa init daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`zarafa_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_domain_template'($*)) dnl
gen_require(`
attribute zarafa_domain;
')
##############################
#
# $1_t declarations
#
type zarafa_$1_t, zarafa_domain;
type zarafa_$1_exec_t;
init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
type zarafa_$1_log_t;
logging_log_file(zarafa_$1_log_t)
type zarafa_$1_var_run_t;
files_pid_file(zarafa_$1_var_run_t)
##############################
#
# $1_t local policy
#
manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
kernel_read_system_state(zarafa_$1_t)
auth_use_nsswitch(zarafa_$1_t)
logging_send_syslog_msg(zarafa_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_domain_template'($*)) dnl
')
######################################
##
## Allow the specified domain to search
## zarafa configuration dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`zarafa_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_search_config'($*)) dnl
gen_require(`
type zarafa_etc_t;
')
files_search_etc($1)
allow $1 zarafa_etc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_search_config'($*)) dnl
')
########################################
##
## Execute a domain transition to run zarafa_deliver.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zarafa_domtrans_deliver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_domtrans_deliver'($*)) dnl
gen_require(`
type zarafa_deliver_t, zarafa_deliver_exec_t;
')
domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_domtrans_deliver'($*)) dnl
')
########################################
##
## Execute a domain transition to run zarafa_server.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zarafa_domtrans_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_domtrans_server'($*)) dnl
gen_require(`
type zarafa_server_t, zarafa_server_exec_t;
')
domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_domtrans_server'($*)) dnl
')
#######################################
##
## Connect to zarafa-server unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`zarafa_stream_connect_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_stream_connect_server'($*)) dnl
gen_require(`
type zarafa_server_t, zarafa_server_var_run_t;
')
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_stream_connect_server'($*)) dnl
')
####################################
##
## Allow the specified domain to manage
## zarafa /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`zarafa_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_manage_lib_files'($*)) dnl
gen_require(`
type zarafa_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_manage_lib_files'($*)) dnl
')
## Zebra border gateway protocol network routing service
########################################
##
## Read the configuration files for zebra.
##
##
##
## Domain allowed access.
##
##
##
#
define(`zebra_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_read_config'($*)) dnl
gen_require(`
type zebra_conf_t;
')
files_search_etc($1)
allow $1 zebra_conf_t:dir list_dir_perms;
read_files_pattern($1, zebra_conf_t, zebra_conf_t)
read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_read_config'($*)) dnl
')
########################################
##
## Connect to zebra over an unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`zebra_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_stream_connect'($*)) dnl
gen_require(`
type zebra_t, zebra_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_stream_connect'($*)) dnl
')
#######################################
##
## Execute zebra services in the zebra domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zebra_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_systemctl'($*)) dnl
gen_require(`
type zebra_t;
type zebra_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 zebra_unit_file_t:file read_file_perms;
allow $1 zebra_unit_file_t:service manage_service_perms;
ps_process_pattern($1, zebra_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_systemctl'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an zebra environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the zebra domain.
##
##
##
#
define(`zebra_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_admin'($*)) dnl
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')
allow $1 zebra_t:process signal_perms;
ps_process_pattern($1, zebra_t)
tunable_policy(`deny_ptrace',`',`
allow $1 zebra_t:process ptrace;
')
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zebra_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, zebra_conf_t)
logging_list_logs($1)
admin_pattern($1, zebra_log_t)
files_list_tmp($1)
admin_pattern($1, zebra_tmp_t)
files_list_pids($1)
admin_pattern($1, zebra_var_run_t)
zebra_systemctl($1)
admin_pattern($1, zebra_unit_file_t)
allow $1 zebra_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_admin'($*)) dnl
')
## policy for zoneminder
########################################
##
## Transition to zoneminder.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zoneminder_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_domtrans'($*)) dnl
gen_require(`
type zoneminder_t, zoneminder_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_domtrans'($*)) dnl
')
########################################
##
## Allow the specified domain to execute zoneminder
## in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zoneminder_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_exec'($*)) dnl
gen_require(`
type zoneminder_exec_t;
')
corecmd_search_bin($1)
can_exec($1, zoneminder_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_exec'($*)) dnl
')
########################################
##
## Execute zoneminder server in the zoneminder domain.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_initrc_domtrans'($*)) dnl
gen_require(`
type zoneminder_initrc_exec_t;
')
init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_initrc_domtrans'($*)) dnl
')
########################################
##
## Read zoneminder's log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`zoneminder_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_read_log'($*)) dnl
gen_require(`
type zoneminder_log_t;
')
logging_search_logs($1)
read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_read_log'($*)) dnl
')
########################################
##
## Append to zoneminder log files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_append_log'($*)) dnl
gen_require(`
type zoneminder_log_t;
')
logging_search_logs($1)
append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_append_log'($*)) dnl
')
########################################
##
## Manage zoneminder log files
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_log'($*)) dnl
gen_require(`
type zoneminder_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_log'($*)) dnl
')
########################################
##
## Search zoneminder lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_search_lib'($*)) dnl
gen_require(`
type zoneminder_var_lib_t;
')
allow $1 zoneminder_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_search_lib'($*)) dnl
')
########################################
##
## Read zoneminder lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_read_lib_files'($*)) dnl
gen_require(`
type zoneminder_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_read_lib_files'($*)) dnl
')
########################################
##
## Manage zoneminder lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_lib_files'($*)) dnl
gen_require(`
type zoneminder_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_lib_files'($*)) dnl
')
########################################
##
## Manage zoneminder lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_lib_dirs'($*)) dnl
gen_require(`
type zoneminder_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_lib_dirs'($*)) dnl
')
########################################
##
## Manage zoneminder sock_files files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_manage_lib_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_lib_sock_files'($*)) dnl
gen_require(`
type zoneminder_var_lib_t;
')
files_search_var_lib($1)
manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_lib_sock_files'($*)) dnl
')
########################################
##
## Search zoneminder spool directories.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_search_spool'($*)) dnl
gen_require(`
type zoneminder_spool_t;
')
allow $1 zoneminder_spool_t:dir search_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_search_spool'($*)) dnl
')
########################################
##
## Read zoneminder spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_read_spool_files'($*)) dnl
gen_require(`
type zoneminder_spool_t;
')
files_search_spool($1)
read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_read_spool_files'($*)) dnl
')
########################################
##
## Manage zoneminder spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_spool_files'($*)) dnl
gen_require(`
type zoneminder_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_spool_files'($*)) dnl
')
########################################
##
## Manage zoneminder spool dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_spool_dirs'($*)) dnl
gen_require(`
type zoneminder_spool_t;
')
files_search_spool($1)
manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_spool_dirs'($*)) dnl
')
########################################
##
## Connect to zoneminder over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_stream_connect'($*)) dnl
gen_require(`
type zoneminder_t, zoneminder_var_lib_t;
')
files_search_pids($1)
stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_stream_connect'($*)) dnl
')
######################################
##
## Read/write zonerimender tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_rw_tmpfs_files'($*)) dnl
gen_require(`
type zoneminder_tmpfs_t;
')
fs_search_tmpfs($1)
rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_rw_tmpfs_files'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## an zoneminder environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`zoneminder_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_admin'($*)) dnl
gen_require(`
type zoneminder_t;
type zoneminder_initrc_exec_t;
type zoneminder_log_t;
type zoneminder_var_lib_t;
type zoneminder_spool_t;
')
allow $1 zoneminder_t:process { ptrace signal_perms };
ps_process_pattern($1, zoneminder_t)
zoneminder_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 zoneminder_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, zoneminder_log_t)
files_search_var_lib($1)
admin_pattern($1, zoneminder_var_lib_t)
files_search_spool($1)
admin_pattern($1, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_admin'($*)) dnl
')
## z/OS Remote-services Audit dispatcher plugin.
########################################
##
## Execute a domain transition to run audispd-zos-remote.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zosremote_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zosremote_domtrans'($*)) dnl
gen_require(`
type zos_remote_t, zos_remote_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zosremote_domtrans'($*)) dnl
')
########################################
##
## Execute zos remote in the zos remote
## domain, and allow the specified role
## the zos remote domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`zosremote_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zosremote_run'($*)) dnl
gen_require(`
attribute_role zos_remote_roles;
')
zosremote_domtrans($1)
roleattribute $2 zos_remote_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zosremote_run'($*)) dnl
')
##
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
##
##
## Contains the base bin and sbin directory types
## which need to be searched for the kernel to
## run init.
##
#####################################
##
## corecmd stub bin_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`corecmd_stub_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_stub_bin'($*)) dnl
gen_require(`
type bin_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_stub_bin'($*)) dnl
')
########################################
##
## Make the specified type usable for files
## that are exectuables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`corecmd_executable_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_executable_file'($*)) dnl
gen_require(`
attribute exec_type;
')
typeattribute $1 exec_type;
files_type($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_executable_file'($*)) dnl
')
########################################
##
## Create a aliased type to generic bin files. (Deprecated)
##
##
##
## Create a aliased type to generic bin files. (Deprecated)
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## Alias type for bin_t.
##
##
#
define(`corecmd_bin_alias',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_alias'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_alias'($*)) dnl
')
########################################
##
## Make general progams in bin an entrypoint for
## the specified domain.
##
##
##
## The domain for which bin_t is an entrypoint.
##
##
#
define(`corecmd_bin_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_entry_type'($*)) dnl
gen_require(`
type bin_t;
type usr_t;
')
domain_entry_file($1, bin_t)
domain_entry_file($1, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_entry_type'($*)) dnl
')
########################################
##
## Make general progams in sbin an entrypoint for
## the specified domain. (Deprecated)
##
##
##
## The domain for which sbin programs are an entrypoint.
##
##
#
define(`corecmd_sbin_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_entry_type'($*)) dnl
corecmd_bin_entry_type($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_entry_type'($*)) dnl
')
########################################
##
## Make the shell an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.
##
##
#
define(`corecmd_shell_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_entry_type'($*)) dnl
gen_require(`
type shell_exec_t;
')
domain_entry_file($1, shell_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_entry_type'($*)) dnl
')
########################################
##
## Search the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_search_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_search_bin'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks($1)
search_dirs_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_search_bin'($*)) dnl
')
########################################
##
## Do not audit attempts to search the contents of bin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_search_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_search_bin'($*)) dnl
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_search_bin'($*)) dnl
')
########################################
##
## List the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_list_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_list_bin'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks($1)
list_dirs_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_list_bin'($*)) dnl
')
########################################
##
## Do not audit attempts to write bin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_write_bin_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_bin_dirs'($*)) dnl
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_bin_dirs'($*)) dnl
')
########################################
##
## Get the attributes of files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_getattr_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
getattr_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_bin_files'($*)) dnl
')
########################################
##
## Get the attributes of files in bin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_getattr_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_getattr_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:dir search_dir_perms;
dontaudit $1 bin_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_getattr_bin_files'($*)) dnl
')
########################################
##
## Read files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks($1)
read_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write bin files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_write_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_bin_files'($*)) dnl
')
########################################
##
## Do not audit attempts to access check bin files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_access_check_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_access_check_bin'($*)) dnl
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_access_check_bin'($*)) dnl
')
########################################
##
## Read symbolic links in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_symlinks'($*)) dnl
gen_require(`
type bin_t;
')
read_lnk_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_symlinks'($*)) dnl
')
########################################
##
## Read pipes in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_pipes'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks(bin_t)
read_fifo_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_pipes'($*)) dnl
')
########################################
##
## Read named sockets in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_sockets'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks($1)
read_sock_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_sockets'($*)) dnl
')
########################################
##
## Execute generic programs in bin directories,
## in the caller domain.
##
##
##
## Allow the specified domain to execute generic programs
## in system bin directories (/bin, /sbin, /usr/bin,
## /usr/sbin) a without domain transition.
##
##
## Typically, this interface should be used when the domain
## executes general system progams within the privileges
## of the source domain. Some examples of these programs
## are ls, cp, sed, python, and tar. This does not include
## shells, such as bash.
##
##
## Related interface:
##
##
## - corecmd_exec_shell()
##
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_bin'($*)) dnl
gen_require(`
type bin_t;
')
read_lnk_files_pattern($1, bin_t, bin_t)
list_dirs_pattern($1, bin_t, bin_t)
can_exec($1, bin_t)
ifdef(`enable_mls',`',`
files_exec_all_base_ro_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_bin'($*)) dnl
')
########################################
##
## Create, read, write, and delete bin files.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_manage_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks($1)
manage_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_bin_files'($*)) dnl
')
########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_relabel_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
relabel_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_bin_files'($*)) dnl
')
########################################
##
## Mmap a bin file as executable.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_mmap_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_bin_files'($*)) dnl
gen_require(`
type bin_t;
')
corecmd_read_bin_symlinks($1)
mmap_exec_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_bin_files'($*)) dnl
')
########################################
##
## Execute a file in a bin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Execute a file in a bin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the userhelper policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_bin_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_spec_domtrans'($*)) dnl
gen_require(`
type bin_t;
type usr_t;
')
read_lnk_files_pattern($1, bin_t, bin_t)
domain_transition_pattern($1, bin_t, $2)
read_lnk_files_pattern($1, usr_t, usr_t)
domain_transition_pattern($1, usr_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_spec_domtrans'($*)) dnl
')
########################################
##
## Execute a file in a bin directory
## in the specified domain.
##
##
##
## Execute a file in a bin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_bin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_domtrans'($*)) dnl
gen_require(`
type bin_t;
type usr_t;
')
corecmd_bin_spec_domtrans($1, $2)
type_transition $1 bin_t:process $2;
type_transition $1 usr_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_domtrans'($*)) dnl
')
########################################
##
## Search the contents of sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_search_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_search_sbin'($*)) dnl
corecmd_search_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_search_sbin'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## sbin directories. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_search_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_search_sbin'($*)) dnl
corecmd_dontaudit_search_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_search_sbin'($*)) dnl
')
########################################
##
## List the contents of sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_list_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_list_sbin'($*)) dnl
corecmd_list_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_list_sbin'($*)) dnl
')
########################################
##
## Do not audit attempts to write
## sbin directories. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_write_sbin_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_sbin_dirs'($*)) dnl
corecmd_dontaudit_write_bin_dirs($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_sbin_dirs'($*)) dnl
')
########################################
##
## Get the attributes of sbin files. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_getattr_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_sbin_files'($*)) dnl
corecmd_getattr_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_sbin_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attibutes
## of sbin files. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_getattr_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_getattr_sbin_files'($*)) dnl
corecmd_dontaudit_getattr_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_getattr_sbin_files'($*)) dnl
')
########################################
##
## Read files in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_files'($*)) dnl
corecmd_read_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_files'($*)) dnl
')
########################################
##
## Read symbolic links in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_symlinks'($*)) dnl
corecmd_read_bin_symlinks($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_symlinks'($*)) dnl
')
########################################
##
## Read named pipes in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_pipes'($*)) dnl
corecmd_read_bin_pipes($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_pipes'($*)) dnl
')
########################################
##
## Read named sockets in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_sockets'($*)) dnl
corecmd_read_bin_sockets($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_sockets'($*)) dnl
')
########################################
##
## Execute generic programs in sbin directories,
## in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_sbin'($*)) dnl
corecmd_exec_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_sbin'($*)) dnl
')
########################################
##
## Create, read, write, and delete sbin files. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_manage_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_sbin_files'($*)) dnl
corecmd_manage_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_sbin_files'($*)) dnl
')
########################################
##
## Relabel to and from the sbin type. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_relabel_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_sbin_files'($*)) dnl
corecmd_relabel_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_sbin_files'($*)) dnl
')
########################################
##
## Mmap a sbin file as executable. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_mmap_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_sbin_files'($*)) dnl
corecmd_mmap_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_sbin_files'($*)) dnl
')
########################################
##
## Execute a file in a sbin directory
## in the specified domain. (Deprecated)
##
##
##
## Execute a file in a sbin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested. (Deprecated)
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_sbin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_domtrans'($*)) dnl
corecmd_bin_domtrans($1, $2)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_domtrans'($*)) dnl
')
########################################
##
## Execute a file in a sbin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon(). (Deprecated)
##
##
##
## Execute a file in a sbin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested. (Deprecated)
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the userhelper policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_sbin_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_spec_domtrans'($*)) dnl
corecmd_bin_spec_domtrans($1, $2)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_spec_domtrans'($*)) dnl
')
########################################
##
## Check if a shell is executable (DAC-wise).
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_check_exec_shell',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_check_exec_shell'($*)) dnl
gen_require(`
type bin_t, shell_exec_t;
')
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, bin_t)
allow $1 shell_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_check_exec_shell'($*)) dnl
')
########################################
##
## Execute shells in the caller domain.
##
##
##
## Allow the specified domain to execute shells without
## a domain transition.
##
##
## Typically, this interface should be used when the domain
## executes shells within the privileges
## of the source domain. Some examples of these programs
## are bash, tcsh, and zsh.
##
##
## Related interface:
##
##
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_shell',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_shell'($*)) dnl
gen_require(`
type bin_t, shell_exec_t;
')
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, shell_exec_t)
allow $1 shell_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_shell'($*)) dnl
')
########################################
##
## Execute ls in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_ls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_ls'($*)) dnl
corecmd_exec_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_ls'($*)) dnl
')
########################################
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the shell process.
##
##
#
define(`corecmd_shell_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_spec_domtrans'($*)) dnl
gen_require(`
type bin_t, shell_exec_t;
')
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, bin_t)
domain_transition_pattern($1, shell_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_spec_domtrans'($*)) dnl
')
########################################
##
## Execute a shell in the specified domain.
##
##
##
## Execute a shell in the specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the shell process.
##
##
#
define(`corecmd_shell_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_domtrans'($*)) dnl
gen_require(`
type shell_exec_t;
')
corecmd_shell_spec_domtrans($1, $2)
type_transition $1 shell_exec_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_domtrans'($*)) dnl
')
########################################
##
## Execute chroot in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_chroot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_chroot'($*)) dnl
gen_require(`
type chroot_exec_t;
type bin_t;
')
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, chroot_exec_t)
allow $1 self:capability sys_chroot;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_chroot'($*)) dnl
')
########################################
##
## Do not audit attempts to access check executable files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_access_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_access_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
dontaudit $1 exec_type:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_access_all_executables'($*)) dnl
')
########################################
##
## Get the attributes of all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_getattr_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t;
')
allow $1 bin_t:dir list_dir_perms;
getattr_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_all_executables'($*)) dnl
')
########################################
##
## Execute all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_exec_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t;
')
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_all_executables'($*)) dnl
')
########################################
##
## Do not audit attempts to execute all executables.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_exec_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_exec_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
dontaudit $1 exec_type:file { execute execute_no_trans };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_exec_all_executables'($*)) dnl
')
########################################
##
## Create, read, write, and all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_manage_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t;
')
manage_dirs_pattern($1, bin_t, exec_type)
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_all_executables'($*)) dnl
')
########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_relabel_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t;
')
relabel_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_all_executables'($*)) dnl
')
########################################
##
## Mmap all executables as executable.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_mmap_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
type bin_t;
')
mmap_exec_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_all_executables'($*)) dnl
')
########################################
##
## Read all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_read_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
read_files_pattern($1, exec_type, exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_all_executables'($*)) dnl
')
########################################
##
## Read all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corecmd_entrypoint_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_entrypoint_all_executables'($*)) dnl
gen_require(`
attribute exec_type;
')
allow $1 exec_type:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_entrypoint_all_executables'($*)) dnl
')
########################################
##
## Create objects in the /bin directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`corecmd_bin_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_filetrans'($*)) dnl
gen_require(`
type bin_t;
')
filetrans_pattern($1, bin_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_filetrans'($*)) dnl
')
#
# This is a generated file! Instead of modifying this file, the
# corenetwork.if.in or corenetwork.if.m4 file should be modified.
#
## Policy controlling access to network objects
##
## Contains the initial SIDs for network objects.
##
########################################
##
## Define type to be a network port type
##
##
##
## Define type to be a network port type
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for network ports.
##
##
#
define(`corenet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_port'($*)) dnl
gen_require(`
attribute port_type;
')
typeattribute $1 port_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_port'($*)) dnl
')
########################################
##
## Define network type to be a reserved port (lt 1024)
##
##
##
## Define network type to be a reserved port (lt 1024)
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for network ports.
##
##
#
define(`corenet_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_reserved_port'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
typeattribute $1 reserved_port_type;
corenet_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_reserved_port'($*)) dnl
')
########################################
##
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
##
##
##
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for network ports.
##
##
#
define(`corenet_rpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rpc_port'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
typeattribute $1 rpc_port_type;
corenet_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rpc_port'($*)) dnl
')
########################################
##
## Define type to be a network node type
##
##
##
## Define type to be a network node type
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for network nodes.
##
##
#
define(`corenet_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_node'($*)) dnl
gen_require(`
attribute node_type;
')
typeattribute $1 node_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_node'($*)) dnl
')
########################################
##
## Define type to be a network packet type
##
##
##
## Define type to be a network packet type
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for a network packet.
##
##
#
define(`corenet_packet',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_packet'($*)) dnl
gen_require(`
attribute packet_type;
')
typeattribute $1 packet_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_packet'($*)) dnl
')
########################################
##
## Define type to be a network client packet type
##
##
##
## Define type to be a network client packet type
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for a network client packet.
##
##
#
define(`corenet_client_packet',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_client_packet'($*)) dnl
gen_require(`
attribute packet_type, client_packet_type;
')
typeattribute $1 client_packet_type, packet_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_client_packet'($*)) dnl
')
########################################
##
## Define type to be a network server packet type
##
##
##
## Define type to be a network server packet type
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for a network server packet.
##
##
#
define(`corenet_server_packet',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_server_packet'($*)) dnl
gen_require(`
attribute packet_type, server_packet_type;
')
typeattribute $1 server_packet_type, packet_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_server_packet'($*)) dnl
')
########################################
##
## Make the specified type usable
## for labeled ipsec.
##
##
##
## Type to be used for labeled ipsec.
##
##
#
define(`corenet_spd_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_spd_type'($*)) dnl
gen_require(`
attribute ipsec_spd_type;
')
typeattribute $1 ipsec_spd_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_spd_type'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic interfaces.
##
##
##
## Allow the specified domain to send and receive TCP network
## traffic on generic network interfaces.
##
##
## Related interface:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_tcp_sendrecv_generic_node()
## - corenet_tcp_sendrecv_all_ports()
## - corenet_tcp_connect_all_ports()
##
##
## Example client being able to connect to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:tcp_socket create_stream_socket_perms;
## corenet_tcp_sendrecv_generic_if(myclient_t)
## corenet_tcp_sendrecv_generic_node(myclient_t)
## corenet_tcp_sendrecv_all_ports(myclient_t)
## corenet_tcp_connect_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif { udp_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_if'($*)) dnl
')
########################################
##
## Dontaudit attempts to send UDP network traffic
## on generic interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_send_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
dontaudit $1 netif_t:netif { udp_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_generic_if'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif { udp_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_if'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP network
## traffic on generic interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_receive_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
dontaudit $1 netif_t:netif { udp_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_generic_if'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic interfaces.
##
##
##
## Allow the specified domain to send and receive UDP network
## traffic on generic network interfaces.
##
##
## Related interface:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_udp_sendrecv_generic_node()
## - corenet_udp_sendrecv_all_ports()
##
##
## Example client being able to send to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:udp_socket create_socket_perms;
## corenet_udp_sendrecv_generic_if(myclient_t)
## corenet_udp_sendrecv_generic_node(myclient_t)
## corenet_udp_sendrecv_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_if'($*)) dnl
corenet_udp_send_generic_if($1)
corenet_udp_receive_generic_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive UDP network
## traffic on generic interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_sendrecv_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_generic_if'($*)) dnl
corenet_dontaudit_udp_send_generic_if($1)
corenet_dontaudit_udp_receive_generic_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Send raw IP packets on generic interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_send_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif { rawip_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_if'($*)) dnl
')
########################################
##
## Receive raw IP packets on generic interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_receive_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif { rawip_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_if'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on generic interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_sendrecv_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_if'($*)) dnl
corenet_raw_send_generic_if($1)
corenet_raw_receive_generic_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_if'($*)) dnl
')
########################################
##
## Allow outgoing network traffic on the generic interfaces.
##
##
##
## The peer label of the outgoing network traffic.
##
##
##
#
define(`corenet_out_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_out_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif egress;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_out_generic_if'($*)) dnl
')
########################################
##
## Allow incoming traffic on the generic interfaces.
##
##
##
## The peer label of the incoming network traffic.
##
##
##
#
define(`corenet_in_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_in_generic_if'($*)) dnl
gen_require(`
type netif_t;
')
allow $1 netif_t:netif ingress;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_in_generic_if'($*)) dnl
')
########################################
##
## Allow incoming and outgoing network traffic on the generic interfaces.
##
##
##
## The peer label of the network traffic.
##
##
##
#
define(`corenet_inout_generic_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_inout_generic_if'($*)) dnl
corenet_in_generic_if($1)
corenet_out_generic_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_inout_generic_if'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_sendrecv_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_if'($*)) dnl
')
########################################
##
## Send UDP network traffic on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif { udp_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_if'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif { udp_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_if'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_sendrecv_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_if'($*)) dnl
corenet_udp_send_all_if($1)
corenet_udp_receive_all_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_if'($*)) dnl
')
########################################
##
## Send raw IP packets on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_send_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif { rawip_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_if'($*)) dnl
')
########################################
##
## Send and receive SCTP network traffic on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_sendrecv_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_sendrecv_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_receive_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_if'($*)) dnl
gen_require(`
attribute netif_type;
')
allow $1 netif_type:netif { rawip_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_if'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on all interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_sendrecv_all_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_if'($*)) dnl
corenet_raw_send_all_if($1)
corenet_raw_receive_all_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_if'($*)) dnl
')
########################################
##
## Send and receive DCCP network traffic on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_sendrecv_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic nodes.
##
##
##
## Allow the specified domain to send and receive TCP network
## traffic to/from generic network nodes (hostnames/networks).
##
##
## Related interface:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_tcp_sendrecv_generic_if()
## - corenet_tcp_sendrecv_all_ports()
## - corenet_tcp_connect_all_ports()
##
##
## Example client being able to connect to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:tcp_socket create_stream_socket_perms;
## corenet_tcp_sendrecv_generic_if(myclient_t)
## corenet_tcp_sendrecv_generic_node(myclient_t)
## corenet_tcp_sendrecv_all_ports(myclient_t)
## corenet_tcp_connect_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { udp_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_node'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { udp_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_node'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic nodes.
##
##
##
## Allow the specified domain to send and receive UDP network
## traffic to/from generic network nodes (hostnames/networks).
##
##
## Related interface:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_udp_sendrecv_generic_if()
## - corenet_udp_sendrecv_all_ports()
##
##
## Example client being able to send to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:udp_socket create_socket_perms;
## corenet_udp_sendrecv_generic_if(myclient_t)
## corenet_udp_sendrecv_generic_node(myclient_t)
## corenet_udp_sendrecv_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_node'($*)) dnl
corenet_udp_send_generic_node($1)
corenet_udp_receive_generic_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Send raw IP packets on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_send_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { rawip_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_node'($*)) dnl
')
########################################
##
## Receive raw IP packets on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_receive_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node { rawip_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_node'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_sendrecv_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_node'($*)) dnl
corenet_raw_send_generic_node($1)
corenet_raw_receive_generic_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_node'($*)) dnl
')
########################################
##
## Bind DCCP sockets to generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:dccp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_generic_node'($*)) dnl
')
########################################
##
## Bind SCTP sockets to generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:sctp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_generic_node'($*)) dnl
')
########################################
##
## Bind ICMP sockets to generic nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_icmp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_icmp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:icmp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_icmp_bind_generic_node'($*)) dnl
')
########################################
##
## Bind TCP sockets to generic nodes.
##
##
##
## Bind TCP sockets to generic nodes. This is
## necessary for binding a socket so it
## can be used for servers to listen
## for incoming connections.
##
##
## Related interface:
##
##
## - corenet_udp_bind_generic_node()
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:tcp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_node'($*)) dnl
')
########################################
##
## Bind UDP sockets to generic nodes.
##
##
##
## Bind UDP sockets to generic nodes. This is
## necessary for binding a socket so it
## can be used for servers to listen
## for incoming connections.
##
##
## Related interface:
##
##
## - corenet_tcp_bind_generic_node()
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:udp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_node'($*)) dnl
')
########################################
##
## Dontaudit attempts to bind TCP sockets to generic nodes.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_tcp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
dontaudit $1 node_t:tcp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_generic_node'($*)) dnl
')
########################################
##
## Dontaudit attempts to bind UDP sockets to generic nodes.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
dontaudit $1 node_t:udp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_generic_node'($*)) dnl
')
########################################
##
## Bind raw sockets to genric nodes.
##
##
##
## Domain allowed access.
##
##
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
define(`corenet_raw_bind_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:rawip_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_bind_generic_node'($*)) dnl
')
########################################
##
## Allow outgoing network traffic to generic nodes.
##
##
##
## The peer label of the outgoing network traffic.
##
##
##
#
define(`corenet_out_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_out_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_out_generic_node'($*)) dnl
')
########################################
##
## Allow incoming network traffic from generic nodes.
##
##
##
## The peer label of the incoming network traffic.
##
##
##
#
define(`corenet_in_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_in_generic_node'($*)) dnl
gen_require(`
type node_t;
')
allow $1 node_t:node recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_in_generic_node'($*)) dnl
')
########################################
##
## Allow incoming and outgoing network traffic with generic nodes.
##
##
##
## The peer label of the network traffic.
##
##
##
#
define(`corenet_inout_generic_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_inout_generic_node'($*)) dnl
corenet_in_generic_node($1)
corenet_out_generic_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_inout_generic_node'($*)) dnl
')
########################################
##
## Send and receive DCCP network traffic on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Send UDP network traffic on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { udp_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP network
## traffic on any nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_send_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
dontaudit $1 node_type:node { udp_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_all_nodes'($*)) dnl
')
########################################
##
## Send and receive SCTP network traffic on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_sendrecv_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { udp_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP
## network traffic on all nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_receive_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
dontaudit $1 node_type:node { udp_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_nodes'($*)) dnl
corenet_udp_send_all_nodes($1)
corenet_udp_receive_all_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive UDP
## network traffic on any nodes nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl
corenet_dontaudit_udp_send_all_nodes($1)
corenet_dontaudit_udp_receive_all_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Send raw IP packets on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_send_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { rawip_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_nodes'($*)) dnl
')
########################################
##
## Receive raw IP packets on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_receive_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:node { rawip_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_nodes'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_nodes'($*)) dnl
corenet_raw_send_all_nodes($1)
corenet_raw_receive_all_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_nodes'($*)) dnl
')
########################################
##
## Bind DCCP sockets to all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:dccp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_nodes'($*)) dnl
')
########################################
##
## Bind TCP sockets to all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:tcp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_nodes'($*)) dnl
')
########################################
##
## Bind UDP sockets to all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:udp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_nodes'($*)) dnl
')
########################################
##
## Bind raw sockets to all nodes.
##
##
##
## Domain allowed access.
##
##
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
define(`corenet_raw_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:rawip_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_bind_all_nodes'($*)) dnl
')
########################################
##
## Send and receive DCCP network traffic on generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and
## receive DCCP network traffic on
## generic ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_sendrecv_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Bind SCTP sockets to all nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_nodes'($*)) dnl
gen_require(`
attribute node_type;
')
allow $1 node_type:sctp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_nodes'($*)) dnl
')
########################################
##
## Do not audit send and receive TCP network traffic on generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_port'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_port'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_port'($*)) dnl
corenet_udp_send_generic_port($1)
corenet_udp_receive_generic_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_port'($*)) dnl
')
########################################
##
## Bind DCCP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
attribute defined_port_type;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
dontaudit $1 defined_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_generic_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
attribute defined_port_type;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
dontaudit $1 defined_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_port'($*)) dnl
')
########################################
##
## Do not audit attempts to bind DCCP
## sockets to generic ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_generic_port'($*)) dnl
')
########################################
##
## Do not audit bind TCP sockets to generic ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
attribute defined_port_type;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
dontaudit $1 defined_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_port'($*)) dnl
')
########################################
##
## Connect DCCP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_connect_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t,ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_generic_port'($*)) dnl
')
########################################
##
## Connect TCP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_generic_port'($*)) dnl
')
########################################
##
## Send and receive DCCP network traffic on all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_sendrecv_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_all_ports'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all ports.
##
##
##
## Send and receive TCP network traffic on all ports.
## Related interfaces:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_tcp_sendrecv_generic_if()
## - corenet_tcp_sendrecv_generic_node()
## - corenet_tcp_connect_all_ports()
## - corenet_tcp_bind_all_ports()
##
##
## Example client being able to connect to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:tcp_socket create_stream_socket_perms;
## corenet_tcp_sendrecv_generic_if(myclient_t)
## corenet_tcp_sendrecv_generic_node(myclient_t)
## corenet_tcp_sendrecv_all_ports(myclient_t)
## corenet_tcp_connect_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_ports'($*)) dnl
')
########################################
##
## Send UDP network traffic on all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_ports'($*)) dnl
')
########################################
##
## Bind SCTP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
attribute defined_port_type;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
dontaudit $1 defined_port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_generic_port'($*)) dnl
')
########################################
##
## Do not audit attempts to bind SCTP
## sockets to generic ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t, ephemeral_port_t;
')
dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_generic_port'($*)) dnl
')
########################################
##
## Do not audit attepts to bind SCTP sockets to any ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_all_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect SCTP sockets
## to all ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_connect_all_ports'($*)) dnl
')
########################################
##
## Connect SCTP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_connect_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_unreserved_ports'($*)) dnl
')
########################################
##
## Connect SCTP sockets to all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_ports'($*)) dnl
')
########################################
##
## Bind SCTP sockets to all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:sctp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_ports'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all ports.
##
##
##
## Send and receive UDP network traffic on all ports.
## Related interfaces:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_udp_sendrecv_generic_if()
## - corenet_udp_sendrecv_generic_node()
## - corenet_udp_bind_all_ports()
##
##
## Example client being able to send to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:udp_socket create_socket_perms;
## corenet_udp_sendrecv_generic_if(myclient_t)
## corenet_udp_sendrecv_generic_node(myclient_t)
## corenet_udp_sendrecv_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_ports'($*)) dnl
corenet_udp_send_all_ports($1)
corenet_udp_receive_all_ports($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_ports'($*)) dnl
')
########################################
##
## Bind DCCP sockets to all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:dccp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_ports'($*)) dnl
')
########################################
##
## Do not audit attepts to bind DCCP sockets to any ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_all_ports'($*)) dnl
')
########################################
##
## Do not audit attepts to bind TCP sockets to any ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_ports'($*)) dnl
')
########################################
##
## Connect SCTP sockets to generic ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_connect_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_generic_port'($*)) dnl
gen_require(`
type port_t, unreserved_port_t,ephemeral_port_t;
')
allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_generic_port'($*)) dnl
')
########################################
##
## Do not audit attepts to bind UDP sockets to any ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_ports'($*)) dnl
')
########################################
##
## Connect DCCP sockets to all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to all ports.
##
##
##
## Connect TCP sockets to all ports
##
##
## Related interfaces:
##
##
## - corenet_all_recvfrom_unlabeled()
## - corenet_tcp_sendrecv_generic_if()
## - corenet_tcp_sendrecv_generic_node()
## - corenet_tcp_sendrecv_all_ports()
## - corenet_tcp_bind_all_ports()
##
##
## Example client being able to connect to all ports over
## generic nodes, without labeled networking:
##
##
## allow myclient_t self:tcp_socket create_stream_socket_perms;
## corenet_tcp_sendrecv_generic_if(myclient_t)
## corenet_tcp_sendrecv_generic_node(myclient_t)
## corenet_tcp_sendrecv_all_ports(myclient_t)
## corenet_tcp_connect_all_ports(myclient_t)
## corenet_all_recvfrom_unlabeled(myclient_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect DCCP sockets
## to all ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_connect_all_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect TCP sockets
## to all ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
dontaudit $1 port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl
')
########################################
##
## Send and receive DCCP network traffic on generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_sendrecv_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_reserved_port'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_sendrecv_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_reserved_port'($*)) dnl
')
########################################
##
## Send UDP network traffic on generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_reserved_port'($*)) dnl
')
########################################
##
## Receive UDP network traffic on generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_reserved_port'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_sendrecv_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_reserved_port'($*)) dnl
corenet_udp_send_reserved_port($1)
corenet_udp_receive_reserved_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_reserved_port'($*)) dnl
')
########################################
##
## Bind DCCP sockets to generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:dccp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_reserved_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_reserved_port'($*)) dnl
')
########################################
##
## Bind SCTP sockets to all ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_ports'($*)) dnl
gen_require(`
attribute port_type;
')
allow $1 port_type:sctp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_reserved_port'($*)) dnl
')
########################################
##
## Connect DCCP sockets to generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_connect_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_reserved_port'($*)) dnl
')
########################################
##
## Connect TCP sockets to generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_reserved_port'($*)) dnl
')
########################################
##
## Send and receive DCCP network traffic on all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_sendrecv_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_all_reserved_ports'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_sendrecv_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl
')
########################################
##
## Send UDP network traffic on all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_send_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_reserved_ports'($*)) dnl
')
########################################
##
## Receive UDP network traffic on all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_receive_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_reserved_ports'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_sendrecv_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl
corenet_udp_send_all_reserved_ports($1)
corenet_udp_receive_all_reserved_ports($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl
')
########################################
##
## Bind DCCP sockets to all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:dccp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind DCCP sockets to all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind TCP sockets to all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Bind DCCP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_unreserved_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_unreserved_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_unreserved_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_unreserved_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all ports > 32768.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_all_ephemeral_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_ephemeral_ports'($*)) dnl
gen_require(`
attribute ephemeral_port_type;
')
allow $1 ephemeral_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_ephemeral_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all ports > 32768.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_all_ephemeral_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_ephemeral_ports'($*)) dnl
gen_require(`
attribute ephemeral_port_type;
')
allow $1 ephemeral_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_ephemeral_ports'($*)) dnl
')
########################################
##
## Connect DCCP sockets to reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Connect DCCP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_connect_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_unreserved_ports'($*)) dnl
')
#######################################
##
## Connect TCP sockets to ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_unreserved_ports'($*)) dnl
gen_require(`
type unreserved_port_t;
')
allow $1 unreserved_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_unreserved_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_unreserved_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to all ports > 32768.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_all_ephemeral_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_ephemeral_ports'($*)) dnl
gen_require(`
attribute ephemeral_port_type;
')
allow $1 ephemeral_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_ephemeral_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect DCCP sockets
## all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect TCP sockets
## all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Connect DCCP sockets to rpc ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
allow $1 rpc_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_rpc_ports'($*)) dnl
')
########################################
##
## Connect TCP sockets to rpc ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
allow $1 rpc_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect DCCP sockets
## all rpc ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_connect_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
dontaudit $1 rpc_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_connect_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to connect TCP sockets
## all rpc ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
dontaudit $1 rpc_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl
')
########################################
##
## Read and write the TUN/TAP virtual network device.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:sctp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_reserved_port'($*)) dnl
')
########################################
##
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_rw_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_tun_tap_dev'($*)) dnl
gen_require(`
type tun_tap_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_tun_tap_dev'($*)) dnl
')
########################################
##
## Relabel to and from the TUN/TAP virtual network device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_relabel_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabel_tun_tap_dev'($*)) dnl
gen_require(`
type tun_tap_device_t;
')
relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabel_tun_tap_dev'($*)) dnl
')
########################################
##
## Read and write inherited TUN/TAP virtual network device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_rw_inherited_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_inherited_tun_tap_dev'($*)) dnl
gen_require(`
type tun_tap_device_t;
')
allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_inherited_tun_tap_dev'($*)) dnl
')
########################################
##
## Connect SCTP sockets to generic reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_connect_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_reserved_port'($*)) dnl
gen_require(`
type reserved_port_t;
')
allow $1 reserved_port_t:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_reserved_port'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_rw_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_rw_tun_tap_dev'($*)) dnl
gen_require(`
type tun_tap_device_t;
')
dontaudit $1 tun_tap_device_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_rw_tun_tap_dev'($*)) dnl
')
########################################
##
## Getattr the point-to-point device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_getattr_ppp_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_getattr_ppp_dev'($*)) dnl
gen_require(`
type ppp_device_t;
')
allow $1 ppp_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_getattr_ppp_dev'($*)) dnl
')
########################################
##
## Read and write the point-to-point device.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_rw_ppp_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_ppp_dev'($*)) dnl
gen_require(`
type ppp_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 ppp_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_ppp_dev'($*)) dnl
')
########################################
##
## Bind DCCP sockets to all RPC ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
allow $1 rpc_port_type:dccp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Bind TCP sockets to all RPC ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
allow $1 rpc_port_type:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind DCCP sockets to all RPC ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
dontaudit $1 rpc_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind TCP sockets to all RPC ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
dontaudit $1 rpc_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Bind UDP sockets to all RPC ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
allow $1 rpc_port_type:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to all RPC ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl
gen_require(`
attribute rpc_port_type;
')
dontaudit $1 rpc_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl
')
########################################
##
## Send and receive messages on a
## non-encrypted (no IPSEC) network
## session.
##
##
##
## Send and receive messages on a
## non-encrypted (no IPSEC) network
## session. (Deprecated)
##
##
## The corenet_all_recvfrom_unlabeled() interface should be used instead
## of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_non_ipsec_sendrecv',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_non_ipsec_sendrecv'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
corenet_all_recvfrom_unlabeled($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_non_ipsec_sendrecv'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## messages on a non-encrypted (no IPSEC) network
## session.
##
##
##
## Do not audit attempts to send and receive
## messages on a non-encrypted (no IPSEC) network
## session.
##
##
## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
## used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_non_ipsec_sendrecv',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_non_ipsec_sendrecv'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
corenet_dontaudit_all_recvfrom_unlabeled($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_non_ipsec_sendrecv'($*)) dnl
')
########################################
##
## Receive TCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recv_netlabel'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
corenet_tcp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recv_netlabel'($*)) dnl
')
########################################
##
## Receive DCCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Receive TCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Receive DCCP packets from an unlabled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_recvfrom_unlabeled'($*)) dnl
gen_require(`
attribute corenet_unlabeled_type;
')
kernel_dccp_recvfrom_unlabeled($1)
kernel_recvfrom_unlabeled_peer($1)
typeattribute $1 corenet_unlabeled_type;
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to bind SCTP sockets to all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recv_netlabel'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
corenet_dontaudit_tcp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recv_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive DCCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive DCCP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
kernel_dontaudit_dccp_recvfrom_unlabeled($1)
kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive UDP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recv_netlabel'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
corenet_udp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recv_netlabel'($*)) dnl
')
########################################
##
## Receive UDP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Receive UDP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_unlabeled'($*)) dnl
kernel_udp_recvfrom_unlabeled($1)
kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Bind SCTP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_unreserved_ports'($*)) dnl
gen_require(`
attribute unreserved_port_type;
')
allow $1 unreserved_port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_unreserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recv_netlabel'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
corenet_dontaudit_udp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recv_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive Raw IP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recv_netlabel'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
corenet_raw_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recv_netlabel'($*)) dnl
')
########################################
##
## Receive Raw IP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Receive Raw IP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_unlabeled'($*)) dnl
kernel_raw_recvfrom_unlabeled($1)
kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recv_netlabel'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
corenet_dontaudit_raw_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recv_netlabel'($*)) dnl
')
########################################
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Connect SCTP sockets to reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
allow $1 reserved_port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
kernel_dontaudit_raw_recvfrom_unlabeled($1)
kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive packets from an unlabeled connection.
##
##
##
## Allow the specified domain to receive packets from an
## unlabeled connection. On machines that do not utilize
## labeled networking, this will be required on all
## networking domains. On machines tha do utilize
## labeled networking, this will be required for any
## networking domain that is allowed to receive
## network traffic that does not have a label.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_all_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_unlabeled'($*)) dnl
gen_require(`
attribute corenet_unlabeled_type;
')
typeattribute $1 corenet_unlabeled_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive packets from a NetLabel connection.
##
##
##
## Allow the specified domain to receive NetLabel
## network traffic, which utilizes the Commercial IP
## Security Option (CIPSO) to set the MLS level
## of the network packets. This is required for
## all networking domains that receive NetLabel
## network traffic.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_all_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_netlabel'($*)) dnl
gen_require(`
attribute netlabel_peer_type;
')
typeattribute $1 netlabel_peer_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Enable unlabeled net packets
##
##
##
## Allow unlabeled_packet_t to be used by all domains that use the network
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_enable_unlabeled_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_enable_unlabeled_packets'($*)) dnl
gen_require(`
attribute corenet_unlabeled_type;
')
kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_enable_unlabeled_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_all_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl
kernel_dontaudit_dccp_recvfrom_unlabeled($1)
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to connect SCTP sockets
## all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_connect_all_reserved_ports'($*)) dnl
gen_require(`
attribute reserved_port_type;
')
dontaudit $1 reserved_port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_connect_all_reserved_ports'($*)) dnl
')
########################################
##
## Do not audit attempts to receive packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_all_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Rules for receiving labeled DCCP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_dccp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_recvfrom_labeled'($*)) dnl
allow { $1 $2 } self:association sendto;
allow $1 $2:{ association dccp_socket } recvfrom;
allow $2 $1:{ association dccp_socket } recvfrom;
allow $1 $2:peer recv;
allow $2 $1:peer recv;
# allow receiving packets from MLS-only peers using NetLabel
corenet_dccp_recvfrom_netlabel($1)
corenet_dccp_recvfrom_netlabel($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_recvfrom_labeled'($*)) dnl
')
########################################
##
## Rules for receiving labeled TCP packets.
##
##
##
## Rules for receiving labeled TCP packets.
##
##
## Due to the nature of TCP, this is bidirectional.
##
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_tcp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_labeled'($*)) dnl
allow { $1 $2 } self:association sendto;
allow $1 $2:{ association tcp_socket } recvfrom;
allow $2 $1:{ association tcp_socket } recvfrom;
allow $1 $2:peer recv;
allow $2 $1:peer recv;
# allow receiving packets from MLS-only peers using NetLabel
corenet_tcp_recvfrom_netlabel($1)
corenet_tcp_recvfrom_netlabel($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_labeled'($*)) dnl
')
########################################
##
## Rules for receiving labeled UDP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_udp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_labeled'($*)) dnl
allow $2 self:association sendto;
allow $1 $2:{ association udp_socket } recvfrom;
allow $1 $2:peer recv;
# allow receiving packets from MLS-only peers using NetLabel
corenet_udp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_labeled'($*)) dnl
')
########################################
##
## Rules for receiving labeled raw IP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_raw_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_labeled'($*)) dnl
allow $2 self:association sendto;
allow $1 $2:{ association rawip_socket } recvfrom;
allow $1 $2:peer recv;
# allow receiving packets from MLS-only peers using NetLabel
corenet_raw_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_labeled'($*)) dnl
')
########################################
##
## Rules for receiving labeled packets via TCP, UDP and raw IP.
##
##
##
## Rules for receiving labeled packets via TCP, UDP and raw IP.
##
##
## Due to the nature of TCP, the rules (for TCP
## networking only) are bidirectional.
##
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_all_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_labeled'($*)) dnl
corenet_sctp_recvfrom_labeled($1, $2)
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_labeled'($*)) dnl
')
########################################
##
## Make the specified type usable
## for labeled ipsec.
##
##
##
## Type to be used for labeled ipsec.
##
##
#
define(`corenet_setcontext_all_spds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_setcontext_all_spds'($*)) dnl
gen_require(`
attribute ipsec_spd_type;
')
allow $1 ipsec_spd_type:association setcontext;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_setcontext_all_spds'($*)) dnl
')
########################################
##
## Send generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_generic_client_packets'($*)) dnl
gen_require(`
type client_packet_t;
')
allow $1 client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_generic_client_packets'($*)) dnl
')
########################################
##
## Receive generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_client_packets'($*)) dnl
gen_require(`
type client_packet_t;
')
allow $1 client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_generic_client_packets'($*)) dnl
')
########################################
##
## Send and receive generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_client_packets'($*)) dnl
corenet_send_generic_client_packets($1)
corenet_receive_generic_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the generic client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_client_packets'($*)) dnl
gen_require(`
type client_packet_t;
')
allow $1 client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_client_packets'($*)) dnl
')
########################################
##
## Send generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_generic_server_packets'($*)) dnl
gen_require(`
type server_packet_t;
')
allow $1 server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_generic_server_packets'($*)) dnl
')
########################################
##
## Receive generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_server_packets'($*)) dnl
gen_require(`
type server_packet_t;
')
allow $1 server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_generic_server_packets'($*)) dnl
')
########################################
##
## Send and receive generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_server_packets'($*)) dnl
corenet_send_generic_server_packets($1)
corenet_receive_generic_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the generic server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_server_packets'($*)) dnl
gen_require(`
type server_packet_t;
')
allow $1 server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_server_packets'($*)) dnl
')
########################################
##
## Send and receive unlabeled packets.
##
##
##
## Send and receive unlabeled packets.
## These packets do not match any netfilter
## SECMARK rules.
##
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_unlabeled_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_unlabeled_packets'($*)) dnl
kernel_sendrecv_unlabeled_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_unlabeled_packets'($*)) dnl
')
########################################
##
## Send all client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_all_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_all_client_packets'($*)) dnl
gen_require(`
attribute client_packet_type;
')
allow $1 client_packet_type:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_all_client_packets'($*)) dnl
')
########################################
##
## Receive all client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_all_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_all_client_packets'($*)) dnl
gen_require(`
attribute client_packet_type;
')
allow $1 client_packet_type:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_all_client_packets'($*)) dnl
')
########################################
##
## Send and receive all client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_all_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_client_packets'($*)) dnl
corenet_send_all_client_packets($1)
corenet_receive_all_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to any client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_all_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_client_packets'($*)) dnl
gen_require(`
attribute client_packet_type;
')
allow $1 client_packet_type:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_client_packets'($*)) dnl
')
########################################
##
## Send all server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_all_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_all_server_packets'($*)) dnl
gen_require(`
attribute server_packet_type;
')
allow $1 server_packet_type:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_all_server_packets'($*)) dnl
')
########################################
##
## Receive SCTP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_netlabel'($*)) dnl
gen_require(`
type netlabel_peer_t;
')
allow $1 netlabel_peer_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_netlabel'($*)) dnl
')
########################################
##
## Receive all server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_all_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_all_server_packets'($*)) dnl
gen_require(`
attribute server_packet_type;
')
allow $1 server_packet_type:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_all_server_packets'($*)) dnl
')
########################################
##
## Send and receive all server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_all_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_server_packets'($*)) dnl
corenet_send_all_server_packets($1)
corenet_receive_all_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to any server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_all_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_server_packets'($*)) dnl
gen_require(`
attribute server_packet_type;
')
allow $1 server_packet_type:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_server_packets'($*)) dnl
')
########################################
##
## Receive SCTP packets from an unlabled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_unlabeled'($*)) dnl
gen_require(`
attribute corenet_unlabeled_type;
')
kernel_recvfrom_unlabeled_peer($1)
typeattribute $1 corenet_unlabeled_type;
kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Send all packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_all_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_all_packets'($*)) dnl
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_all_packets'($*)) dnl
')
########################################
##
## Receive all packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_all_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_all_packets'($*)) dnl
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_all_packets'($*)) dnl
')
########################################
##
## Send and receive all packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_all_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_packets'($*)) dnl
corenet_send_all_packets($1)
corenet_receive_all_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_packets'($*)) dnl
')
########################################
##
## Relabel packets to any packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_all_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_packets'($*)) dnl
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_packets'($*)) dnl
')
########################################
##
## Unconfined access to network objects.
##
##
##
## The domain allowed access.
##
##
#
define(`corenet_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_unconfined'($*)) dnl
gen_require(`
attribute corenet_unconfined_type;
')
typeattribute $1 corenet_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_unconfined'($*)) dnl
')
########################################
##
## Dontaudit bind tcp sockets to defined ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_bind_all_defined_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_defined_ports'($*)) dnl
gen_require(`
attribute defined_port_type;
')
dontaudit $1 defined_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_defined_ports'($*)) dnl
')
########################################
##
## Create all network named devices with the correct label
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_filetrans_all_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_filetrans_all_named_dev'($*)) dnl
gen_require(`
type tun_tap_device_t;
type ppp_device_t;
')
dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
dev_filetrans($1, ppp_device_t, chr_file, "ppp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_filetrans_all_named_dev'($*)) dnl
')
########################################
##
## Define type to be an infiniband pkey type
##
##
##
## Define type to be an infiniband pkey type
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for infiniband pkeys.
##
##
#
define(`corenet_ib_pkey',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_ib_pkey'($*)) dnl
gen_require(`
attribute ibpkey_type;
')
typeattribute $1 ibpkey_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_ib_pkey'($*)) dnl
')
########################################
##
## Access unlabeled infiniband pkeys.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_ib_access_unlabeled_pkeys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_ib_access_unlabeled_pkeys'($*)) dnl
kernel_ib_access_unlabeled_pkeys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_ib_access_unlabeled_pkeys'($*)) dnl
')
########################################
##
## Access all labeled infiniband pkeys.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_ib_access_all_pkeys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_ib_access_all_pkeys'($*)) dnl
gen_require(`
attribute ibpkey_type;
')
allow $1 ibpkey_type:infiniband_pkey access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_ib_access_all_pkeys'($*)) dnl
')
########################################
##
## Define type to be an infiniband endport
##
##
##
## Define type to be an infiniband endport
##
##
## This is for supporting third party modules and its
## use is not allowed in upstream reference policy.
##
##
##
##
## Type to be used for infiniband endports.
##
##
#
define(`corenet_ib_endport',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_ib_endport'($*)) dnl
gen_require(`
attribute ibendport_type;
')
typeattribute $1 ibendport_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_ib_endport'($*)) dnl
')
########################################
##
## Manage subnets on all labeled Infiniband endports
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_ib_manage_subnet_all_endports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_ib_manage_subnet_all_endports'($*)) dnl
gen_require(`
attribute ibendport_type;
')
allow $1 ibendport_type:infiniband_endport manage_subnet;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_ib_manage_subnet_all_endports'($*)) dnl
')
########################################
##
## Rules for receiving labeled SCTP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_sctp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_labeled'($*)) dnl
allow { $1 $2 } self:association sendto;
allow $1 $2:association recvfrom;
allow $2 $1:association recvfrom;
allow $1 $2:peer recv;
allow $2 $1:peer recv;
# allow receiving packets from MLS-only peers using NetLabel
corenet_sctp_recvfrom_netlabel($1)
corenet_sctp_recvfrom_netlabel($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_labeled'($*)) dnl
')
########################################
##
## Manage subnet on all unlabeled Infiniband endports
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_ib_manage_subnet_unlabeled_endports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_ib_manage_subnet_unlabeled_endports'($*)) dnl
kernel_ib_manage_subnet_unlabeled_endports($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_ib_manage_subnet_unlabeled_endports'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
dontaudit $1 afs_bos_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
dontaudit $1 afs_bos_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_bos_port'($*)) dnl
corenet_udp_send_afs_bos_port($1)
corenet_udp_receive_afs_bos_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl
corenet_dontaudit_udp_send_afs_bos_port($1)
corenet_dontaudit_udp_receive_afs_bos_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_bos_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_bos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to afs_bos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
dontaudit $1 afs_bos_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_bos_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_bos port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
allow $1 afs_bos_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_bos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to afs_bos port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_afs_bos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_bos_port'($*)) dnl
gen_require(`
type afs_bos_port_t;
')
dontaudit $1 afs_bos_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_bos_port'($*)) dnl
')
########################################
##
## Send afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
allow $1 afs_bos_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_bos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
dontaudit $1 afs_bos_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Receive afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
allow $1 afs_bos_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
dontaudit $1 afs_bos_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_bos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_client_packets'($*)) dnl
corenet_send_afs_bos_client_packets($1)
corenet_receive_afs_bos_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_bos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl
corenet_dontaudit_send_afs_bos_client_packets($1)
corenet_dontaudit_receive_afs_bos_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_bos_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_bos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_client_packets'($*)) dnl
gen_require(`
type afs_bos_client_packet_t;
')
allow $1 afs_bos_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_client_packets'($*)) dnl
')
########################################
##
## Send afs_bos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
allow $1 afs_bos_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_bos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
dontaudit $1 afs_bos_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Receive afs_bos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
allow $1 afs_bos_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_bos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
dontaudit $1 afs_bos_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_bos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_server_packets'($*)) dnl
corenet_send_afs_bos_server_packets($1)
corenet_receive_afs_bos_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_bos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl
corenet_dontaudit_send_afs_bos_server_packets($1)
corenet_dontaudit_receive_afs_bos_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_bos_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_bos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_server_packets'($*)) dnl
gen_require(`
type afs_bos_server_packet_t;
')
allow $1 afs_bos_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_fs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_fs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_fs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
dontaudit $1 afs_fs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_fs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_fs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
dontaudit $1 afs_fs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_fs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_fs_port'($*)) dnl
corenet_udp_send_afs_fs_port($1)
corenet_udp_receive_afs_fs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_fs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl
corenet_dontaudit_udp_send_afs_fs_port($1)
corenet_dontaudit_udp_receive_afs_fs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_fs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_fs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_fs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to afs_fs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
dontaudit $1 afs_fs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_fs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_fs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
allow $1 afs_fs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_fs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to afs_fs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_afs_fs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_fs_port'($*)) dnl
gen_require(`
type afs_fs_port_t;
')
dontaudit $1 afs_fs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_fs_port'($*)) dnl
')
########################################
##
## Send afs_fs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
allow $1 afs_fs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_fs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
dontaudit $1 afs_fs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Receive afs_fs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
allow $1 afs_fs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_fs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
dontaudit $1 afs_fs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_fs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_client_packets'($*)) dnl
corenet_send_afs_fs_client_packets($1)
corenet_receive_afs_fs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_fs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl
corenet_dontaudit_send_afs_fs_client_packets($1)
corenet_dontaudit_receive_afs_fs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_fs_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_fs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_client_packets'($*)) dnl
gen_require(`
type afs_fs_client_packet_t;
')
allow $1 afs_fs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_client_packets'($*)) dnl
')
########################################
##
## Send afs_fs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
allow $1 afs_fs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_fs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
dontaudit $1 afs_fs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Receive afs_fs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
allow $1 afs_fs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_fs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
dontaudit $1 afs_fs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_fs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_server_packets'($*)) dnl
corenet_send_afs_fs_server_packets($1)
corenet_receive_afs_fs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_fs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl
corenet_dontaudit_send_afs_fs_server_packets($1)
corenet_dontaudit_receive_afs_fs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_fs_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_fs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_server_packets'($*)) dnl
gen_require(`
type afs_fs_server_packet_t;
')
allow $1 afs_fs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_ka port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_ka port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_ka port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
dontaudit $1 afs_ka_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_ka port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_ka port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
dontaudit $1 afs_ka_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_ka port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_ka_port'($*)) dnl
corenet_udp_send_afs_ka_port($1)
corenet_udp_receive_afs_ka_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_ka port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl
corenet_dontaudit_udp_send_afs_ka_port($1)
corenet_dontaudit_udp_receive_afs_ka_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_ka port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_ka_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_ka port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to afs_ka port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
dontaudit $1 afs_ka_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_ka_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_ka port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
allow $1 afs_ka_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_ka_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to afs_ka port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_afs_ka_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_ka_port'($*)) dnl
gen_require(`
type afs_ka_port_t;
')
dontaudit $1 afs_ka_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_ka_port'($*)) dnl
')
########################################
##
## Send afs_ka_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
allow $1 afs_ka_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_ka_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
dontaudit $1 afs_ka_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Receive afs_ka_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
allow $1 afs_ka_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_ka_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
dontaudit $1 afs_ka_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_ka_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_client_packets'($*)) dnl
corenet_send_afs_ka_client_packets($1)
corenet_receive_afs_ka_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_ka_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl
corenet_dontaudit_send_afs_ka_client_packets($1)
corenet_dontaudit_receive_afs_ka_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_ka_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_ka_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_client_packets'($*)) dnl
gen_require(`
type afs_ka_client_packet_t;
')
allow $1 afs_ka_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_client_packets'($*)) dnl
')
########################################
##
## Send afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
allow $1 afs_ka_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_ka_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
dontaudit $1 afs_ka_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Receive afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
allow $1 afs_ka_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
dontaudit $1 afs_ka_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_ka_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_server_packets'($*)) dnl
corenet_send_afs_ka_server_packets($1)
corenet_receive_afs_ka_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_ka_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl
corenet_dontaudit_send_afs_ka_server_packets($1)
corenet_dontaudit_receive_afs_ka_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_ka_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_ka_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_server_packets'($*)) dnl
gen_require(`
type afs_ka_server_packet_t;
')
allow $1 afs_ka_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
dontaudit $1 afs_pt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
dontaudit $1 afs_pt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_pt_port'($*)) dnl
corenet_udp_send_afs_pt_port($1)
corenet_udp_receive_afs_pt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl
corenet_dontaudit_udp_send_afs_pt_port($1)
corenet_dontaudit_udp_receive_afs_pt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_pt_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_pt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to afs_pt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
dontaudit $1 afs_pt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_pt_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_pt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
allow $1 afs_pt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_pt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to afs_pt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_afs_pt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_pt_port'($*)) dnl
gen_require(`
type afs_pt_port_t;
')
dontaudit $1 afs_pt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_pt_port'($*)) dnl
')
########################################
##
## Send afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
allow $1 afs_pt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_pt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
dontaudit $1 afs_pt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Receive afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
allow $1 afs_pt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
dontaudit $1 afs_pt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_pt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_client_packets'($*)) dnl
corenet_send_afs_pt_client_packets($1)
corenet_receive_afs_pt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_pt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl
corenet_dontaudit_send_afs_pt_client_packets($1)
corenet_dontaudit_receive_afs_pt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_pt_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_pt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_client_packets'($*)) dnl
gen_require(`
type afs_pt_client_packet_t;
')
allow $1 afs_pt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_client_packets'($*)) dnl
')
########################################
##
## Send afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
allow $1 afs_pt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_pt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
dontaudit $1 afs_pt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Receive afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
allow $1 afs_pt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
dontaudit $1 afs_pt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_pt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_server_packets'($*)) dnl
corenet_send_afs_pt_server_packets($1)
corenet_receive_afs_pt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_pt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl
corenet_dontaudit_send_afs_pt_server_packets($1)
corenet_dontaudit_receive_afs_pt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_pt_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_pt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_server_packets'($*)) dnl
gen_require(`
type afs_pt_server_packet_t;
')
allow $1 afs_pt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
dontaudit $1 afs_vl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
dontaudit $1 afs_vl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_vl_port'($*)) dnl
corenet_udp_send_afs_vl_port($1)
corenet_udp_receive_afs_vl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl
corenet_dontaudit_udp_send_afs_vl_port($1)
corenet_dontaudit_udp_receive_afs_vl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_vl_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs_vl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to afs_vl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
dontaudit $1 afs_vl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_vl_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs_vl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
allow $1 afs_vl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_vl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to afs_vl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_afs_vl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_vl_port'($*)) dnl
gen_require(`
type afs_vl_port_t;
')
dontaudit $1 afs_vl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_vl_port'($*)) dnl
')
########################################
##
## Send afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
allow $1 afs_vl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_vl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
dontaudit $1 afs_vl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Receive afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
allow $1 afs_vl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
dontaudit $1 afs_vl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs_vl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_client_packets'($*)) dnl
corenet_send_afs_vl_client_packets($1)
corenet_receive_afs_vl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_vl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl
corenet_dontaudit_send_afs_vl_client_packets($1)
corenet_dontaudit_receive_afs_vl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_vl_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_vl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_client_packets'($*)) dnl
gen_require(`
type afs_vl_client_packet_t;
')
allow $1 afs_vl_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_client_packets'($*)) dnl
')
########################################
##
## Send afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
allow $1 afs_vl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs_vl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
dontaudit $1 afs_vl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Receive afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
allow $1 afs_vl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
dontaudit $1 afs_vl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs_vl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_server_packets'($*)) dnl
corenet_send_afs_vl_server_packets($1)
corenet_receive_afs_vl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs_vl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl
corenet_dontaudit_send_afs_vl_server_packets($1)
corenet_dontaudit_receive_afs_vl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs_vl_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs_vl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_server_packets'($*)) dnl
gen_require(`
type afs_vl_server_packet_t;
')
allow $1 afs_vl_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
allow $1 afs3_callback_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs3_callback_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
allow $1 afs3_callback_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs3_callback_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the afs3_callback port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
dontaudit $1 afs3_callback_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs3_callback_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
allow $1 afs3_callback_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs3_callback_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the afs3_callback port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
dontaudit $1 afs3_callback_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs3_callback_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs3_callback_port'($*)) dnl
corenet_udp_send_afs3_callback_port($1)
corenet_udp_receive_afs3_callback_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs3_callback_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the afs3_callback port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs3_callback_port'($*)) dnl
corenet_dontaudit_udp_send_afs3_callback_port($1)
corenet_dontaudit_udp_receive_afs3_callback_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs3_callback_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
allow $1 afs3_callback_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs3_callback_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
allow $1 afs3_callback_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs3_callback_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to afs3_callback port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
dontaudit $1 afs3_callback_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs3_callback_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the afs3_callback port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
allow $1 afs3_callback_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs3_callback_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to afs3_callback port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_afs3_callback_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs3_callback_port'($*)) dnl
gen_require(`
type afs3_callback_port_t;
')
dontaudit $1 afs3_callback_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs3_callback_port'($*)) dnl
')
########################################
##
## Send afs3_callback_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs3_callback_client_packets'($*)) dnl
gen_require(`
type afs3_callback_client_packet_t;
')
allow $1 afs3_callback_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs3_callback_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs3_callback_client_packets'($*)) dnl
gen_require(`
type afs3_callback_client_packet_t;
')
dontaudit $1 afs3_callback_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Receive afs3_callback_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs3_callback_client_packets'($*)) dnl
gen_require(`
type afs3_callback_client_packet_t;
')
allow $1 afs3_callback_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs3_callback_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs3_callback_client_packets'($*)) dnl
gen_require(`
type afs3_callback_client_packet_t;
')
dontaudit $1 afs3_callback_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Send and receive afs3_callback_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs3_callback_client_packets'($*)) dnl
corenet_send_afs3_callback_client_packets($1)
corenet_receive_afs3_callback_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs3_callback_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs3_callback_client_packets'($*)) dnl
corenet_dontaudit_send_afs3_callback_client_packets($1)
corenet_dontaudit_receive_afs3_callback_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs3_callback_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs3_callback_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs3_callback_client_packets'($*)) dnl
gen_require(`
type afs3_callback_client_packet_t;
')
allow $1 afs3_callback_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs3_callback_client_packets'($*)) dnl
')
########################################
##
## Send afs3_callback_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_afs3_callback_server_packets'($*)) dnl
gen_require(`
type afs3_callback_server_packet_t;
')
allow $1 afs3_callback_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send afs3_callback_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs3_callback_server_packets'($*)) dnl
gen_require(`
type afs3_callback_server_packet_t;
')
dontaudit $1 afs3_callback_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Receive afs3_callback_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_afs3_callback_server_packets'($*)) dnl
gen_require(`
type afs3_callback_server_packet_t;
')
allow $1 afs3_callback_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive afs3_callback_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs3_callback_server_packets'($*)) dnl
gen_require(`
type afs3_callback_server_packet_t;
')
dontaudit $1 afs3_callback_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Send and receive afs3_callback_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs3_callback_server_packets'($*)) dnl
corenet_send_afs3_callback_server_packets($1)
corenet_receive_afs3_callback_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive afs3_callback_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs3_callback_server_packets'($*)) dnl
corenet_dontaudit_send_afs3_callback_server_packets($1)
corenet_dontaudit_receive_afs3_callback_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to afs3_callback_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs3_callback_server_packets'($*)) dnl
gen_require(`
type afs3_callback_server_packet_t;
')
allow $1 afs3_callback_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs3_callback_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
allow $1 agentx_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_agentx_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
allow $1 agentx_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
dontaudit $1 agentx_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_agentx_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
allow $1 agentx_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
dontaudit $1 agentx_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_agentx_port'($*)) dnl
corenet_udp_send_agentx_port($1)
corenet_udp_receive_agentx_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl
corenet_dontaudit_udp_send_agentx_port($1)
corenet_dontaudit_udp_receive_agentx_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
allow $1 agentx_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_agentx_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the agentx port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
allow $1 agentx_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to agentx port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
dontaudit $1 agentx_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_agentx_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the agentx port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
allow $1 agentx_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_agentx_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to agentx port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_agentx_port'($*)) dnl
gen_require(`
type agentx_port_t;
')
dontaudit $1 agentx_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_agentx_port'($*)) dnl
')
########################################
##
## Send agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
allow $1 agentx_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_agentx_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send agentx_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
dontaudit $1 agentx_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_client_packets'($*)) dnl
')
########################################
##
## Receive agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
allow $1 agentx_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
dontaudit $1 agentx_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl
')
########################################
##
## Send and receive agentx_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_client_packets'($*)) dnl
corenet_send_agentx_client_packets($1)
corenet_receive_agentx_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive agentx_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl
corenet_dontaudit_send_agentx_client_packets($1)
corenet_dontaudit_receive_agentx_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to agentx_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_client_packets'($*)) dnl
gen_require(`
type agentx_client_packet_t;
')
allow $1 agentx_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_client_packets'($*)) dnl
')
########################################
##
## Send agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
allow $1 agentx_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_agentx_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send agentx_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
dontaudit $1 agentx_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_server_packets'($*)) dnl
')
########################################
##
## Receive agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
allow $1 agentx_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
dontaudit $1 agentx_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl
')
########################################
##
## Send and receive agentx_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_server_packets'($*)) dnl
corenet_send_agentx_server_packets($1)
corenet_receive_agentx_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive agentx_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl
corenet_dontaudit_send_agentx_server_packets($1)
corenet_dontaudit_receive_agentx_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to agentx_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_server_packets'($*)) dnl
gen_require(`
type agentx_server_packet_t;
')
allow $1 agentx_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amanda_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
dontaudit $1 amanda_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amanda_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
dontaudit $1 amanda_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amanda_port'($*)) dnl
corenet_udp_send_amanda_port($1)
corenet_udp_receive_amanda_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl
corenet_dontaudit_udp_send_amanda_port($1)
corenet_dontaudit_udp_receive_amanda_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amanda_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amanda port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to amanda port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
dontaudit $1 amanda_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amanda_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amanda port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
allow $1 amanda_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amanda_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to amanda port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amanda_port'($*)) dnl
gen_require(`
type amanda_port_t;
')
dontaudit $1 amanda_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amanda_port'($*)) dnl
')
########################################
##
## Send amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
allow $1 amanda_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amanda_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amanda_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
dontaudit $1 amanda_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_client_packets'($*)) dnl
')
########################################
##
## Receive amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
allow $1 amanda_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
dontaudit $1 amanda_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl
')
########################################
##
## Send and receive amanda_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_client_packets'($*)) dnl
corenet_send_amanda_client_packets($1)
corenet_receive_amanda_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amanda_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl
corenet_dontaudit_send_amanda_client_packets($1)
corenet_dontaudit_receive_amanda_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to amanda_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_client_packets'($*)) dnl
gen_require(`
type amanda_client_packet_t;
')
allow $1 amanda_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_client_packets'($*)) dnl
')
########################################
##
## Send amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
allow $1 amanda_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amanda_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amanda_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
dontaudit $1 amanda_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_server_packets'($*)) dnl
')
########################################
##
## Receive amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
allow $1 amanda_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
dontaudit $1 amanda_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl
')
########################################
##
## Send and receive amanda_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_server_packets'($*)) dnl
corenet_send_amanda_server_packets($1)
corenet_receive_amanda_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amanda_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl
corenet_dontaudit_send_amanda_server_packets($1)
corenet_dontaudit_receive_amanda_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to amanda_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_server_packets'($*)) dnl
gen_require(`
type amanda_server_packet_t;
')
allow $1 amanda_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
dontaudit $1 amavisd_recv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
dontaudit $1 amavisd_recv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl
corenet_udp_send_amavisd_recv_port($1)
corenet_udp_receive_amavisd_recv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl
corenet_dontaudit_udp_send_amavisd_recv_port($1)
corenet_dontaudit_udp_receive_amavisd_recv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_recv_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to amavisd_recv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
dontaudit $1 amavisd_recv_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amavisd_recv_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
allow $1 amavisd_recv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_recv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to amavisd_recv port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amavisd_recv_port'($*)) dnl
gen_require(`
type amavisd_recv_port_t;
')
dontaudit $1 amavisd_recv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amavisd_recv_port'($*)) dnl
')
########################################
##
## Send amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
allow $1 amavisd_recv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_recv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
dontaudit $1 amavisd_recv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Receive amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
allow $1 amavisd_recv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
dontaudit $1 amavisd_recv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_recv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl
corenet_send_amavisd_recv_client_packets($1)
corenet_receive_amavisd_recv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_recv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl
corenet_dontaudit_send_amavisd_recv_client_packets($1)
corenet_dontaudit_receive_amavisd_recv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to amavisd_recv_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl
gen_require(`
type amavisd_recv_client_packet_t;
')
allow $1 amavisd_recv_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl
')
########################################
##
## Send amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
allow $1 amavisd_recv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_recv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
dontaudit $1 amavisd_recv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Receive amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
allow $1 amavisd_recv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
dontaudit $1 amavisd_recv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_recv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl
corenet_send_amavisd_recv_server_packets($1)
corenet_receive_amavisd_recv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_recv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl
corenet_dontaudit_send_amavisd_recv_server_packets($1)
corenet_dontaudit_receive_amavisd_recv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to amavisd_recv_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl
gen_require(`
type amavisd_recv_server_packet_t;
')
allow $1 amavisd_recv_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
dontaudit $1 amavisd_send_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
dontaudit $1 amavisd_send_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl
corenet_udp_send_amavisd_send_port($1)
corenet_udp_receive_amavisd_send_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl
corenet_dontaudit_udp_send_amavisd_send_port($1)
corenet_dontaudit_udp_receive_amavisd_send_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_send_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to amavisd_send port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
dontaudit $1 amavisd_send_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amavisd_send_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amavisd_send port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
allow $1 amavisd_send_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_send_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to amavisd_send port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amavisd_send_port'($*)) dnl
gen_require(`
type amavisd_send_port_t;
')
dontaudit $1 amavisd_send_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amavisd_send_port'($*)) dnl
')
########################################
##
## Send amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
allow $1 amavisd_send_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_send_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
dontaudit $1 amavisd_send_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Receive amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
allow $1 amavisd_send_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
dontaudit $1 amavisd_send_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_send_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl
corenet_send_amavisd_send_client_packets($1)
corenet_receive_amavisd_send_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_send_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl
corenet_dontaudit_send_amavisd_send_client_packets($1)
corenet_dontaudit_receive_amavisd_send_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to amavisd_send_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_client_packets'($*)) dnl
gen_require(`
type amavisd_send_client_packet_t;
')
allow $1 amavisd_send_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_client_packets'($*)) dnl
')
########################################
##
## Send amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
allow $1 amavisd_send_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amavisd_send_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
dontaudit $1 amavisd_send_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Receive amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
allow $1 amavisd_send_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
dontaudit $1 amavisd_send_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Send and receive amavisd_send_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl
corenet_send_amavisd_send_server_packets($1)
corenet_receive_amavisd_send_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amavisd_send_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl
corenet_dontaudit_send_amavisd_send_server_packets($1)
corenet_dontaudit_receive_amavisd_send_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to amavisd_send_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_server_packets'($*)) dnl
gen_require(`
type amavisd_send_server_packet_t;
')
allow $1 amavisd_send_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the amqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
allow $1 amqp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amqp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the amqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
allow $1 amqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the amqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
dontaudit $1 amqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amqp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the amqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
allow $1 amqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the amqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
dontaudit $1 amqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amqp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the amqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amqp_port'($*)) dnl
corenet_udp_send_amqp_port($1)
corenet_udp_receive_amqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the amqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amqp_port'($*)) dnl
corenet_dontaudit_udp_send_amqp_port($1)
corenet_dontaudit_udp_receive_amqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amqp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the amqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
allow $1 amqp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amqp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the amqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
allow $1 amqp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to amqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
dontaudit $1 amqp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amqp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the amqp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
allow $1 amqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to amqp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amqp_port'($*)) dnl
gen_require(`
type amqp_port_t;
')
dontaudit $1 amqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amqp_port'($*)) dnl
')
########################################
##
## Send amqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amqp_client_packets'($*)) dnl
gen_require(`
type amqp_client_packet_t;
')
allow $1 amqp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amqp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amqp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amqp_client_packets'($*)) dnl
gen_require(`
type amqp_client_packet_t;
')
dontaudit $1 amqp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amqp_client_packets'($*)) dnl
')
########################################
##
## Receive amqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amqp_client_packets'($*)) dnl
gen_require(`
type amqp_client_packet_t;
')
allow $1 amqp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amqp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amqp_client_packets'($*)) dnl
gen_require(`
type amqp_client_packet_t;
')
dontaudit $1 amqp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amqp_client_packets'($*)) dnl
')
########################################
##
## Send and receive amqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amqp_client_packets'($*)) dnl
corenet_send_amqp_client_packets($1)
corenet_receive_amqp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amqp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amqp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amqp_client_packets'($*)) dnl
corenet_dontaudit_send_amqp_client_packets($1)
corenet_dontaudit_receive_amqp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amqp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to amqp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amqp_client_packets'($*)) dnl
gen_require(`
type amqp_client_packet_t;
')
allow $1 amqp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amqp_client_packets'($*)) dnl
')
########################################
##
## Send amqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amqp_server_packets'($*)) dnl
gen_require(`
type amqp_server_packet_t;
')
allow $1 amqp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amqp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send amqp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amqp_server_packets'($*)) dnl
gen_require(`
type amqp_server_packet_t;
')
dontaudit $1 amqp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amqp_server_packets'($*)) dnl
')
########################################
##
## Receive amqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amqp_server_packets'($*)) dnl
gen_require(`
type amqp_server_packet_t;
')
allow $1 amqp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amqp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive amqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amqp_server_packets'($*)) dnl
gen_require(`
type amqp_server_packet_t;
')
dontaudit $1 amqp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amqp_server_packets'($*)) dnl
')
########################################
##
## Send and receive amqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amqp_server_packets'($*)) dnl
corenet_send_amqp_server_packets($1)
corenet_receive_amqp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amqp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive amqp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amqp_server_packets'($*)) dnl
corenet_dontaudit_send_amqp_server_packets($1)
corenet_dontaudit_receive_amqp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amqp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to amqp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_amqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amqp_server_packets'($*)) dnl
gen_require(`
type amqp_server_packet_t;
')
allow $1 amqp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amqp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the aol port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
allow $1 aol_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_aol_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the aol port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
allow $1 aol_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_aol_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the aol port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
dontaudit $1 aol_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_aol_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the aol port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
allow $1 aol_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_aol_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the aol port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
dontaudit $1 aol_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_aol_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the aol port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_aol_port'($*)) dnl
corenet_udp_send_aol_port($1)
corenet_udp_receive_aol_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_aol_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the aol port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_aol_port'($*)) dnl
corenet_dontaudit_udp_send_aol_port($1)
corenet_dontaudit_udp_receive_aol_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_aol_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the aol port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
allow $1 aol_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_aol_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the aol port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
allow $1 aol_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_aol_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to aol port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
dontaudit $1 aol_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_aol_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the aol port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
allow $1 aol_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_aol_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to aol port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_aol_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_aol_port'($*)) dnl
gen_require(`
type aol_port_t;
')
dontaudit $1 aol_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_aol_port'($*)) dnl
')
########################################
##
## Send aol_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_aol_client_packets'($*)) dnl
gen_require(`
type aol_client_packet_t;
')
allow $1 aol_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_aol_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send aol_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_aol_client_packets'($*)) dnl
gen_require(`
type aol_client_packet_t;
')
dontaudit $1 aol_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_aol_client_packets'($*)) dnl
')
########################################
##
## Receive aol_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_aol_client_packets'($*)) dnl
gen_require(`
type aol_client_packet_t;
')
allow $1 aol_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_aol_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive aol_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_aol_client_packets'($*)) dnl
gen_require(`
type aol_client_packet_t;
')
dontaudit $1 aol_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_aol_client_packets'($*)) dnl
')
########################################
##
## Send and receive aol_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_aol_client_packets'($*)) dnl
corenet_send_aol_client_packets($1)
corenet_receive_aol_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_aol_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive aol_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_aol_client_packets'($*)) dnl
corenet_dontaudit_send_aol_client_packets($1)
corenet_dontaudit_receive_aol_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_aol_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to aol_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_aol_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_aol_client_packets'($*)) dnl
gen_require(`
type aol_client_packet_t;
')
allow $1 aol_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_aol_client_packets'($*)) dnl
')
########################################
##
## Send aol_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_aol_server_packets'($*)) dnl
gen_require(`
type aol_server_packet_t;
')
allow $1 aol_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_aol_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send aol_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_aol_server_packets'($*)) dnl
gen_require(`
type aol_server_packet_t;
')
dontaudit $1 aol_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_aol_server_packets'($*)) dnl
')
########################################
##
## Receive aol_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_aol_server_packets'($*)) dnl
gen_require(`
type aol_server_packet_t;
')
allow $1 aol_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_aol_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive aol_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_aol_server_packets'($*)) dnl
gen_require(`
type aol_server_packet_t;
')
dontaudit $1 aol_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_aol_server_packets'($*)) dnl
')
########################################
##
## Send and receive aol_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_aol_server_packets'($*)) dnl
corenet_send_aol_server_packets($1)
corenet_receive_aol_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_aol_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive aol_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_aol_server_packets'($*)) dnl
corenet_dontaudit_send_aol_server_packets($1)
corenet_dontaudit_receive_aol_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_aol_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to aol_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_aol_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_aol_server_packets'($*)) dnl
gen_require(`
type aol_server_packet_t;
')
allow $1 aol_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_aol_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the apc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
allow $1 apc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the apc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
allow $1 apc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the apc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
dontaudit $1 apc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the apc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
allow $1 apc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the apc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
dontaudit $1 apc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the apc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apc_port'($*)) dnl
corenet_udp_send_apc_port($1)
corenet_udp_receive_apc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the apc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apc_port'($*)) dnl
corenet_dontaudit_udp_send_apc_port($1)
corenet_dontaudit_udp_receive_apc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the apc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
allow $1 apc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the apc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
allow $1 apc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to apc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
dontaudit $1 apc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_apc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the apc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
allow $1 apc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to apc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_apc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_apc_port'($*)) dnl
gen_require(`
type apc_port_t;
')
dontaudit $1 apc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_apc_port'($*)) dnl
')
########################################
##
## Send apc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apc_client_packets'($*)) dnl
gen_require(`
type apc_client_packet_t;
')
allow $1 apc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apc_client_packets'($*)) dnl
gen_require(`
type apc_client_packet_t;
')
dontaudit $1 apc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apc_client_packets'($*)) dnl
')
########################################
##
## Receive apc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apc_client_packets'($*)) dnl
gen_require(`
type apc_client_packet_t;
')
allow $1 apc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apc_client_packets'($*)) dnl
gen_require(`
type apc_client_packet_t;
')
dontaudit $1 apc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apc_client_packets'($*)) dnl
')
########################################
##
## Send and receive apc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apc_client_packets'($*)) dnl
corenet_send_apc_client_packets($1)
corenet_receive_apc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apc_client_packets'($*)) dnl
corenet_dontaudit_send_apc_client_packets($1)
corenet_dontaudit_receive_apc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to apc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apc_client_packets'($*)) dnl
gen_require(`
type apc_client_packet_t;
')
allow $1 apc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apc_client_packets'($*)) dnl
')
########################################
##
## Send apc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apc_server_packets'($*)) dnl
gen_require(`
type apc_server_packet_t;
')
allow $1 apc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apc_server_packets'($*)) dnl
gen_require(`
type apc_server_packet_t;
')
dontaudit $1 apc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apc_server_packets'($*)) dnl
')
########################################
##
## Receive apc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apc_server_packets'($*)) dnl
gen_require(`
type apc_server_packet_t;
')
allow $1 apc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apc_server_packets'($*)) dnl
gen_require(`
type apc_server_packet_t;
')
dontaudit $1 apc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apc_server_packets'($*)) dnl
')
########################################
##
## Send and receive apc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apc_server_packets'($*)) dnl
corenet_send_apc_server_packets($1)
corenet_receive_apc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apc_server_packets'($*)) dnl
corenet_dontaudit_send_apc_server_packets($1)
corenet_dontaudit_receive_apc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to apc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apc_server_packets'($*)) dnl
gen_require(`
type apc_server_packet_t;
')
allow $1 apc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apcupsd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
dontaudit $1 apcupsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apcupsd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
dontaudit $1 apcupsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apcupsd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apcupsd_port'($*)) dnl
corenet_udp_send_apcupsd_port($1)
corenet_udp_receive_apcupsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*)) dnl
corenet_dontaudit_udp_send_apcupsd_port($1)
corenet_dontaudit_udp_receive_apcupsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apcupsd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the apcupsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to apcupsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
dontaudit $1 apcupsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_apcupsd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the apcupsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
allow $1 apcupsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apcupsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to apcupsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_apcupsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_apcupsd_port'($*)) dnl
gen_require(`
type apcupsd_port_t;
')
dontaudit $1 apcupsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_apcupsd_port'($*)) dnl
')
########################################
##
## Send apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
allow $1 apcupsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apcupsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
dontaudit $1 apcupsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Receive apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
allow $1 apcupsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
dontaudit $1 apcupsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Send and receive apcupsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_client_packets'($*)) dnl
corenet_send_apcupsd_client_packets($1)
corenet_receive_apcupsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apcupsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*)) dnl
corenet_dontaudit_send_apcupsd_client_packets($1)
corenet_dontaudit_receive_apcupsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to apcupsd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apcupsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_client_packets'($*)) dnl
gen_require(`
type apcupsd_client_packet_t;
')
allow $1 apcupsd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_client_packets'($*)) dnl
')
########################################
##
## Send apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
allow $1 apcupsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apcupsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
dontaudit $1 apcupsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Receive apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
allow $1 apcupsd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
dontaudit $1 apcupsd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive apcupsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_server_packets'($*)) dnl
corenet_send_apcupsd_server_packets($1)
corenet_receive_apcupsd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apcupsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*)) dnl
corenet_dontaudit_send_apcupsd_server_packets($1)
corenet_dontaudit_receive_apcupsd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to apcupsd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apcupsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_server_packets'($*)) dnl
gen_require(`
type apcupsd_server_packet_t;
')
allow $1 apcupsd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
allow $1 apertus_ldp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apertus_ldp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
allow $1 apertus_ldp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apertus_ldp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the apertus_ldp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
dontaudit $1 apertus_ldp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apertus_ldp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
allow $1 apertus_ldp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apertus_ldp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the apertus_ldp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
dontaudit $1 apertus_ldp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apertus_ldp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apertus_ldp_port'($*)) dnl
corenet_udp_send_apertus_ldp_port($1)
corenet_udp_receive_apertus_ldp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apertus_ldp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the apertus_ldp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apertus_ldp_port'($*)) dnl
corenet_dontaudit_udp_send_apertus_ldp_port($1)
corenet_dontaudit_udp_receive_apertus_ldp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apertus_ldp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
allow $1 apertus_ldp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apertus_ldp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
allow $1 apertus_ldp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apertus_ldp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to apertus_ldp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
dontaudit $1 apertus_ldp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_apertus_ldp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
allow $1 apertus_ldp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apertus_ldp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to apertus_ldp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_apertus_ldp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_apertus_ldp_port'($*)) dnl
gen_require(`
type apertus_ldp_port_t;
')
dontaudit $1 apertus_ldp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_apertus_ldp_port'($*)) dnl
')
########################################
##
## Send apertus_ldp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apertus_ldp_client_packets'($*)) dnl
gen_require(`
type apertus_ldp_client_packet_t;
')
allow $1 apertus_ldp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apertus_ldp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apertus_ldp_client_packets'($*)) dnl
gen_require(`
type apertus_ldp_client_packet_t;
')
dontaudit $1 apertus_ldp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Receive apertus_ldp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apertus_ldp_client_packets'($*)) dnl
gen_require(`
type apertus_ldp_client_packet_t;
')
allow $1 apertus_ldp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apertus_ldp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apertus_ldp_client_packets'($*)) dnl
gen_require(`
type apertus_ldp_client_packet_t;
')
dontaudit $1 apertus_ldp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Send and receive apertus_ldp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apertus_ldp_client_packets'($*)) dnl
corenet_send_apertus_ldp_client_packets($1)
corenet_receive_apertus_ldp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apertus_ldp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apertus_ldp_client_packets'($*)) dnl
corenet_dontaudit_send_apertus_ldp_client_packets($1)
corenet_dontaudit_receive_apertus_ldp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to apertus_ldp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apertus_ldp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apertus_ldp_client_packets'($*)) dnl
gen_require(`
type apertus_ldp_client_packet_t;
')
allow $1 apertus_ldp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apertus_ldp_client_packets'($*)) dnl
')
########################################
##
## Send apertus_ldp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apertus_ldp_server_packets'($*)) dnl
gen_require(`
type apertus_ldp_server_packet_t;
')
allow $1 apertus_ldp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send apertus_ldp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apertus_ldp_server_packets'($*)) dnl
gen_require(`
type apertus_ldp_server_packet_t;
')
dontaudit $1 apertus_ldp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Receive apertus_ldp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apertus_ldp_server_packets'($*)) dnl
gen_require(`
type apertus_ldp_server_packet_t;
')
allow $1 apertus_ldp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive apertus_ldp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apertus_ldp_server_packets'($*)) dnl
gen_require(`
type apertus_ldp_server_packet_t;
')
dontaudit $1 apertus_ldp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Send and receive apertus_ldp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apertus_ldp_server_packets'($*)) dnl
corenet_send_apertus_ldp_server_packets($1)
corenet_receive_apertus_ldp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive apertus_ldp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apertus_ldp_server_packets'($*)) dnl
corenet_dontaudit_send_apertus_ldp_server_packets($1)
corenet_dontaudit_receive_apertus_ldp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to apertus_ldp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_apertus_ldp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apertus_ldp_server_packets'($*)) dnl
gen_require(`
type apertus_ldp_server_packet_t;
')
allow $1 apertus_ldp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apertus_ldp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
allow $1 appswitch_emp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_appswitch_emp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
allow $1 appswitch_emp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_appswitch_emp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the appswitch_emp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
dontaudit $1 appswitch_emp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_appswitch_emp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
allow $1 appswitch_emp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_appswitch_emp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the appswitch_emp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
dontaudit $1 appswitch_emp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_appswitch_emp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_appswitch_emp_port'($*)) dnl
corenet_udp_send_appswitch_emp_port($1)
corenet_udp_receive_appswitch_emp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_appswitch_emp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the appswitch_emp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_appswitch_emp_port'($*)) dnl
corenet_dontaudit_udp_send_appswitch_emp_port($1)
corenet_dontaudit_udp_receive_appswitch_emp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_appswitch_emp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
allow $1 appswitch_emp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_appswitch_emp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
allow $1 appswitch_emp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_appswitch_emp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to appswitch_emp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
dontaudit $1 appswitch_emp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_appswitch_emp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
allow $1 appswitch_emp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_appswitch_emp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to appswitch_emp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_appswitch_emp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_appswitch_emp_port'($*)) dnl
gen_require(`
type appswitch_emp_port_t;
')
dontaudit $1 appswitch_emp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_appswitch_emp_port'($*)) dnl
')
########################################
##
## Send appswitch_emp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_appswitch_emp_client_packets'($*)) dnl
gen_require(`
type appswitch_emp_client_packet_t;
')
allow $1 appswitch_emp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send appswitch_emp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_appswitch_emp_client_packets'($*)) dnl
gen_require(`
type appswitch_emp_client_packet_t;
')
dontaudit $1 appswitch_emp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Receive appswitch_emp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_appswitch_emp_client_packets'($*)) dnl
gen_require(`
type appswitch_emp_client_packet_t;
')
allow $1 appswitch_emp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive appswitch_emp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_appswitch_emp_client_packets'($*)) dnl
gen_require(`
type appswitch_emp_client_packet_t;
')
dontaudit $1 appswitch_emp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Send and receive appswitch_emp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_appswitch_emp_client_packets'($*)) dnl
corenet_send_appswitch_emp_client_packets($1)
corenet_receive_appswitch_emp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive appswitch_emp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_appswitch_emp_client_packets'($*)) dnl
corenet_dontaudit_send_appswitch_emp_client_packets($1)
corenet_dontaudit_receive_appswitch_emp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to appswitch_emp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_appswitch_emp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_appswitch_emp_client_packets'($*)) dnl
gen_require(`
type appswitch_emp_client_packet_t;
')
allow $1 appswitch_emp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_appswitch_emp_client_packets'($*)) dnl
')
########################################
##
## Send appswitch_emp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_appswitch_emp_server_packets'($*)) dnl
gen_require(`
type appswitch_emp_server_packet_t;
')
allow $1 appswitch_emp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send appswitch_emp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_appswitch_emp_server_packets'($*)) dnl
gen_require(`
type appswitch_emp_server_packet_t;
')
dontaudit $1 appswitch_emp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Receive appswitch_emp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_appswitch_emp_server_packets'($*)) dnl
gen_require(`
type appswitch_emp_server_packet_t;
')
allow $1 appswitch_emp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive appswitch_emp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_appswitch_emp_server_packets'($*)) dnl
gen_require(`
type appswitch_emp_server_packet_t;
')
dontaudit $1 appswitch_emp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Send and receive appswitch_emp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_appswitch_emp_server_packets'($*)) dnl
corenet_send_appswitch_emp_server_packets($1)
corenet_receive_appswitch_emp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive appswitch_emp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_appswitch_emp_server_packets'($*)) dnl
corenet_dontaudit_send_appswitch_emp_server_packets($1)
corenet_dontaudit_receive_appswitch_emp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to appswitch_emp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_appswitch_emp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_appswitch_emp_server_packets'($*)) dnl
gen_require(`
type appswitch_emp_server_packet_t;
')
allow $1 appswitch_emp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_appswitch_emp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_asterisk_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
dontaudit $1 asterisk_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_asterisk_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
dontaudit $1 asterisk_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_asterisk_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_asterisk_port'($*)) dnl
corenet_udp_send_asterisk_port($1)
corenet_udp_receive_asterisk_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_asterisk_port'($*)) dnl
corenet_dontaudit_udp_send_asterisk_port($1)
corenet_dontaudit_udp_receive_asterisk_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_asterisk_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_asterisk_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the asterisk port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to asterisk port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
dontaudit $1 asterisk_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_asterisk_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the asterisk port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
allow $1 asterisk_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_asterisk_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to asterisk port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_asterisk_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_asterisk_port'($*)) dnl
gen_require(`
type asterisk_port_t;
')
dontaudit $1 asterisk_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_asterisk_port'($*)) dnl
')
########################################
##
## Send asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_client_packets'($*)) dnl
gen_require(`
type asterisk_client_packet_t;
')
allow $1 asterisk_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send asterisk_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_client_packets'($*)) dnl
gen_require(`
type asterisk_client_packet_t;
')
dontaudit $1 asterisk_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_client_packets'($*)) dnl
')
########################################
##
## Receive asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_client_packets'($*)) dnl
gen_require(`
type asterisk_client_packet_t;
')
allow $1 asterisk_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_client_packets'($*)) dnl
gen_require(`
type asterisk_client_packet_t;
')
dontaudit $1 asterisk_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_client_packets'($*)) dnl
')
########################################
##
## Send and receive asterisk_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_client_packets'($*)) dnl
corenet_send_asterisk_client_packets($1)
corenet_receive_asterisk_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive asterisk_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_client_packets'($*)) dnl
corenet_dontaudit_send_asterisk_client_packets($1)
corenet_dontaudit_receive_asterisk_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to asterisk_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_asterisk_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_client_packets'($*)) dnl
gen_require(`
type asterisk_client_packet_t;
')
allow $1 asterisk_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_client_packets'($*)) dnl
')
########################################
##
## Send asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_server_packets'($*)) dnl
gen_require(`
type asterisk_server_packet_t;
')
allow $1 asterisk_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send asterisk_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_server_packets'($*)) dnl
gen_require(`
type asterisk_server_packet_t;
')
dontaudit $1 asterisk_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_server_packets'($*)) dnl
')
########################################
##
## Receive asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_server_packets'($*)) dnl
gen_require(`
type asterisk_server_packet_t;
')
allow $1 asterisk_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_server_packets'($*)) dnl
gen_require(`
type asterisk_server_packet_t;
')
dontaudit $1 asterisk_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_server_packets'($*)) dnl
')
########################################
##
## Send and receive asterisk_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_server_packets'($*)) dnl
corenet_send_asterisk_server_packets($1)
corenet_receive_asterisk_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive asterisk_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_server_packets'($*)) dnl
corenet_dontaudit_send_asterisk_server_packets($1)
corenet_dontaudit_receive_asterisk_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to asterisk_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_asterisk_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_server_packets'($*)) dnl
gen_require(`
type asterisk_server_packet_t;
')
allow $1 asterisk_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_audit_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
dontaudit $1 audit_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_audit_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
dontaudit $1 audit_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_audit_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_audit_port'($*)) dnl
corenet_udp_send_audit_port($1)
corenet_udp_receive_audit_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl
corenet_dontaudit_udp_send_audit_port($1)
corenet_dontaudit_udp_receive_audit_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_audit_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the audit port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to audit port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
dontaudit $1 audit_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_audit_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the audit port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
allow $1 audit_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_audit_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to audit port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_audit_port'($*)) dnl
gen_require(`
type audit_port_t;
')
dontaudit $1 audit_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_audit_port'($*)) dnl
')
########################################
##
## Send audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_audit_client_packets'($*)) dnl
gen_require(`
type audit_client_packet_t;
')
allow $1 audit_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_audit_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send audit_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_client_packets'($*)) dnl
gen_require(`
type audit_client_packet_t;
')
dontaudit $1 audit_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_client_packets'($*)) dnl
')
########################################
##
## Receive audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_client_packets'($*)) dnl
gen_require(`
type audit_client_packet_t;
')
allow $1 audit_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_audit_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_client_packets'($*)) dnl
gen_require(`
type audit_client_packet_t;
')
dontaudit $1 audit_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_client_packets'($*)) dnl
')
########################################
##
## Send and receive audit_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_client_packets'($*)) dnl
corenet_send_audit_client_packets($1)
corenet_receive_audit_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive audit_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl
corenet_dontaudit_send_audit_client_packets($1)
corenet_dontaudit_receive_audit_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to audit_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_client_packets'($*)) dnl
gen_require(`
type audit_client_packet_t;
')
allow $1 audit_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_client_packets'($*)) dnl
')
########################################
##
## Send audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_audit_server_packets'($*)) dnl
gen_require(`
type audit_server_packet_t;
')
allow $1 audit_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_audit_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send audit_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_server_packets'($*)) dnl
gen_require(`
type audit_server_packet_t;
')
dontaudit $1 audit_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_server_packets'($*)) dnl
')
########################################
##
## Receive audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_server_packets'($*)) dnl
gen_require(`
type audit_server_packet_t;
')
allow $1 audit_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_audit_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_server_packets'($*)) dnl
gen_require(`
type audit_server_packet_t;
')
dontaudit $1 audit_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_server_packets'($*)) dnl
')
########################################
##
## Send and receive audit_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_server_packets'($*)) dnl
corenet_send_audit_server_packets($1)
corenet_receive_audit_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive audit_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl
corenet_dontaudit_send_audit_server_packets($1)
corenet_dontaudit_receive_audit_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to audit_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_server_packets'($*)) dnl
gen_require(`
type audit_server_packet_t;
')
allow $1 audit_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_auth_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
dontaudit $1 auth_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_auth_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
dontaudit $1 auth_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_auth_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_auth_port'($*)) dnl
corenet_udp_send_auth_port($1)
corenet_udp_receive_auth_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl
corenet_dontaudit_udp_send_auth_port($1)
corenet_dontaudit_udp_receive_auth_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_auth_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the auth port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to auth port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
dontaudit $1 auth_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_auth_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the auth port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
allow $1 auth_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_auth_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to auth port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_auth_port'($*)) dnl
gen_require(`
type auth_port_t;
')
dontaudit $1 auth_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_auth_port'($*)) dnl
')
########################################
##
## Send auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_auth_client_packets'($*)) dnl
gen_require(`
type auth_client_packet_t;
')
allow $1 auth_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_auth_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send auth_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_client_packets'($*)) dnl
gen_require(`
type auth_client_packet_t;
')
dontaudit $1 auth_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_client_packets'($*)) dnl
')
########################################
##
## Receive auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_client_packets'($*)) dnl
gen_require(`
type auth_client_packet_t;
')
allow $1 auth_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_auth_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_client_packets'($*)) dnl
gen_require(`
type auth_client_packet_t;
')
dontaudit $1 auth_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_client_packets'($*)) dnl
')
########################################
##
## Send and receive auth_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_client_packets'($*)) dnl
corenet_send_auth_client_packets($1)
corenet_receive_auth_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive auth_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl
corenet_dontaudit_send_auth_client_packets($1)
corenet_dontaudit_receive_auth_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to auth_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_client_packets'($*)) dnl
gen_require(`
type auth_client_packet_t;
')
allow $1 auth_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_client_packets'($*)) dnl
')
########################################
##
## Send auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_auth_server_packets'($*)) dnl
gen_require(`
type auth_server_packet_t;
')
allow $1 auth_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_auth_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send auth_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_server_packets'($*)) dnl
gen_require(`
type auth_server_packet_t;
')
dontaudit $1 auth_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_server_packets'($*)) dnl
')
########################################
##
## Receive auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_server_packets'($*)) dnl
gen_require(`
type auth_server_packet_t;
')
allow $1 auth_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_auth_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_server_packets'($*)) dnl
gen_require(`
type auth_server_packet_t;
')
dontaudit $1 auth_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_server_packets'($*)) dnl
')
########################################
##
## Send and receive auth_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_server_packets'($*)) dnl
corenet_send_auth_server_packets($1)
corenet_receive_auth_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive auth_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl
corenet_dontaudit_send_auth_server_packets($1)
corenet_dontaudit_receive_auth_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to auth_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_server_packets'($*)) dnl
gen_require(`
type auth_server_packet_t;
')
allow $1 auth_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the bacula port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
allow $1 bacula_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bacula_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the bacula port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
allow $1 bacula_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bacula_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the bacula port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
dontaudit $1 bacula_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bacula_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the bacula port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
allow $1 bacula_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bacula_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the bacula port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
dontaudit $1 bacula_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bacula_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the bacula port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bacula_port'($*)) dnl
corenet_udp_send_bacula_port($1)
corenet_udp_receive_bacula_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bacula_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the bacula port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bacula_port'($*)) dnl
corenet_dontaudit_udp_send_bacula_port($1)
corenet_dontaudit_udp_receive_bacula_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bacula_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the bacula port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
allow $1 bacula_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bacula_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the bacula port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
allow $1 bacula_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bacula_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to bacula port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
dontaudit $1 bacula_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bacula_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the bacula port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
allow $1 bacula_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bacula_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to bacula port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bacula_port'($*)) dnl
gen_require(`
type bacula_port_t;
')
dontaudit $1 bacula_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bacula_port'($*)) dnl
')
########################################
##
## Send bacula_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bacula_client_packets'($*)) dnl
gen_require(`
type bacula_client_packet_t;
')
allow $1 bacula_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bacula_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bacula_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bacula_client_packets'($*)) dnl
gen_require(`
type bacula_client_packet_t;
')
dontaudit $1 bacula_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bacula_client_packets'($*)) dnl
')
########################################
##
## Receive bacula_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bacula_client_packets'($*)) dnl
gen_require(`
type bacula_client_packet_t;
')
allow $1 bacula_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bacula_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bacula_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bacula_client_packets'($*)) dnl
gen_require(`
type bacula_client_packet_t;
')
dontaudit $1 bacula_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bacula_client_packets'($*)) dnl
')
########################################
##
## Send and receive bacula_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bacula_client_packets'($*)) dnl
corenet_send_bacula_client_packets($1)
corenet_receive_bacula_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bacula_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bacula_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bacula_client_packets'($*)) dnl
corenet_dontaudit_send_bacula_client_packets($1)
corenet_dontaudit_receive_bacula_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bacula_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to bacula_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bacula_client_packets'($*)) dnl
gen_require(`
type bacula_client_packet_t;
')
allow $1 bacula_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bacula_client_packets'($*)) dnl
')
########################################
##
## Send bacula_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bacula_server_packets'($*)) dnl
gen_require(`
type bacula_server_packet_t;
')
allow $1 bacula_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bacula_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bacula_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bacula_server_packets'($*)) dnl
gen_require(`
type bacula_server_packet_t;
')
dontaudit $1 bacula_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bacula_server_packets'($*)) dnl
')
########################################
##
## Receive bacula_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bacula_server_packets'($*)) dnl
gen_require(`
type bacula_server_packet_t;
')
allow $1 bacula_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bacula_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bacula_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bacula_server_packets'($*)) dnl
gen_require(`
type bacula_server_packet_t;
')
dontaudit $1 bacula_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bacula_server_packets'($*)) dnl
')
########################################
##
## Send and receive bacula_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bacula_server_packets'($*)) dnl
corenet_send_bacula_server_packets($1)
corenet_receive_bacula_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bacula_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bacula_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bacula_server_packets'($*)) dnl
corenet_dontaudit_send_bacula_server_packets($1)
corenet_dontaudit_receive_bacula_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bacula_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to bacula_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bacula_server_packets'($*)) dnl
gen_require(`
type bacula_server_packet_t;
')
allow $1 bacula_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bacula_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the babel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
allow $1 babel_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_babel_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the babel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
allow $1 babel_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_babel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the babel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
dontaudit $1 babel_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_babel_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the babel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
allow $1 babel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_babel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the babel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
dontaudit $1 babel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_babel_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the babel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_babel_port'($*)) dnl
corenet_udp_send_babel_port($1)
corenet_udp_receive_babel_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_babel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the babel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_babel_port'($*)) dnl
corenet_dontaudit_udp_send_babel_port($1)
corenet_dontaudit_udp_receive_babel_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_babel_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the babel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
allow $1 babel_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_babel_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the babel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
allow $1 babel_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_babel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to babel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
dontaudit $1 babel_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_babel_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the babel port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
allow $1 babel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_babel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to babel port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_babel_port'($*)) dnl
gen_require(`
type babel_port_t;
')
dontaudit $1 babel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_babel_port'($*)) dnl
')
########################################
##
## Send babel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_babel_client_packets'($*)) dnl
gen_require(`
type babel_client_packet_t;
')
allow $1 babel_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_babel_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send babel_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_babel_client_packets'($*)) dnl
gen_require(`
type babel_client_packet_t;
')
dontaudit $1 babel_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_babel_client_packets'($*)) dnl
')
########################################
##
## Receive babel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_babel_client_packets'($*)) dnl
gen_require(`
type babel_client_packet_t;
')
allow $1 babel_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_babel_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive babel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_babel_client_packets'($*)) dnl
gen_require(`
type babel_client_packet_t;
')
dontaudit $1 babel_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_babel_client_packets'($*)) dnl
')
########################################
##
## Send and receive babel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_babel_client_packets'($*)) dnl
corenet_send_babel_client_packets($1)
corenet_receive_babel_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_babel_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive babel_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_babel_client_packets'($*)) dnl
corenet_dontaudit_send_babel_client_packets($1)
corenet_dontaudit_receive_babel_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_babel_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to babel_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_babel_client_packets'($*)) dnl
gen_require(`
type babel_client_packet_t;
')
allow $1 babel_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_babel_client_packets'($*)) dnl
')
########################################
##
## Send babel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_babel_server_packets'($*)) dnl
gen_require(`
type babel_server_packet_t;
')
allow $1 babel_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_babel_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send babel_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_babel_server_packets'($*)) dnl
gen_require(`
type babel_server_packet_t;
')
dontaudit $1 babel_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_babel_server_packets'($*)) dnl
')
########################################
##
## Receive babel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_babel_server_packets'($*)) dnl
gen_require(`
type babel_server_packet_t;
')
allow $1 babel_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_babel_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive babel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_babel_server_packets'($*)) dnl
gen_require(`
type babel_server_packet_t;
')
dontaudit $1 babel_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_babel_server_packets'($*)) dnl
')
########################################
##
## Send and receive babel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_babel_server_packets'($*)) dnl
corenet_send_babel_server_packets($1)
corenet_receive_babel_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_babel_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive babel_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_babel_server_packets'($*)) dnl
corenet_dontaudit_send_babel_server_packets($1)
corenet_dontaudit_receive_babel_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_babel_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to babel_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_babel_server_packets'($*)) dnl
gen_require(`
type babel_server_packet_t;
')
allow $1 babel_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_babel_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the bctp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
allow $1 bctp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bctp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the bctp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
allow $1 bctp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bctp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the bctp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
dontaudit $1 bctp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bctp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the bctp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
allow $1 bctp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bctp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the bctp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
dontaudit $1 bctp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bctp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the bctp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bctp_port'($*)) dnl
corenet_udp_send_bctp_port($1)
corenet_udp_receive_bctp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bctp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the bctp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bctp_port'($*)) dnl
corenet_dontaudit_udp_send_bctp_port($1)
corenet_dontaudit_udp_receive_bctp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bctp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the bctp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
allow $1 bctp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bctp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the bctp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
allow $1 bctp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bctp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to bctp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
dontaudit $1 bctp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bctp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the bctp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
allow $1 bctp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bctp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to bctp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bctp_port'($*)) dnl
gen_require(`
type bctp_port_t;
')
dontaudit $1 bctp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bctp_port'($*)) dnl
')
########################################
##
## Send bctp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bctp_client_packets'($*)) dnl
gen_require(`
type bctp_client_packet_t;
')
allow $1 bctp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bctp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bctp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bctp_client_packets'($*)) dnl
gen_require(`
type bctp_client_packet_t;
')
dontaudit $1 bctp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bctp_client_packets'($*)) dnl
')
########################################
##
## Receive bctp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bctp_client_packets'($*)) dnl
gen_require(`
type bctp_client_packet_t;
')
allow $1 bctp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bctp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bctp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bctp_client_packets'($*)) dnl
gen_require(`
type bctp_client_packet_t;
')
dontaudit $1 bctp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bctp_client_packets'($*)) dnl
')
########################################
##
## Send and receive bctp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bctp_client_packets'($*)) dnl
corenet_send_bctp_client_packets($1)
corenet_receive_bctp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bctp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bctp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bctp_client_packets'($*)) dnl
corenet_dontaudit_send_bctp_client_packets($1)
corenet_dontaudit_receive_bctp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bctp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to bctp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bctp_client_packets'($*)) dnl
gen_require(`
type bctp_client_packet_t;
')
allow $1 bctp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bctp_client_packets'($*)) dnl
')
########################################
##
## Send bctp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bctp_server_packets'($*)) dnl
gen_require(`
type bctp_server_packet_t;
')
allow $1 bctp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bctp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bctp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bctp_server_packets'($*)) dnl
gen_require(`
type bctp_server_packet_t;
')
dontaudit $1 bctp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bctp_server_packets'($*)) dnl
')
########################################
##
## Receive bctp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bctp_server_packets'($*)) dnl
gen_require(`
type bctp_server_packet_t;
')
allow $1 bctp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bctp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bctp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bctp_server_packets'($*)) dnl
gen_require(`
type bctp_server_packet_t;
')
dontaudit $1 bctp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bctp_server_packets'($*)) dnl
')
########################################
##
## Send and receive bctp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bctp_server_packets'($*)) dnl
corenet_send_bctp_server_packets($1)
corenet_receive_bctp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bctp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bctp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bctp_server_packets'($*)) dnl
corenet_dontaudit_send_bctp_server_packets($1)
corenet_dontaudit_receive_bctp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bctp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to bctp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bctp_server_packets'($*)) dnl
gen_require(`
type bctp_server_packet_t;
')
allow $1 bctp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bctp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the bfd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
allow $1 bfd_control_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bfd_control_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the bfd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
allow $1 bfd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bfd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the bfd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
dontaudit $1 bfd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bfd_control_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the bfd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
allow $1 bfd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bfd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the bfd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
dontaudit $1 bfd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bfd_control_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the bfd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bfd_control_port'($*)) dnl
corenet_udp_send_bfd_control_port($1)
corenet_udp_receive_bfd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bfd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the bfd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bfd_control_port'($*)) dnl
corenet_dontaudit_udp_send_bfd_control_port($1)
corenet_dontaudit_udp_receive_bfd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bfd_control_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the bfd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
allow $1 bfd_control_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bfd_control_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the bfd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
allow $1 bfd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bfd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to bfd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
dontaudit $1 bfd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bfd_control_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the bfd_control port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
allow $1 bfd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bfd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to bfd_control port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bfd_control_port'($*)) dnl
gen_require(`
type bfd_control_port_t;
')
dontaudit $1 bfd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bfd_control_port'($*)) dnl
')
########################################
##
## Send bfd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_control_client_packets'($*)) dnl
gen_require(`
type bfd_control_client_packet_t;
')
allow $1 bfd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bfd_control_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_control_client_packets'($*)) dnl
gen_require(`
type bfd_control_client_packet_t;
')
dontaudit $1 bfd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Receive bfd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_control_client_packets'($*)) dnl
gen_require(`
type bfd_control_client_packet_t;
')
allow $1 bfd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bfd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_control_client_packets'($*)) dnl
gen_require(`
type bfd_control_client_packet_t;
')
dontaudit $1 bfd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Send and receive bfd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_control_client_packets'($*)) dnl
corenet_send_bfd_control_client_packets($1)
corenet_receive_bfd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bfd_control_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_control_client_packets'($*)) dnl
corenet_dontaudit_send_bfd_control_client_packets($1)
corenet_dontaudit_receive_bfd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to bfd_control_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_control_client_packets'($*)) dnl
gen_require(`
type bfd_control_client_packet_t;
')
allow $1 bfd_control_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_control_client_packets'($*)) dnl
')
########################################
##
## Send bfd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_control_server_packets'($*)) dnl
gen_require(`
type bfd_control_server_packet_t;
')
allow $1 bfd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bfd_control_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_control_server_packets'($*)) dnl
gen_require(`
type bfd_control_server_packet_t;
')
dontaudit $1 bfd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Receive bfd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_control_server_packets'($*)) dnl
gen_require(`
type bfd_control_server_packet_t;
')
allow $1 bfd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bfd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_control_server_packets'($*)) dnl
gen_require(`
type bfd_control_server_packet_t;
')
dontaudit $1 bfd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Send and receive bfd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_control_server_packets'($*)) dnl
corenet_send_bfd_control_server_packets($1)
corenet_receive_bfd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bfd_control_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_control_server_packets'($*)) dnl
corenet_dontaudit_send_bfd_control_server_packets($1)
corenet_dontaudit_receive_bfd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to bfd_control_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_control_server_packets'($*)) dnl
gen_require(`
type bfd_control_server_packet_t;
')
allow $1 bfd_control_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_control_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
allow $1 bfd_echo_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bfd_echo_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
allow $1 bfd_echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bfd_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the bfd_echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
dontaudit $1 bfd_echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bfd_echo_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
allow $1 bfd_echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bfd_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the bfd_echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
dontaudit $1 bfd_echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bfd_echo_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bfd_echo_port'($*)) dnl
corenet_udp_send_bfd_echo_port($1)
corenet_udp_receive_bfd_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bfd_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the bfd_echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bfd_echo_port'($*)) dnl
corenet_dontaudit_udp_send_bfd_echo_port($1)
corenet_dontaudit_udp_receive_bfd_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bfd_echo_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
allow $1 bfd_echo_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bfd_echo_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
allow $1 bfd_echo_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bfd_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to bfd_echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
dontaudit $1 bfd_echo_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bfd_echo_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the bfd_echo port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
allow $1 bfd_echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bfd_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to bfd_echo port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bfd_echo_port'($*)) dnl
gen_require(`
type bfd_echo_port_t;
')
dontaudit $1 bfd_echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bfd_echo_port'($*)) dnl
')
########################################
##
## Send bfd_echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_echo_client_packets'($*)) dnl
gen_require(`
type bfd_echo_client_packet_t;
')
allow $1 bfd_echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bfd_echo_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_echo_client_packets'($*)) dnl
gen_require(`
type bfd_echo_client_packet_t;
')
dontaudit $1 bfd_echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Receive bfd_echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_echo_client_packets'($*)) dnl
gen_require(`
type bfd_echo_client_packet_t;
')
allow $1 bfd_echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bfd_echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_echo_client_packets'($*)) dnl
gen_require(`
type bfd_echo_client_packet_t;
')
dontaudit $1 bfd_echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Send and receive bfd_echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_echo_client_packets'($*)) dnl
corenet_send_bfd_echo_client_packets($1)
corenet_receive_bfd_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bfd_echo_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_echo_client_packets'($*)) dnl
corenet_dontaudit_send_bfd_echo_client_packets($1)
corenet_dontaudit_receive_bfd_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to bfd_echo_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_echo_client_packets'($*)) dnl
gen_require(`
type bfd_echo_client_packet_t;
')
allow $1 bfd_echo_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_echo_client_packets'($*)) dnl
')
########################################
##
## Send bfd_echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_echo_server_packets'($*)) dnl
gen_require(`
type bfd_echo_server_packet_t;
')
allow $1 bfd_echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bfd_echo_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_echo_server_packets'($*)) dnl
gen_require(`
type bfd_echo_server_packet_t;
')
dontaudit $1 bfd_echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Receive bfd_echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_echo_server_packets'($*)) dnl
gen_require(`
type bfd_echo_server_packet_t;
')
allow $1 bfd_echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bfd_echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_echo_server_packets'($*)) dnl
gen_require(`
type bfd_echo_server_packet_t;
')
dontaudit $1 bfd_echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Send and receive bfd_echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_echo_server_packets'($*)) dnl
corenet_send_bfd_echo_server_packets($1)
corenet_receive_bfd_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bfd_echo_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_echo_server_packets'($*)) dnl
corenet_dontaudit_send_bfd_echo_server_packets($1)
corenet_dontaudit_receive_bfd_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to bfd_echo_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_echo_server_packets'($*)) dnl
gen_require(`
type bfd_echo_server_packet_t;
')
allow $1 bfd_echo_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_echo_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bgp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
dontaudit $1 bgp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bgp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
dontaudit $1 bgp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bgp_port'($*)) dnl
corenet_udp_send_bgp_port($1)
corenet_udp_receive_bgp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl
corenet_dontaudit_udp_send_bgp_port($1)
corenet_dontaudit_udp_receive_bgp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bgp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the bgp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to bgp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
dontaudit $1 bgp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bgp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the bgp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
allow $1 bgp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bgp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to bgp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bgp_port'($*)) dnl
gen_require(`
type bgp_port_t;
')
dontaudit $1 bgp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bgp_port'($*)) dnl
')
########################################
##
## Send bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_client_packets'($*)) dnl
gen_require(`
type bgp_client_packet_t;
')
allow $1 bgp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bgp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bgp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_client_packets'($*)) dnl
gen_require(`
type bgp_client_packet_t;
')
dontaudit $1 bgp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_client_packets'($*)) dnl
')
########################################
##
## Receive bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_client_packets'($*)) dnl
gen_require(`
type bgp_client_packet_t;
')
allow $1 bgp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl
gen_require(`
type bgp_client_packet_t;
')
dontaudit $1 bgp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl
')
########################################
##
## Send and receive bgp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_client_packets'($*)) dnl
corenet_send_bgp_client_packets($1)
corenet_receive_bgp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bgp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl
corenet_dontaudit_send_bgp_client_packets($1)
corenet_dontaudit_receive_bgp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to bgp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_client_packets'($*)) dnl
gen_require(`
type bgp_client_packet_t;
')
allow $1 bgp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_client_packets'($*)) dnl
')
########################################
##
## Send bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_server_packets'($*)) dnl
gen_require(`
type bgp_server_packet_t;
')
allow $1 bgp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bgp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send bgp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_server_packets'($*)) dnl
gen_require(`
type bgp_server_packet_t;
')
dontaudit $1 bgp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_server_packets'($*)) dnl
')
########################################
##
## Receive bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_server_packets'($*)) dnl
gen_require(`
type bgp_server_packet_t;
')
allow $1 bgp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl
gen_require(`
type bgp_server_packet_t;
')
dontaudit $1 bgp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl
')
########################################
##
## Send and receive bgp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_server_packets'($*)) dnl
corenet_send_bgp_server_packets($1)
corenet_receive_bgp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive bgp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl
corenet_dontaudit_send_bgp_server_packets($1)
corenet_dontaudit_receive_bgp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to bgp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_server_packets'($*)) dnl
gen_require(`
type bgp_server_packet_t;
')
allow $1 bgp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the boinc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
allow $1 boinc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_boinc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the boinc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
allow $1 boinc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_boinc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the boinc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
dontaudit $1 boinc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_boinc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the boinc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
allow $1 boinc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_boinc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the boinc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
dontaudit $1 boinc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_boinc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the boinc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_boinc_port'($*)) dnl
corenet_udp_send_boinc_port($1)
corenet_udp_receive_boinc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_boinc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the boinc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_boinc_port'($*)) dnl
corenet_dontaudit_udp_send_boinc_port($1)
corenet_dontaudit_udp_receive_boinc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_boinc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the boinc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
allow $1 boinc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_boinc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the boinc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
allow $1 boinc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_boinc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to boinc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
dontaudit $1 boinc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_boinc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the boinc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
allow $1 boinc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_boinc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to boinc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_boinc_port'($*)) dnl
gen_require(`
type boinc_port_t;
')
dontaudit $1 boinc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_boinc_port'($*)) dnl
')
########################################
##
## Send boinc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_packets'($*)) dnl
gen_require(`
type boinc_client_packet_t;
')
allow $1 boinc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send boinc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_packets'($*)) dnl
gen_require(`
type boinc_client_packet_t;
')
dontaudit $1 boinc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_packets'($*)) dnl
')
########################################
##
## Receive boinc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_packets'($*)) dnl
gen_require(`
type boinc_client_packet_t;
')
allow $1 boinc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive boinc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_packets'($*)) dnl
gen_require(`
type boinc_client_packet_t;
')
dontaudit $1 boinc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_packets'($*)) dnl
')
########################################
##
## Send and receive boinc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_packets'($*)) dnl
corenet_send_boinc_client_packets($1)
corenet_receive_boinc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive boinc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_packets'($*)) dnl
corenet_dontaudit_send_boinc_client_packets($1)
corenet_dontaudit_receive_boinc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to boinc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_packets'($*)) dnl
gen_require(`
type boinc_client_packet_t;
')
allow $1 boinc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_packets'($*)) dnl
')
########################################
##
## Send boinc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_server_packets'($*)) dnl
gen_require(`
type boinc_server_packet_t;
')
allow $1 boinc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send boinc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_server_packets'($*)) dnl
gen_require(`
type boinc_server_packet_t;
')
dontaudit $1 boinc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_server_packets'($*)) dnl
')
########################################
##
## Receive boinc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_server_packets'($*)) dnl
gen_require(`
type boinc_server_packet_t;
')
allow $1 boinc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive boinc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_server_packets'($*)) dnl
gen_require(`
type boinc_server_packet_t;
')
dontaudit $1 boinc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_server_packets'($*)) dnl
')
########################################
##
## Send and receive boinc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_server_packets'($*)) dnl
corenet_send_boinc_server_packets($1)
corenet_receive_boinc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive boinc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_server_packets'($*)) dnl
corenet_dontaudit_send_boinc_server_packets($1)
corenet_dontaudit_receive_boinc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to boinc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_server_packets'($*)) dnl
gen_require(`
type boinc_server_packet_t;
')
allow $1 boinc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the boinc_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
allow $1 boinc_client_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_boinc_client_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the boinc_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
allow $1 boinc_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_boinc_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the boinc_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
dontaudit $1 boinc_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_boinc_client_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the boinc_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
allow $1 boinc_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_boinc_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the boinc_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
dontaudit $1 boinc_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_boinc_client_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the boinc_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_boinc_client_port'($*)) dnl
corenet_udp_send_boinc_client_port($1)
corenet_udp_receive_boinc_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_boinc_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the boinc_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_boinc_client_port'($*)) dnl
corenet_dontaudit_udp_send_boinc_client_port($1)
corenet_dontaudit_udp_receive_boinc_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_boinc_client_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the boinc_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
allow $1 boinc_client_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_boinc_client_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the boinc_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
allow $1 boinc_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_boinc_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to boinc_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
dontaudit $1 boinc_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_boinc_client_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the boinc_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
allow $1 boinc_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_boinc_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to boinc_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_boinc_client_port'($*)) dnl
gen_require(`
type boinc_client_port_t;
')
dontaudit $1 boinc_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_boinc_client_port'($*)) dnl
')
########################################
##
## Send boinc_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_client_packets'($*)) dnl
gen_require(`
type boinc_client_client_packet_t;
')
allow $1 boinc_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send boinc_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_client_packets'($*)) dnl
gen_require(`
type boinc_client_client_packet_t;
')
dontaudit $1 boinc_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Receive boinc_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_client_packets'($*)) dnl
gen_require(`
type boinc_client_client_packet_t;
')
allow $1 boinc_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive boinc_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_client_packets'($*)) dnl
gen_require(`
type boinc_client_client_packet_t;
')
dontaudit $1 boinc_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Send and receive boinc_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_client_packets'($*)) dnl
corenet_send_boinc_client_client_packets($1)
corenet_receive_boinc_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive boinc_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_client_packets'($*)) dnl
corenet_dontaudit_send_boinc_client_client_packets($1)
corenet_dontaudit_receive_boinc_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to boinc_client_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_client_packets'($*)) dnl
gen_require(`
type boinc_client_client_packet_t;
')
allow $1 boinc_client_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_client_packets'($*)) dnl
')
########################################
##
## Send boinc_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_server_packets'($*)) dnl
gen_require(`
type boinc_client_server_packet_t;
')
allow $1 boinc_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send boinc_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_server_packets'($*)) dnl
gen_require(`
type boinc_client_server_packet_t;
')
dontaudit $1 boinc_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Receive boinc_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_server_packets'($*)) dnl
gen_require(`
type boinc_client_server_packet_t;
')
allow $1 boinc_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive boinc_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_server_packets'($*)) dnl
gen_require(`
type boinc_client_server_packet_t;
')
dontaudit $1 boinc_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive boinc_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_server_packets'($*)) dnl
corenet_send_boinc_client_server_packets($1)
corenet_receive_boinc_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive boinc_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_server_packets'($*)) dnl
corenet_dontaudit_send_boinc_client_server_packets($1)
corenet_dontaudit_receive_boinc_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to boinc_client_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_server_packets'($*)) dnl
gen_require(`
type boinc_client_server_packet_t;
')
allow $1 boinc_client_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the brlp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
allow $1 brlp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_brlp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the brlp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
allow $1 brlp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_brlp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the brlp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
dontaudit $1 brlp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_brlp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the brlp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
allow $1 brlp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_brlp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the brlp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
dontaudit $1 brlp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_brlp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the brlp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_brlp_port'($*)) dnl
corenet_udp_send_brlp_port($1)
corenet_udp_receive_brlp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_brlp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the brlp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_brlp_port'($*)) dnl
corenet_dontaudit_udp_send_brlp_port($1)
corenet_dontaudit_udp_receive_brlp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_brlp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the brlp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
allow $1 brlp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_brlp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the brlp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
allow $1 brlp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_brlp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to brlp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
dontaudit $1 brlp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_brlp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the brlp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
allow $1 brlp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_brlp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to brlp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_brlp_port'($*)) dnl
gen_require(`
type brlp_port_t;
')
dontaudit $1 brlp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_brlp_port'($*)) dnl
')
########################################
##
## Send brlp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_brlp_client_packets'($*)) dnl
gen_require(`
type brlp_client_packet_t;
')
allow $1 brlp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_brlp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send brlp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_brlp_client_packets'($*)) dnl
gen_require(`
type brlp_client_packet_t;
')
dontaudit $1 brlp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_brlp_client_packets'($*)) dnl
')
########################################
##
## Receive brlp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_brlp_client_packets'($*)) dnl
gen_require(`
type brlp_client_packet_t;
')
allow $1 brlp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_brlp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive brlp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_brlp_client_packets'($*)) dnl
gen_require(`
type brlp_client_packet_t;
')
dontaudit $1 brlp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_brlp_client_packets'($*)) dnl
')
########################################
##
## Send and receive brlp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_brlp_client_packets'($*)) dnl
corenet_send_brlp_client_packets($1)
corenet_receive_brlp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_brlp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive brlp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_brlp_client_packets'($*)) dnl
corenet_dontaudit_send_brlp_client_packets($1)
corenet_dontaudit_receive_brlp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_brlp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to brlp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_brlp_client_packets'($*)) dnl
gen_require(`
type brlp_client_packet_t;
')
allow $1 brlp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_brlp_client_packets'($*)) dnl
')
########################################
##
## Send brlp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_brlp_server_packets'($*)) dnl
gen_require(`
type brlp_server_packet_t;
')
allow $1 brlp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_brlp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send brlp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_brlp_server_packets'($*)) dnl
gen_require(`
type brlp_server_packet_t;
')
dontaudit $1 brlp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_brlp_server_packets'($*)) dnl
')
########################################
##
## Receive brlp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_brlp_server_packets'($*)) dnl
gen_require(`
type brlp_server_packet_t;
')
allow $1 brlp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_brlp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive brlp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_brlp_server_packets'($*)) dnl
gen_require(`
type brlp_server_packet_t;
')
dontaudit $1 brlp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_brlp_server_packets'($*)) dnl
')
########################################
##
## Send and receive brlp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_brlp_server_packets'($*)) dnl
corenet_send_brlp_server_packets($1)
corenet_receive_brlp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_brlp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive brlp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_brlp_server_packets'($*)) dnl
corenet_dontaudit_send_brlp_server_packets($1)
corenet_dontaudit_receive_brlp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_brlp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to brlp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_brlp_server_packets'($*)) dnl
gen_require(`
type brlp_server_packet_t;
')
allow $1 brlp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_brlp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the biff port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
allow $1 biff_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_biff_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the biff port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
allow $1 biff_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_biff_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the biff port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
dontaudit $1 biff_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_biff_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the biff port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
allow $1 biff_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_biff_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the biff port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
dontaudit $1 biff_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_biff_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the biff port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_biff_port'($*)) dnl
corenet_udp_send_biff_port($1)
corenet_udp_receive_biff_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_biff_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the biff port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_biff_port'($*)) dnl
corenet_dontaudit_udp_send_biff_port($1)
corenet_dontaudit_udp_receive_biff_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_biff_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the biff port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
allow $1 biff_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_biff_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the biff port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
allow $1 biff_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_biff_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to biff port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
dontaudit $1 biff_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_biff_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the biff port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
allow $1 biff_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_biff_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to biff port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_biff_port'($*)) dnl
gen_require(`
type biff_port_t;
')
dontaudit $1 biff_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_biff_port'($*)) dnl
')
########################################
##
## Send biff_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_biff_client_packets'($*)) dnl
gen_require(`
type biff_client_packet_t;
')
allow $1 biff_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_biff_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send biff_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_biff_client_packets'($*)) dnl
gen_require(`
type biff_client_packet_t;
')
dontaudit $1 biff_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_biff_client_packets'($*)) dnl
')
########################################
##
## Receive biff_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_biff_client_packets'($*)) dnl
gen_require(`
type biff_client_packet_t;
')
allow $1 biff_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_biff_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive biff_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_biff_client_packets'($*)) dnl
gen_require(`
type biff_client_packet_t;
')
dontaudit $1 biff_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_biff_client_packets'($*)) dnl
')
########################################
##
## Send and receive biff_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_biff_client_packets'($*)) dnl
corenet_send_biff_client_packets($1)
corenet_receive_biff_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_biff_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive biff_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_biff_client_packets'($*)) dnl
corenet_dontaudit_send_biff_client_packets($1)
corenet_dontaudit_receive_biff_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_biff_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to biff_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_biff_client_packets'($*)) dnl
gen_require(`
type biff_client_packet_t;
')
allow $1 biff_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_biff_client_packets'($*)) dnl
')
########################################
##
## Send biff_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_biff_server_packets'($*)) dnl
gen_require(`
type biff_server_packet_t;
')
allow $1 biff_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_biff_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send biff_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_biff_server_packets'($*)) dnl
gen_require(`
type biff_server_packet_t;
')
dontaudit $1 biff_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_biff_server_packets'($*)) dnl
')
########################################
##
## Receive biff_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_biff_server_packets'($*)) dnl
gen_require(`
type biff_server_packet_t;
')
allow $1 biff_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_biff_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive biff_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_biff_server_packets'($*)) dnl
gen_require(`
type biff_server_packet_t;
')
dontaudit $1 biff_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_biff_server_packets'($*)) dnl
')
########################################
##
## Send and receive biff_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_biff_server_packets'($*)) dnl
corenet_send_biff_server_packets($1)
corenet_receive_biff_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_biff_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive biff_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_biff_server_packets'($*)) dnl
corenet_dontaudit_send_biff_server_packets($1)
corenet_dontaudit_receive_biff_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_biff_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to biff_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_biff_server_packets'($*)) dnl
gen_require(`
type biff_server_packet_t;
')
allow $1 biff_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_biff_server_packets'($*)) dnl
')
# no defined portcon
########################################
##
## Send and receive TCP traffic on the certmaster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
allow $1 certmaster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_certmaster_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the certmaster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
allow $1 certmaster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_certmaster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the certmaster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
dontaudit $1 certmaster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_certmaster_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the certmaster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
allow $1 certmaster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_certmaster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the certmaster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
dontaudit $1 certmaster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_certmaster_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the certmaster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_certmaster_port'($*)) dnl
corenet_udp_send_certmaster_port($1)
corenet_udp_receive_certmaster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_certmaster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the certmaster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_certmaster_port'($*)) dnl
corenet_dontaudit_udp_send_certmaster_port($1)
corenet_dontaudit_udp_receive_certmaster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_certmaster_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the certmaster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
allow $1 certmaster_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_certmaster_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the certmaster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
allow $1 certmaster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_certmaster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to certmaster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
dontaudit $1 certmaster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_certmaster_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the certmaster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
allow $1 certmaster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_certmaster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to certmaster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_certmaster_port'($*)) dnl
gen_require(`
type certmaster_port_t;
')
dontaudit $1 certmaster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_certmaster_port'($*)) dnl
')
########################################
##
## Send certmaster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_certmaster_client_packets'($*)) dnl
gen_require(`
type certmaster_client_packet_t;
')
allow $1 certmaster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_certmaster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send certmaster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_certmaster_client_packets'($*)) dnl
gen_require(`
type certmaster_client_packet_t;
')
dontaudit $1 certmaster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_certmaster_client_packets'($*)) dnl
')
########################################
##
## Receive certmaster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_certmaster_client_packets'($*)) dnl
gen_require(`
type certmaster_client_packet_t;
')
allow $1 certmaster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_certmaster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive certmaster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_certmaster_client_packets'($*)) dnl
gen_require(`
type certmaster_client_packet_t;
')
dontaudit $1 certmaster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_certmaster_client_packets'($*)) dnl
')
########################################
##
## Send and receive certmaster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_certmaster_client_packets'($*)) dnl
corenet_send_certmaster_client_packets($1)
corenet_receive_certmaster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_certmaster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive certmaster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_certmaster_client_packets'($*)) dnl
corenet_dontaudit_send_certmaster_client_packets($1)
corenet_dontaudit_receive_certmaster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_certmaster_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to certmaster_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_certmaster_client_packets'($*)) dnl
gen_require(`
type certmaster_client_packet_t;
')
allow $1 certmaster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_certmaster_client_packets'($*)) dnl
')
########################################
##
## Send certmaster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_certmaster_server_packets'($*)) dnl
gen_require(`
type certmaster_server_packet_t;
')
allow $1 certmaster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_certmaster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send certmaster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_certmaster_server_packets'($*)) dnl
gen_require(`
type certmaster_server_packet_t;
')
dontaudit $1 certmaster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_certmaster_server_packets'($*)) dnl
')
########################################
##
## Receive certmaster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_certmaster_server_packets'($*)) dnl
gen_require(`
type certmaster_server_packet_t;
')
allow $1 certmaster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_certmaster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive certmaster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_certmaster_server_packets'($*)) dnl
gen_require(`
type certmaster_server_packet_t;
')
dontaudit $1 certmaster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_certmaster_server_packets'($*)) dnl
')
########################################
##
## Send and receive certmaster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_certmaster_server_packets'($*)) dnl
corenet_send_certmaster_server_packets($1)
corenet_receive_certmaster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_certmaster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive certmaster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_certmaster_server_packets'($*)) dnl
corenet_dontaudit_send_certmaster_server_packets($1)
corenet_dontaudit_receive_certmaster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_certmaster_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to certmaster_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_certmaster_server_packets'($*)) dnl
gen_require(`
type certmaster_server_packet_t;
')
allow $1 certmaster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_certmaster_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the collectd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
allow $1 collectd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_collectd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the collectd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
allow $1 collectd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_collectd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the collectd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
dontaudit $1 collectd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_collectd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the collectd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
allow $1 collectd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_collectd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the collectd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
dontaudit $1 collectd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_collectd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the collectd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_collectd_port'($*)) dnl
corenet_udp_send_collectd_port($1)
corenet_udp_receive_collectd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_collectd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the collectd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_collectd_port'($*)) dnl
corenet_dontaudit_udp_send_collectd_port($1)
corenet_dontaudit_udp_receive_collectd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_collectd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the collectd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
allow $1 collectd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_collectd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the collectd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
allow $1 collectd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_collectd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to collectd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
dontaudit $1 collectd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_collectd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the collectd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
allow $1 collectd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_collectd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to collectd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_collectd_port'($*)) dnl
gen_require(`
type collectd_port_t;
')
dontaudit $1 collectd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_collectd_port'($*)) dnl
')
########################################
##
## Send collectd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_collectd_client_packets'($*)) dnl
gen_require(`
type collectd_client_packet_t;
')
allow $1 collectd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_collectd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send collectd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_collectd_client_packets'($*)) dnl
gen_require(`
type collectd_client_packet_t;
')
dontaudit $1 collectd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_collectd_client_packets'($*)) dnl
')
########################################
##
## Receive collectd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_collectd_client_packets'($*)) dnl
gen_require(`
type collectd_client_packet_t;
')
allow $1 collectd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_collectd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive collectd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_collectd_client_packets'($*)) dnl
gen_require(`
type collectd_client_packet_t;
')
dontaudit $1 collectd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_collectd_client_packets'($*)) dnl
')
########################################
##
## Send and receive collectd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_collectd_client_packets'($*)) dnl
corenet_send_collectd_client_packets($1)
corenet_receive_collectd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_collectd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive collectd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_collectd_client_packets'($*)) dnl
corenet_dontaudit_send_collectd_client_packets($1)
corenet_dontaudit_receive_collectd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_collectd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to collectd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_collectd_client_packets'($*)) dnl
gen_require(`
type collectd_client_packet_t;
')
allow $1 collectd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_collectd_client_packets'($*)) dnl
')
########################################
##
## Send collectd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_collectd_server_packets'($*)) dnl
gen_require(`
type collectd_server_packet_t;
')
allow $1 collectd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_collectd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send collectd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_collectd_server_packets'($*)) dnl
gen_require(`
type collectd_server_packet_t;
')
dontaudit $1 collectd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_collectd_server_packets'($*)) dnl
')
########################################
##
## Receive collectd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_collectd_server_packets'($*)) dnl
gen_require(`
type collectd_server_packet_t;
')
allow $1 collectd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_collectd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive collectd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_collectd_server_packets'($*)) dnl
gen_require(`
type collectd_server_packet_t;
')
dontaudit $1 collectd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_collectd_server_packets'($*)) dnl
')
########################################
##
## Send and receive collectd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_collectd_server_packets'($*)) dnl
corenet_send_collectd_server_packets($1)
corenet_receive_collectd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_collectd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive collectd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_collectd_server_packets'($*)) dnl
corenet_dontaudit_send_collectd_server_packets($1)
corenet_dontaudit_receive_collectd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_collectd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to collectd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_collectd_server_packets'($*)) dnl
gen_require(`
type collectd_server_packet_t;
')
allow $1 collectd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_collectd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the chronyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
allow $1 chronyd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_chronyd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the chronyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
allow $1 chronyd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_chronyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the chronyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
dontaudit $1 chronyd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_chronyd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the chronyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
allow $1 chronyd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_chronyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the chronyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
dontaudit $1 chronyd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_chronyd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the chronyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_chronyd_port'($*)) dnl
corenet_udp_send_chronyd_port($1)
corenet_udp_receive_chronyd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_chronyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the chronyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_chronyd_port'($*)) dnl
corenet_dontaudit_udp_send_chronyd_port($1)
corenet_dontaudit_udp_receive_chronyd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_chronyd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the chronyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
allow $1 chronyd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_chronyd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the chronyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
allow $1 chronyd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_chronyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to chronyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
dontaudit $1 chronyd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_chronyd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the chronyd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
allow $1 chronyd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_chronyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to chronyd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_chronyd_port'($*)) dnl
gen_require(`
type chronyd_port_t;
')
dontaudit $1 chronyd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_chronyd_port'($*)) dnl
')
########################################
##
## Send chronyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_chronyd_client_packets'($*)) dnl
gen_require(`
type chronyd_client_packet_t;
')
allow $1 chronyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_chronyd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send chronyd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_chronyd_client_packets'($*)) dnl
gen_require(`
type chronyd_client_packet_t;
')
dontaudit $1 chronyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_chronyd_client_packets'($*)) dnl
')
########################################
##
## Receive chronyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_chronyd_client_packets'($*)) dnl
gen_require(`
type chronyd_client_packet_t;
')
allow $1 chronyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_chronyd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive chronyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_chronyd_client_packets'($*)) dnl
gen_require(`
type chronyd_client_packet_t;
')
dontaudit $1 chronyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_chronyd_client_packets'($*)) dnl
')
########################################
##
## Send and receive chronyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_chronyd_client_packets'($*)) dnl
corenet_send_chronyd_client_packets($1)
corenet_receive_chronyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_chronyd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive chronyd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_chronyd_client_packets'($*)) dnl
corenet_dontaudit_send_chronyd_client_packets($1)
corenet_dontaudit_receive_chronyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_chronyd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to chronyd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_chronyd_client_packets'($*)) dnl
gen_require(`
type chronyd_client_packet_t;
')
allow $1 chronyd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_chronyd_client_packets'($*)) dnl
')
########################################
##
## Send chronyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_chronyd_server_packets'($*)) dnl
gen_require(`
type chronyd_server_packet_t;
')
allow $1 chronyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_chronyd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send chronyd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_chronyd_server_packets'($*)) dnl
gen_require(`
type chronyd_server_packet_t;
')
dontaudit $1 chronyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_chronyd_server_packets'($*)) dnl
')
########################################
##
## Receive chronyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_chronyd_server_packets'($*)) dnl
gen_require(`
type chronyd_server_packet_t;
')
allow $1 chronyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_chronyd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive chronyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_chronyd_server_packets'($*)) dnl
gen_require(`
type chronyd_server_packet_t;
')
dontaudit $1 chronyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_chronyd_server_packets'($*)) dnl
')
########################################
##
## Send and receive chronyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_chronyd_server_packets'($*)) dnl
corenet_send_chronyd_server_packets($1)
corenet_receive_chronyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_chronyd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive chronyd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_chronyd_server_packets'($*)) dnl
corenet_dontaudit_send_chronyd_server_packets($1)
corenet_dontaudit_receive_chronyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_chronyd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to chronyd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_chronyd_server_packets'($*)) dnl
gen_require(`
type chronyd_server_packet_t;
')
allow $1 chronyd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_chronyd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clamd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
dontaudit $1 clamd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clamd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
dontaudit $1 clamd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clamd_port'($*)) dnl
corenet_udp_send_clamd_port($1)
corenet_udp_receive_clamd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl
corenet_dontaudit_udp_send_clamd_port($1)
corenet_dontaudit_udp_receive_clamd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clamd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the clamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to clamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
dontaudit $1 clamd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_clamd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the clamd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
allow $1 clamd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to clamd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_clamd_port'($*)) dnl
gen_require(`
type clamd_port_t;
')
dontaudit $1 clamd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_clamd_port'($*)) dnl
')
########################################
##
## Send clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_client_packets'($*)) dnl
gen_require(`
type clamd_client_packet_t;
')
allow $1 clamd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_client_packets'($*)) dnl
gen_require(`
type clamd_client_packet_t;
')
dontaudit $1 clamd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_client_packets'($*)) dnl
')
########################################
##
## Receive clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_client_packets'($*)) dnl
gen_require(`
type clamd_client_packet_t;
')
allow $1 clamd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl
gen_require(`
type clamd_client_packet_t;
')
dontaudit $1 clamd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl
')
########################################
##
## Send and receive clamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_client_packets'($*)) dnl
corenet_send_clamd_client_packets($1)
corenet_receive_clamd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl
corenet_dontaudit_send_clamd_client_packets($1)
corenet_dontaudit_receive_clamd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to clamd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_client_packets'($*)) dnl
gen_require(`
type clamd_client_packet_t;
')
allow $1 clamd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_client_packets'($*)) dnl
')
########################################
##
## Send clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_server_packets'($*)) dnl
gen_require(`
type clamd_server_packet_t;
')
allow $1 clamd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_server_packets'($*)) dnl
gen_require(`
type clamd_server_packet_t;
')
dontaudit $1 clamd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_server_packets'($*)) dnl
')
########################################
##
## Receive clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_server_packets'($*)) dnl
gen_require(`
type clamd_server_packet_t;
')
allow $1 clamd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl
gen_require(`
type clamd_server_packet_t;
')
dontaudit $1 clamd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive clamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_server_packets'($*)) dnl
corenet_send_clamd_server_packets($1)
corenet_receive_clamd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl
corenet_dontaudit_send_clamd_server_packets($1)
corenet_dontaudit_receive_clamd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to clamd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_server_packets'($*)) dnl
gen_require(`
type clamd_server_packet_t;
')
allow $1 clamd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
dontaudit $1 clockspeed_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
dontaudit $1 clockspeed_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clockspeed_port'($*)) dnl
corenet_udp_send_clockspeed_port($1)
corenet_udp_receive_clockspeed_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl
corenet_dontaudit_udp_send_clockspeed_port($1)
corenet_dontaudit_udp_receive_clockspeed_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clockspeed_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the clockspeed port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to clockspeed port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
dontaudit $1 clockspeed_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_clockspeed_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the clockspeed port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
allow $1 clockspeed_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clockspeed_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to clockspeed port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_clockspeed_port'($*)) dnl
gen_require(`
type clockspeed_port_t;
')
dontaudit $1 clockspeed_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_clockspeed_port'($*)) dnl
')
########################################
##
## Send clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_client_packets'($*)) dnl
gen_require(`
type clockspeed_client_packet_t;
')
allow $1 clockspeed_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clockspeed_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl
gen_require(`
type clockspeed_client_packet_t;
')
dontaudit $1 clockspeed_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Receive clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_client_packets'($*)) dnl
gen_require(`
type clockspeed_client_packet_t;
')
allow $1 clockspeed_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl
gen_require(`
type clockspeed_client_packet_t;
')
dontaudit $1 clockspeed_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Send and receive clockspeed_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_client_packets'($*)) dnl
corenet_send_clockspeed_client_packets($1)
corenet_receive_clockspeed_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clockspeed_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl
corenet_dontaudit_send_clockspeed_client_packets($1)
corenet_dontaudit_receive_clockspeed_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to clockspeed_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_client_packets'($*)) dnl
gen_require(`
type clockspeed_client_packet_t;
')
allow $1 clockspeed_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_client_packets'($*)) dnl
')
########################################
##
## Send clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
allow $1 clockspeed_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send clockspeed_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
dontaudit $1 clockspeed_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Receive clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
allow $1 clockspeed_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
dontaudit $1 clockspeed_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Send and receive clockspeed_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_server_packets'($*)) dnl
corenet_send_clockspeed_server_packets($1)
corenet_receive_clockspeed_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive clockspeed_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl
corenet_dontaudit_send_clockspeed_server_packets($1)
corenet_dontaudit_receive_clockspeed_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to clockspeed_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_server_packets'($*)) dnl
gen_require(`
type clockspeed_server_packet_t;
')
allow $1 clockspeed_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
allow $1 cluster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cluster_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
allow $1 cluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
dontaudit $1 cluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cluster_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
allow $1 cluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
dontaudit $1 cluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cluster_port'($*)) dnl
corenet_udp_send_cluster_port($1)
corenet_udp_receive_cluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl
corenet_dontaudit_udp_send_cluster_port($1)
corenet_dontaudit_udp_receive_cluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
allow $1 cluster_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cluster_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
allow $1 cluster_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
dontaudit $1 cluster_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cluster_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
allow $1 cluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cluster_port'($*)) dnl
gen_require(`
type cluster_port_t;
')
dontaudit $1 cluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cluster_port'($*)) dnl
')
########################################
##
## Send cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
allow $1 cluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
dontaudit $1 cluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_client_packets'($*)) dnl
')
########################################
##
## Receive cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
allow $1 cluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
dontaudit $1 cluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl
')
########################################
##
## Send and receive cluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_client_packets'($*)) dnl
corenet_send_cluster_client_packets($1)
corenet_receive_cluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl
corenet_dontaudit_send_cluster_client_packets($1)
corenet_dontaudit_receive_cluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cluster_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_client_packets'($*)) dnl
gen_require(`
type cluster_client_packet_t;
')
allow $1 cluster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_client_packets'($*)) dnl
')
########################################
##
## Send cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
allow $1 cluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
dontaudit $1 cluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_server_packets'($*)) dnl
')
########################################
##
## Receive cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
allow $1 cluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
dontaudit $1 cluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive cluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_server_packets'($*)) dnl
corenet_send_cluster_server_packets($1)
corenet_receive_cluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl
corenet_dontaudit_send_cluster_server_packets($1)
corenet_dontaudit_receive_cluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cluster_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_server_packets'($*)) dnl
gen_require(`
type cluster_server_packet_t;
')
allow $1 cluster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cma port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
allow $1 cma_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cma_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cma port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
allow $1 cma_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cma_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cma port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
dontaudit $1 cma_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cma_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cma port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
allow $1 cma_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cma_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cma port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
dontaudit $1 cma_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cma_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cma port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cma_port'($*)) dnl
corenet_udp_send_cma_port($1)
corenet_udp_receive_cma_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cma_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cma port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cma_port'($*)) dnl
corenet_dontaudit_udp_send_cma_port($1)
corenet_dontaudit_udp_receive_cma_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cma_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cma port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
allow $1 cma_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cma_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cma port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
allow $1 cma_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cma_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cma port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
dontaudit $1 cma_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cma_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cma port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
allow $1 cma_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cma_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cma port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cma_port'($*)) dnl
gen_require(`
type cma_port_t;
')
dontaudit $1 cma_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cma_port'($*)) dnl
')
########################################
##
## Send cma_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cma_client_packets'($*)) dnl
gen_require(`
type cma_client_packet_t;
')
allow $1 cma_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cma_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cma_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cma_client_packets'($*)) dnl
gen_require(`
type cma_client_packet_t;
')
dontaudit $1 cma_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cma_client_packets'($*)) dnl
')
########################################
##
## Receive cma_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cma_client_packets'($*)) dnl
gen_require(`
type cma_client_packet_t;
')
allow $1 cma_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cma_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cma_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cma_client_packets'($*)) dnl
gen_require(`
type cma_client_packet_t;
')
dontaudit $1 cma_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cma_client_packets'($*)) dnl
')
########################################
##
## Send and receive cma_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cma_client_packets'($*)) dnl
corenet_send_cma_client_packets($1)
corenet_receive_cma_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cma_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cma_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cma_client_packets'($*)) dnl
corenet_dontaudit_send_cma_client_packets($1)
corenet_dontaudit_receive_cma_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cma_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cma_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cma_client_packets'($*)) dnl
gen_require(`
type cma_client_packet_t;
')
allow $1 cma_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cma_client_packets'($*)) dnl
')
########################################
##
## Send cma_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cma_server_packets'($*)) dnl
gen_require(`
type cma_server_packet_t;
')
allow $1 cma_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cma_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cma_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cma_server_packets'($*)) dnl
gen_require(`
type cma_server_packet_t;
')
dontaudit $1 cma_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cma_server_packets'($*)) dnl
')
########################################
##
## Receive cma_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cma_server_packets'($*)) dnl
gen_require(`
type cma_server_packet_t;
')
allow $1 cma_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cma_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cma_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cma_server_packets'($*)) dnl
gen_require(`
type cma_server_packet_t;
')
dontaudit $1 cma_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cma_server_packets'($*)) dnl
')
########################################
##
## Send and receive cma_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cma_server_packets'($*)) dnl
corenet_send_cma_server_packets($1)
corenet_receive_cma_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cma_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cma_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cma_server_packets'($*)) dnl
corenet_dontaudit_send_cma_server_packets($1)
corenet_dontaudit_receive_cma_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cma_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cma_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cma_server_packets'($*)) dnl
gen_require(`
type cma_server_packet_t;
')
allow $1 cma_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cma_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cmadmin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
allow $1 cmadmin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cmadmin_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cmadmin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
allow $1 cmadmin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cmadmin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cmadmin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cmadmin_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cmadmin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
allow $1 cmadmin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cmadmin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cmadmin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cmadmin_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cmadmin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cmadmin_port'($*)) dnl
corenet_udp_send_cmadmin_port($1)
corenet_udp_receive_cmadmin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cmadmin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cmadmin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cmadmin_port'($*)) dnl
corenet_dontaudit_udp_send_cmadmin_port($1)
corenet_dontaudit_udp_receive_cmadmin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cmadmin_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cmadmin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
allow $1 cmadmin_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cmadmin_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cmadmin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
allow $1 cmadmin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cmadmin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cmadmin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cmadmin_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cmadmin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
allow $1 cmadmin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cmadmin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cmadmin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cmadmin_port'($*)) dnl
gen_require(`
type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cmadmin_port'($*)) dnl
')
########################################
##
## Send cmadmin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cmadmin_client_packets'($*)) dnl
gen_require(`
type cmadmin_client_packet_t;
')
allow $1 cmadmin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cmadmin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cmadmin_client_packets'($*)) dnl
gen_require(`
type cmadmin_client_packet_t;
')
dontaudit $1 cmadmin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Receive cmadmin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cmadmin_client_packets'($*)) dnl
gen_require(`
type cmadmin_client_packet_t;
')
allow $1 cmadmin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cmadmin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cmadmin_client_packets'($*)) dnl
gen_require(`
type cmadmin_client_packet_t;
')
dontaudit $1 cmadmin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Send and receive cmadmin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cmadmin_client_packets'($*)) dnl
corenet_send_cmadmin_client_packets($1)
corenet_receive_cmadmin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cmadmin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cmadmin_client_packets'($*)) dnl
corenet_dontaudit_send_cmadmin_client_packets($1)
corenet_dontaudit_receive_cmadmin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cmadmin_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cmadmin_client_packets'($*)) dnl
gen_require(`
type cmadmin_client_packet_t;
')
allow $1 cmadmin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cmadmin_client_packets'($*)) dnl
')
########################################
##
## Send cmadmin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cmadmin_server_packets'($*)) dnl
gen_require(`
type cmadmin_server_packet_t;
')
allow $1 cmadmin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cmadmin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cmadmin_server_packets'($*)) dnl
gen_require(`
type cmadmin_server_packet_t;
')
dontaudit $1 cmadmin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Receive cmadmin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cmadmin_server_packets'($*)) dnl
gen_require(`
type cmadmin_server_packet_t;
')
allow $1 cmadmin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cmadmin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cmadmin_server_packets'($*)) dnl
gen_require(`
type cmadmin_server_packet_t;
')
dontaudit $1 cmadmin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Send and receive cmadmin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cmadmin_server_packets'($*)) dnl
corenet_send_cmadmin_server_packets($1)
corenet_receive_cmadmin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cmadmin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cmadmin_server_packets'($*)) dnl
corenet_dontaudit_send_cmadmin_server_packets($1)
corenet_dontaudit_receive_cmadmin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cmadmin_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cmadmin_server_packets'($*)) dnl
gen_require(`
type cmadmin_server_packet_t;
')
allow $1 cmadmin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cmadmin_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cobbler port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
allow $1 cobbler_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cobbler_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cobbler port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
allow $1 cobbler_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cobbler_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cobbler port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
dontaudit $1 cobbler_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cobbler_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cobbler port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
allow $1 cobbler_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cobbler_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cobbler port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
dontaudit $1 cobbler_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cobbler_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cobbler port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cobbler_port'($*)) dnl
corenet_udp_send_cobbler_port($1)
corenet_udp_receive_cobbler_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cobbler_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cobbler port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cobbler_port'($*)) dnl
corenet_dontaudit_udp_send_cobbler_port($1)
corenet_dontaudit_udp_receive_cobbler_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cobbler_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cobbler port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
allow $1 cobbler_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cobbler_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cobbler port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
allow $1 cobbler_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cobbler_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cobbler port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
dontaudit $1 cobbler_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cobbler_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cobbler port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
allow $1 cobbler_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cobbler_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cobbler port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cobbler_port'($*)) dnl
gen_require(`
type cobbler_port_t;
')
dontaudit $1 cobbler_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cobbler_port'($*)) dnl
')
########################################
##
## Send cobbler_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cobbler_client_packets'($*)) dnl
gen_require(`
type cobbler_client_packet_t;
')
allow $1 cobbler_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cobbler_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cobbler_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cobbler_client_packets'($*)) dnl
gen_require(`
type cobbler_client_packet_t;
')
dontaudit $1 cobbler_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cobbler_client_packets'($*)) dnl
')
########################################
##
## Receive cobbler_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cobbler_client_packets'($*)) dnl
gen_require(`
type cobbler_client_packet_t;
')
allow $1 cobbler_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cobbler_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cobbler_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cobbler_client_packets'($*)) dnl
gen_require(`
type cobbler_client_packet_t;
')
dontaudit $1 cobbler_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cobbler_client_packets'($*)) dnl
')
########################################
##
## Send and receive cobbler_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cobbler_client_packets'($*)) dnl
corenet_send_cobbler_client_packets($1)
corenet_receive_cobbler_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cobbler_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cobbler_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cobbler_client_packets'($*)) dnl
corenet_dontaudit_send_cobbler_client_packets($1)
corenet_dontaudit_receive_cobbler_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cobbler_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cobbler_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cobbler_client_packets'($*)) dnl
gen_require(`
type cobbler_client_packet_t;
')
allow $1 cobbler_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cobbler_client_packets'($*)) dnl
')
########################################
##
## Send cobbler_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cobbler_server_packets'($*)) dnl
gen_require(`
type cobbler_server_packet_t;
')
allow $1 cobbler_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cobbler_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cobbler_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cobbler_server_packets'($*)) dnl
gen_require(`
type cobbler_server_packet_t;
')
dontaudit $1 cobbler_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cobbler_server_packets'($*)) dnl
')
########################################
##
## Receive cobbler_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cobbler_server_packets'($*)) dnl
gen_require(`
type cobbler_server_packet_t;
')
allow $1 cobbler_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cobbler_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cobbler_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cobbler_server_packets'($*)) dnl
gen_require(`
type cobbler_server_packet_t;
')
dontaudit $1 cobbler_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cobbler_server_packets'($*)) dnl
')
########################################
##
## Send and receive cobbler_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cobbler_server_packets'($*)) dnl
corenet_send_cobbler_server_packets($1)
corenet_receive_cobbler_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cobbler_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cobbler_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cobbler_server_packets'($*)) dnl
corenet_dontaudit_send_cobbler_server_packets($1)
corenet_dontaudit_receive_cobbler_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cobbler_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cobbler_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cobbler_server_packets'($*)) dnl
gen_require(`
type cobbler_server_packet_t;
')
allow $1 cobbler_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cobbler_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the commplex_link port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
allow $1 commplex_link_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_commplex_link_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the commplex_link port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
allow $1 commplex_link_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_commplex_link_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the commplex_link port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
dontaudit $1 commplex_link_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_commplex_link_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the commplex_link port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
allow $1 commplex_link_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_commplex_link_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the commplex_link port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
dontaudit $1 commplex_link_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_commplex_link_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the commplex_link port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_commplex_link_port'($*)) dnl
corenet_udp_send_commplex_link_port($1)
corenet_udp_receive_commplex_link_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_commplex_link_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the commplex_link port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_commplex_link_port'($*)) dnl
corenet_dontaudit_udp_send_commplex_link_port($1)
corenet_dontaudit_udp_receive_commplex_link_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_commplex_link_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the commplex_link port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
allow $1 commplex_link_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_commplex_link_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the commplex_link port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
allow $1 commplex_link_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_commplex_link_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to commplex_link port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
dontaudit $1 commplex_link_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_commplex_link_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the commplex_link port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
allow $1 commplex_link_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_commplex_link_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to commplex_link port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_commplex_link_port'($*)) dnl
gen_require(`
type commplex_link_port_t;
')
dontaudit $1 commplex_link_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_commplex_link_port'($*)) dnl
')
########################################
##
## Send commplex_link_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_link_client_packets'($*)) dnl
gen_require(`
type commplex_link_client_packet_t;
')
allow $1 commplex_link_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send commplex_link_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_link_client_packets'($*)) dnl
gen_require(`
type commplex_link_client_packet_t;
')
dontaudit $1 commplex_link_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Receive commplex_link_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_link_client_packets'($*)) dnl
gen_require(`
type commplex_link_client_packet_t;
')
allow $1 commplex_link_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive commplex_link_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_link_client_packets'($*)) dnl
gen_require(`
type commplex_link_client_packet_t;
')
dontaudit $1 commplex_link_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Send and receive commplex_link_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_link_client_packets'($*)) dnl
corenet_send_commplex_link_client_packets($1)
corenet_receive_commplex_link_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive commplex_link_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_link_client_packets'($*)) dnl
corenet_dontaudit_send_commplex_link_client_packets($1)
corenet_dontaudit_receive_commplex_link_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to commplex_link_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_link_client_packets'($*)) dnl
gen_require(`
type commplex_link_client_packet_t;
')
allow $1 commplex_link_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_link_client_packets'($*)) dnl
')
########################################
##
## Send commplex_link_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_link_server_packets'($*)) dnl
gen_require(`
type commplex_link_server_packet_t;
')
allow $1 commplex_link_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send commplex_link_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_link_server_packets'($*)) dnl
gen_require(`
type commplex_link_server_packet_t;
')
dontaudit $1 commplex_link_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Receive commplex_link_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_link_server_packets'($*)) dnl
gen_require(`
type commplex_link_server_packet_t;
')
allow $1 commplex_link_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive commplex_link_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_link_server_packets'($*)) dnl
gen_require(`
type commplex_link_server_packet_t;
')
dontaudit $1 commplex_link_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Send and receive commplex_link_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_link_server_packets'($*)) dnl
corenet_send_commplex_link_server_packets($1)
corenet_receive_commplex_link_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive commplex_link_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_link_server_packets'($*)) dnl
corenet_dontaudit_send_commplex_link_server_packets($1)
corenet_dontaudit_receive_commplex_link_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to commplex_link_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_link_server_packets'($*)) dnl
gen_require(`
type commplex_link_server_packet_t;
')
allow $1 commplex_link_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_link_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the commplex_main port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
allow $1 commplex_main_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_commplex_main_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the commplex_main port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
allow $1 commplex_main_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_commplex_main_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the commplex_main port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
dontaudit $1 commplex_main_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_commplex_main_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the commplex_main port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
allow $1 commplex_main_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_commplex_main_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the commplex_main port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
dontaudit $1 commplex_main_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_commplex_main_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the commplex_main port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_commplex_main_port'($*)) dnl
corenet_udp_send_commplex_main_port($1)
corenet_udp_receive_commplex_main_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_commplex_main_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the commplex_main port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_commplex_main_port'($*)) dnl
corenet_dontaudit_udp_send_commplex_main_port($1)
corenet_dontaudit_udp_receive_commplex_main_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_commplex_main_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the commplex_main port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
allow $1 commplex_main_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_commplex_main_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the commplex_main port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
allow $1 commplex_main_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_commplex_main_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to commplex_main port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
dontaudit $1 commplex_main_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_commplex_main_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the commplex_main port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
allow $1 commplex_main_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_commplex_main_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to commplex_main port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_commplex_main_port'($*)) dnl
gen_require(`
type commplex_main_port_t;
')
dontaudit $1 commplex_main_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_commplex_main_port'($*)) dnl
')
########################################
##
## Send commplex_main_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_main_client_packets'($*)) dnl
gen_require(`
type commplex_main_client_packet_t;
')
allow $1 commplex_main_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send commplex_main_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_main_client_packets'($*)) dnl
gen_require(`
type commplex_main_client_packet_t;
')
dontaudit $1 commplex_main_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Receive commplex_main_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_main_client_packets'($*)) dnl
gen_require(`
type commplex_main_client_packet_t;
')
allow $1 commplex_main_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive commplex_main_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_main_client_packets'($*)) dnl
gen_require(`
type commplex_main_client_packet_t;
')
dontaudit $1 commplex_main_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Send and receive commplex_main_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_main_client_packets'($*)) dnl
corenet_send_commplex_main_client_packets($1)
corenet_receive_commplex_main_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive commplex_main_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_main_client_packets'($*)) dnl
corenet_dontaudit_send_commplex_main_client_packets($1)
corenet_dontaudit_receive_commplex_main_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to commplex_main_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_main_client_packets'($*)) dnl
gen_require(`
type commplex_main_client_packet_t;
')
allow $1 commplex_main_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_main_client_packets'($*)) dnl
')
########################################
##
## Send commplex_main_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_main_server_packets'($*)) dnl
gen_require(`
type commplex_main_server_packet_t;
')
allow $1 commplex_main_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send commplex_main_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_main_server_packets'($*)) dnl
gen_require(`
type commplex_main_server_packet_t;
')
dontaudit $1 commplex_main_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Receive commplex_main_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_main_server_packets'($*)) dnl
gen_require(`
type commplex_main_server_packet_t;
')
allow $1 commplex_main_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive commplex_main_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_main_server_packets'($*)) dnl
gen_require(`
type commplex_main_server_packet_t;
')
dontaudit $1 commplex_main_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Send and receive commplex_main_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_main_server_packets'($*)) dnl
corenet_send_commplex_main_server_packets($1)
corenet_receive_commplex_main_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive commplex_main_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_main_server_packets'($*)) dnl
corenet_dontaudit_send_commplex_main_server_packets($1)
corenet_dontaudit_receive_commplex_main_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to commplex_main_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_main_server_packets'($*)) dnl
gen_require(`
type commplex_main_server_packet_t;
')
allow $1 commplex_main_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_main_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_comsat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
dontaudit $1 comsat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_comsat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
dontaudit $1 comsat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_comsat_port'($*)) dnl
corenet_udp_send_comsat_port($1)
corenet_udp_receive_comsat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl
corenet_dontaudit_udp_send_comsat_port($1)
corenet_dontaudit_udp_receive_comsat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_comsat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the comsat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to comsat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
dontaudit $1 comsat_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_comsat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the comsat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
allow $1 comsat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_comsat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to comsat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_comsat_port'($*)) dnl
gen_require(`
type comsat_port_t;
')
dontaudit $1 comsat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_comsat_port'($*)) dnl
')
########################################
##
## Send comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
allow $1 comsat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_comsat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send comsat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
dontaudit $1 comsat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_client_packets'($*)) dnl
')
########################################
##
## Receive comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
allow $1 comsat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
dontaudit $1 comsat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl
')
########################################
##
## Send and receive comsat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_client_packets'($*)) dnl
corenet_send_comsat_client_packets($1)
corenet_receive_comsat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive comsat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl
corenet_dontaudit_send_comsat_client_packets($1)
corenet_dontaudit_receive_comsat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to comsat_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_client_packets'($*)) dnl
gen_require(`
type comsat_client_packet_t;
')
allow $1 comsat_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_client_packets'($*)) dnl
')
########################################
##
## Send comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
allow $1 comsat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_comsat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send comsat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
dontaudit $1 comsat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_server_packets'($*)) dnl
')
########################################
##
## Receive comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
allow $1 comsat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
dontaudit $1 comsat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl
')
########################################
##
## Send and receive comsat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_server_packets'($*)) dnl
corenet_send_comsat_server_packets($1)
corenet_receive_comsat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive comsat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl
corenet_dontaudit_send_comsat_server_packets($1)
corenet_dontaudit_receive_comsat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to comsat_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_server_packets'($*)) dnl
gen_require(`
type comsat_server_packet_t;
')
allow $1 comsat_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the condor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
allow $1 condor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_condor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the condor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
allow $1 condor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_condor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the condor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
dontaudit $1 condor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_condor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the condor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
allow $1 condor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_condor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the condor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
dontaudit $1 condor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_condor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the condor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_condor_port'($*)) dnl
corenet_udp_send_condor_port($1)
corenet_udp_receive_condor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_condor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the condor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_condor_port'($*)) dnl
corenet_dontaudit_udp_send_condor_port($1)
corenet_dontaudit_udp_receive_condor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_condor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the condor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
allow $1 condor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_condor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the condor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
allow $1 condor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_condor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to condor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
dontaudit $1 condor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_condor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the condor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
allow $1 condor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_condor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to condor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_condor_port'($*)) dnl
gen_require(`
type condor_port_t;
')
dontaudit $1 condor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_condor_port'($*)) dnl
')
########################################
##
## Send condor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_condor_client_packets'($*)) dnl
gen_require(`
type condor_client_packet_t;
')
allow $1 condor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_condor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send condor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_condor_client_packets'($*)) dnl
gen_require(`
type condor_client_packet_t;
')
dontaudit $1 condor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_condor_client_packets'($*)) dnl
')
########################################
##
## Receive condor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_condor_client_packets'($*)) dnl
gen_require(`
type condor_client_packet_t;
')
allow $1 condor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_condor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive condor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_condor_client_packets'($*)) dnl
gen_require(`
type condor_client_packet_t;
')
dontaudit $1 condor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_condor_client_packets'($*)) dnl
')
########################################
##
## Send and receive condor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_condor_client_packets'($*)) dnl
corenet_send_condor_client_packets($1)
corenet_receive_condor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_condor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive condor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_condor_client_packets'($*)) dnl
corenet_dontaudit_send_condor_client_packets($1)
corenet_dontaudit_receive_condor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_condor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to condor_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_condor_client_packets'($*)) dnl
gen_require(`
type condor_client_packet_t;
')
allow $1 condor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_condor_client_packets'($*)) dnl
')
########################################
##
## Send condor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_condor_server_packets'($*)) dnl
gen_require(`
type condor_server_packet_t;
')
allow $1 condor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_condor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send condor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_condor_server_packets'($*)) dnl
gen_require(`
type condor_server_packet_t;
')
dontaudit $1 condor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_condor_server_packets'($*)) dnl
')
########################################
##
## Receive condor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_condor_server_packets'($*)) dnl
gen_require(`
type condor_server_packet_t;
')
allow $1 condor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_condor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive condor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_condor_server_packets'($*)) dnl
gen_require(`
type condor_server_packet_t;
')
dontaudit $1 condor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_condor_server_packets'($*)) dnl
')
########################################
##
## Send and receive condor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_condor_server_packets'($*)) dnl
corenet_send_condor_server_packets($1)
corenet_receive_condor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_condor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive condor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_condor_server_packets'($*)) dnl
corenet_dontaudit_send_condor_server_packets($1)
corenet_dontaudit_receive_condor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_condor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to condor_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_condor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_condor_server_packets'($*)) dnl
gen_require(`
type condor_server_packet_t;
')
allow $1 condor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_condor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the conman port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
allow $1 conman_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_conman_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the conman port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
allow $1 conman_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_conman_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the conman port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
dontaudit $1 conman_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_conman_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the conman port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
allow $1 conman_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_conman_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the conman port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
dontaudit $1 conman_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_conman_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the conman port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_conman_port'($*)) dnl
corenet_udp_send_conman_port($1)
corenet_udp_receive_conman_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_conman_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the conman port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_conman_port'($*)) dnl
corenet_dontaudit_udp_send_conman_port($1)
corenet_dontaudit_udp_receive_conman_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_conman_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the conman port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
allow $1 conman_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_conman_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the conman port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
allow $1 conman_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_conman_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to conman port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
dontaudit $1 conman_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_conman_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the conman port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
allow $1 conman_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_conman_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to conman port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_conman_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_conman_port'($*)) dnl
gen_require(`
type conman_port_t;
')
dontaudit $1 conman_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_conman_port'($*)) dnl
')
########################################
##
## Send conman_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conman_client_packets'($*)) dnl
gen_require(`
type conman_client_packet_t;
')
allow $1 conman_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conman_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send conman_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conman_client_packets'($*)) dnl
gen_require(`
type conman_client_packet_t;
')
dontaudit $1 conman_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conman_client_packets'($*)) dnl
')
########################################
##
## Receive conman_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conman_client_packets'($*)) dnl
gen_require(`
type conman_client_packet_t;
')
allow $1 conman_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conman_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive conman_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conman_client_packets'($*)) dnl
gen_require(`
type conman_client_packet_t;
')
dontaudit $1 conman_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conman_client_packets'($*)) dnl
')
########################################
##
## Send and receive conman_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conman_client_packets'($*)) dnl
corenet_send_conman_client_packets($1)
corenet_receive_conman_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conman_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive conman_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conman_client_packets'($*)) dnl
corenet_dontaudit_send_conman_client_packets($1)
corenet_dontaudit_receive_conman_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conman_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to conman_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_conman_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conman_client_packets'($*)) dnl
gen_require(`
type conman_client_packet_t;
')
allow $1 conman_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conman_client_packets'($*)) dnl
')
########################################
##
## Send conman_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conman_server_packets'($*)) dnl
gen_require(`
type conman_server_packet_t;
')
allow $1 conman_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conman_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send conman_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conman_server_packets'($*)) dnl
gen_require(`
type conman_server_packet_t;
')
dontaudit $1 conman_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conman_server_packets'($*)) dnl
')
########################################
##
## Receive conman_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conman_server_packets'($*)) dnl
gen_require(`
type conman_server_packet_t;
')
allow $1 conman_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conman_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive conman_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conman_server_packets'($*)) dnl
gen_require(`
type conman_server_packet_t;
')
dontaudit $1 conman_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conman_server_packets'($*)) dnl
')
########################################
##
## Send and receive conman_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conman_server_packets'($*)) dnl
corenet_send_conman_server_packets($1)
corenet_receive_conman_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conman_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive conman_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conman_server_packets'($*)) dnl
corenet_dontaudit_send_conman_server_packets($1)
corenet_dontaudit_receive_conman_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conman_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to conman_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_conman_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conman_server_packets'($*)) dnl
gen_require(`
type conman_server_packet_t;
')
allow $1 conman_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conman_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the connlcli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
allow $1 connlcli_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_connlcli_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the connlcli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
allow $1 connlcli_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_connlcli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the connlcli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
dontaudit $1 connlcli_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_connlcli_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the connlcli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
allow $1 connlcli_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_connlcli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the connlcli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
dontaudit $1 connlcli_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_connlcli_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the connlcli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_connlcli_port'($*)) dnl
corenet_udp_send_connlcli_port($1)
corenet_udp_receive_connlcli_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_connlcli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the connlcli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_connlcli_port'($*)) dnl
corenet_dontaudit_udp_send_connlcli_port($1)
corenet_dontaudit_udp_receive_connlcli_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_connlcli_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the connlcli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
allow $1 connlcli_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_connlcli_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the connlcli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
allow $1 connlcli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_connlcli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to connlcli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
dontaudit $1 connlcli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_connlcli_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the connlcli port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
allow $1 connlcli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_connlcli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to connlcli port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_connlcli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_connlcli_port'($*)) dnl
gen_require(`
type connlcli_port_t;
')
dontaudit $1 connlcli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_connlcli_port'($*)) dnl
')
########################################
##
## Send connlcli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_connlcli_client_packets'($*)) dnl
gen_require(`
type connlcli_client_packet_t;
')
allow $1 connlcli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_connlcli_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send connlcli_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_connlcli_client_packets'($*)) dnl
gen_require(`
type connlcli_client_packet_t;
')
dontaudit $1 connlcli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_connlcli_client_packets'($*)) dnl
')
########################################
##
## Receive connlcli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_connlcli_client_packets'($*)) dnl
gen_require(`
type connlcli_client_packet_t;
')
allow $1 connlcli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_connlcli_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive connlcli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_connlcli_client_packets'($*)) dnl
gen_require(`
type connlcli_client_packet_t;
')
dontaudit $1 connlcli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_connlcli_client_packets'($*)) dnl
')
########################################
##
## Send and receive connlcli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_connlcli_client_packets'($*)) dnl
corenet_send_connlcli_client_packets($1)
corenet_receive_connlcli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_connlcli_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive connlcli_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_connlcli_client_packets'($*)) dnl
corenet_dontaudit_send_connlcli_client_packets($1)
corenet_dontaudit_receive_connlcli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_connlcli_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to connlcli_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_connlcli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_connlcli_client_packets'($*)) dnl
gen_require(`
type connlcli_client_packet_t;
')
allow $1 connlcli_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_connlcli_client_packets'($*)) dnl
')
########################################
##
## Send connlcli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_connlcli_server_packets'($*)) dnl
gen_require(`
type connlcli_server_packet_t;
')
allow $1 connlcli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_connlcli_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send connlcli_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_connlcli_server_packets'($*)) dnl
gen_require(`
type connlcli_server_packet_t;
')
dontaudit $1 connlcli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_connlcli_server_packets'($*)) dnl
')
########################################
##
## Receive connlcli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_connlcli_server_packets'($*)) dnl
gen_require(`
type connlcli_server_packet_t;
')
allow $1 connlcli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_connlcli_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive connlcli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_connlcli_server_packets'($*)) dnl
gen_require(`
type connlcli_server_packet_t;
')
dontaudit $1 connlcli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_connlcli_server_packets'($*)) dnl
')
########################################
##
## Send and receive connlcli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_connlcli_server_packets'($*)) dnl
corenet_send_connlcli_server_packets($1)
corenet_receive_connlcli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_connlcli_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive connlcli_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_connlcli_server_packets'($*)) dnl
corenet_dontaudit_send_connlcli_server_packets($1)
corenet_dontaudit_receive_connlcli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_connlcli_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to connlcli_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_connlcli_server_packets'($*)) dnl
gen_require(`
type connlcli_server_packet_t;
')
allow $1 connlcli_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_connlcli_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the conntrackd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
allow $1 conntrackd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_conntrackd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the conntrackd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
allow $1 conntrackd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_conntrackd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the conntrackd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
dontaudit $1 conntrackd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_conntrackd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the conntrackd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
allow $1 conntrackd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_conntrackd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the conntrackd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
dontaudit $1 conntrackd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_conntrackd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the conntrackd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_conntrackd_port'($*)) dnl
corenet_udp_send_conntrackd_port($1)
corenet_udp_receive_conntrackd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_conntrackd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the conntrackd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_conntrackd_port'($*)) dnl
corenet_dontaudit_udp_send_conntrackd_port($1)
corenet_dontaudit_udp_receive_conntrackd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_conntrackd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the conntrackd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
allow $1 conntrackd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_conntrackd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the conntrackd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
allow $1 conntrackd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_conntrackd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to conntrackd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
dontaudit $1 conntrackd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_conntrackd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the conntrackd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
allow $1 conntrackd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_conntrackd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to conntrackd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_conntrackd_port'($*)) dnl
gen_require(`
type conntrackd_port_t;
')
dontaudit $1 conntrackd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_conntrackd_port'($*)) dnl
')
########################################
##
## Send conntrackd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conntrackd_client_packets'($*)) dnl
gen_require(`
type conntrackd_client_packet_t;
')
allow $1 conntrackd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send conntrackd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conntrackd_client_packets'($*)) dnl
gen_require(`
type conntrackd_client_packet_t;
')
dontaudit $1 conntrackd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Receive conntrackd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conntrackd_client_packets'($*)) dnl
gen_require(`
type conntrackd_client_packet_t;
')
allow $1 conntrackd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive conntrackd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conntrackd_client_packets'($*)) dnl
gen_require(`
type conntrackd_client_packet_t;
')
dontaudit $1 conntrackd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Send and receive conntrackd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conntrackd_client_packets'($*)) dnl
corenet_send_conntrackd_client_packets($1)
corenet_receive_conntrackd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive conntrackd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conntrackd_client_packets'($*)) dnl
corenet_dontaudit_send_conntrackd_client_packets($1)
corenet_dontaudit_receive_conntrackd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to conntrackd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conntrackd_client_packets'($*)) dnl
gen_require(`
type conntrackd_client_packet_t;
')
allow $1 conntrackd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conntrackd_client_packets'($*)) dnl
')
########################################
##
## Send conntrackd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conntrackd_server_packets'($*)) dnl
gen_require(`
type conntrackd_server_packet_t;
')
allow $1 conntrackd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send conntrackd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conntrackd_server_packets'($*)) dnl
gen_require(`
type conntrackd_server_packet_t;
')
dontaudit $1 conntrackd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Receive conntrackd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conntrackd_server_packets'($*)) dnl
gen_require(`
type conntrackd_server_packet_t;
')
allow $1 conntrackd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive conntrackd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conntrackd_server_packets'($*)) dnl
gen_require(`
type conntrackd_server_packet_t;
')
dontaudit $1 conntrackd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Send and receive conntrackd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conntrackd_server_packets'($*)) dnl
corenet_send_conntrackd_server_packets($1)
corenet_receive_conntrackd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive conntrackd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conntrackd_server_packets'($*)) dnl
corenet_dontaudit_send_conntrackd_server_packets($1)
corenet_dontaudit_receive_conntrackd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to conntrackd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conntrackd_server_packets'($*)) dnl
gen_require(`
type conntrackd_server_packet_t;
')
allow $1 conntrackd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conntrackd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the couchdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
allow $1 couchdb_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_couchdb_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the couchdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
allow $1 couchdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_couchdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the couchdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
dontaudit $1 couchdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_couchdb_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the couchdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
allow $1 couchdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_couchdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the couchdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
dontaudit $1 couchdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_couchdb_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the couchdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_couchdb_port'($*)) dnl
corenet_udp_send_couchdb_port($1)
corenet_udp_receive_couchdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_couchdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the couchdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_couchdb_port'($*)) dnl
corenet_dontaudit_udp_send_couchdb_port($1)
corenet_dontaudit_udp_receive_couchdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_couchdb_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the couchdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
allow $1 couchdb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_couchdb_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the couchdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
allow $1 couchdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_couchdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to couchdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
dontaudit $1 couchdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_couchdb_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the couchdb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
allow $1 couchdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_couchdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to couchdb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_couchdb_port'($*)) dnl
gen_require(`
type couchdb_port_t;
')
dontaudit $1 couchdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_couchdb_port'($*)) dnl
')
########################################
##
## Send couchdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_couchdb_client_packets'($*)) dnl
gen_require(`
type couchdb_client_packet_t;
')
allow $1 couchdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_couchdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send couchdb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_couchdb_client_packets'($*)) dnl
gen_require(`
type couchdb_client_packet_t;
')
dontaudit $1 couchdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_couchdb_client_packets'($*)) dnl
')
########################################
##
## Receive couchdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_couchdb_client_packets'($*)) dnl
gen_require(`
type couchdb_client_packet_t;
')
allow $1 couchdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_couchdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive couchdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_couchdb_client_packets'($*)) dnl
gen_require(`
type couchdb_client_packet_t;
')
dontaudit $1 couchdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_couchdb_client_packets'($*)) dnl
')
########################################
##
## Send and receive couchdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_couchdb_client_packets'($*)) dnl
corenet_send_couchdb_client_packets($1)
corenet_receive_couchdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_couchdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive couchdb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_couchdb_client_packets'($*)) dnl
corenet_dontaudit_send_couchdb_client_packets($1)
corenet_dontaudit_receive_couchdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_couchdb_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to couchdb_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_couchdb_client_packets'($*)) dnl
gen_require(`
type couchdb_client_packet_t;
')
allow $1 couchdb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_couchdb_client_packets'($*)) dnl
')
########################################
##
## Send couchdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_couchdb_server_packets'($*)) dnl
gen_require(`
type couchdb_server_packet_t;
')
allow $1 couchdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_couchdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send couchdb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_couchdb_server_packets'($*)) dnl
gen_require(`
type couchdb_server_packet_t;
')
dontaudit $1 couchdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_couchdb_server_packets'($*)) dnl
')
########################################
##
## Receive couchdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_couchdb_server_packets'($*)) dnl
gen_require(`
type couchdb_server_packet_t;
')
allow $1 couchdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_couchdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive couchdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_couchdb_server_packets'($*)) dnl
gen_require(`
type couchdb_server_packet_t;
')
dontaudit $1 couchdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_couchdb_server_packets'($*)) dnl
')
########################################
##
## Send and receive couchdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_couchdb_server_packets'($*)) dnl
corenet_send_couchdb_server_packets($1)
corenet_receive_couchdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_couchdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive couchdb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_couchdb_server_packets'($*)) dnl
corenet_dontaudit_send_couchdb_server_packets($1)
corenet_dontaudit_receive_couchdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_couchdb_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to couchdb_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_couchdb_server_packets'($*)) dnl
gen_require(`
type couchdb_server_packet_t;
')
allow $1 couchdb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_couchdb_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ctdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
allow $1 ctdb_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ctdb_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ctdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
allow $1 ctdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ctdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ctdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
dontaudit $1 ctdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ctdb_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ctdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
allow $1 ctdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ctdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ctdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
dontaudit $1 ctdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ctdb_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ctdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ctdb_port'($*)) dnl
corenet_udp_send_ctdb_port($1)
corenet_udp_receive_ctdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ctdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ctdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ctdb_port'($*)) dnl
corenet_dontaudit_udp_send_ctdb_port($1)
corenet_dontaudit_udp_receive_ctdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ctdb_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ctdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
allow $1 ctdb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ctdb_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ctdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
allow $1 ctdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ctdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ctdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
dontaudit $1 ctdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ctdb_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ctdb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
allow $1 ctdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ctdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ctdb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ctdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ctdb_port'($*)) dnl
gen_require(`
type ctdb_port_t;
')
dontaudit $1 ctdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ctdb_port'($*)) dnl
')
########################################
##
## Send ctdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ctdb_client_packets'($*)) dnl
gen_require(`
type ctdb_client_packet_t;
')
allow $1 ctdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ctdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ctdb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ctdb_client_packets'($*)) dnl
gen_require(`
type ctdb_client_packet_t;
')
dontaudit $1 ctdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ctdb_client_packets'($*)) dnl
')
########################################
##
## Receive ctdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ctdb_client_packets'($*)) dnl
gen_require(`
type ctdb_client_packet_t;
')
allow $1 ctdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ctdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ctdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ctdb_client_packets'($*)) dnl
gen_require(`
type ctdb_client_packet_t;
')
dontaudit $1 ctdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ctdb_client_packets'($*)) dnl
')
########################################
##
## Send and receive ctdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ctdb_client_packets'($*)) dnl
corenet_send_ctdb_client_packets($1)
corenet_receive_ctdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ctdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ctdb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ctdb_client_packets'($*)) dnl
corenet_dontaudit_send_ctdb_client_packets($1)
corenet_dontaudit_receive_ctdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ctdb_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ctdb_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ctdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ctdb_client_packets'($*)) dnl
gen_require(`
type ctdb_client_packet_t;
')
allow $1 ctdb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ctdb_client_packets'($*)) dnl
')
########################################
##
## Send ctdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ctdb_server_packets'($*)) dnl
gen_require(`
type ctdb_server_packet_t;
')
allow $1 ctdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ctdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ctdb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ctdb_server_packets'($*)) dnl
gen_require(`
type ctdb_server_packet_t;
')
dontaudit $1 ctdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ctdb_server_packets'($*)) dnl
')
########################################
##
## Receive ctdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ctdb_server_packets'($*)) dnl
gen_require(`
type ctdb_server_packet_t;
')
allow $1 ctdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ctdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ctdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ctdb_server_packets'($*)) dnl
gen_require(`
type ctdb_server_packet_t;
')
dontaudit $1 ctdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ctdb_server_packets'($*)) dnl
')
########################################
##
## Send and receive ctdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ctdb_server_packets'($*)) dnl
corenet_send_ctdb_server_packets($1)
corenet_receive_ctdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ctdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ctdb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ctdb_server_packets'($*)) dnl
corenet_dontaudit_send_ctdb_server_packets($1)
corenet_dontaudit_receive_ctdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ctdb_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ctdb_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ctdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ctdb_server_packets'($*)) dnl
gen_require(`
type ctdb_server_packet_t;
')
allow $1 ctdb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ctdb_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cvs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
dontaudit $1 cvs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cvs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
dontaudit $1 cvs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cvs_port'($*)) dnl
corenet_udp_send_cvs_port($1)
corenet_udp_receive_cvs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl
corenet_dontaudit_udp_send_cvs_port($1)
corenet_dontaudit_udp_receive_cvs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cvs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cvs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cvs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
dontaudit $1 cvs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cvs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cvs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
allow $1 cvs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cvs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cvs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cvs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cvs_port'($*)) dnl
gen_require(`
type cvs_port_t;
')
dontaudit $1 cvs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cvs_port'($*)) dnl
')
########################################
##
## Send cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
allow $1 cvs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cvs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cvs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
dontaudit $1 cvs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_client_packets'($*)) dnl
')
########################################
##
## Receive cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
allow $1 cvs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
dontaudit $1 cvs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl
')
########################################
##
## Send and receive cvs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_client_packets'($*)) dnl
corenet_send_cvs_client_packets($1)
corenet_receive_cvs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cvs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl
corenet_dontaudit_send_cvs_client_packets($1)
corenet_dontaudit_receive_cvs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cvs_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cvs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_client_packets'($*)) dnl
gen_require(`
type cvs_client_packet_t;
')
allow $1 cvs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_client_packets'($*)) dnl
')
########################################
##
## Send cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
allow $1 cvs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cvs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cvs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
dontaudit $1 cvs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_server_packets'($*)) dnl
')
########################################
##
## Receive cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
allow $1 cvs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
dontaudit $1 cvs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl
')
########################################
##
## Send and receive cvs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_server_packets'($*)) dnl
corenet_send_cvs_server_packets($1)
corenet_receive_cvs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cvs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl
corenet_dontaudit_send_cvs_server_packets($1)
corenet_dontaudit_receive_cvs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cvs_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cvs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_server_packets'($*)) dnl
gen_require(`
type cvs_server_packet_t;
')
allow $1 cvs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cyphesis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
allow $1 cyphesis_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cyphesis_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cyphesis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
allow $1 cyphesis_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cyphesis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cyphesis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
dontaudit $1 cyphesis_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cyphesis_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cyphesis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
allow $1 cyphesis_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cyphesis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cyphesis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
dontaudit $1 cyphesis_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cyphesis_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cyphesis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cyphesis_port'($*)) dnl
corenet_udp_send_cyphesis_port($1)
corenet_udp_receive_cyphesis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cyphesis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cyphesis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cyphesis_port'($*)) dnl
corenet_dontaudit_udp_send_cyphesis_port($1)
corenet_dontaudit_udp_receive_cyphesis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cyphesis_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cyphesis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
allow $1 cyphesis_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cyphesis_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cyphesis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
allow $1 cyphesis_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cyphesis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cyphesis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
dontaudit $1 cyphesis_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cyphesis_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cyphesis port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
allow $1 cyphesis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cyphesis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cyphesis port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cyphesis_port'($*)) dnl
gen_require(`
type cyphesis_port_t;
')
dontaudit $1 cyphesis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cyphesis_port'($*)) dnl
')
########################################
##
## Send cyphesis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cyphesis_client_packets'($*)) dnl
gen_require(`
type cyphesis_client_packet_t;
')
allow $1 cyphesis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cyphesis_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyphesis_client_packets'($*)) dnl
gen_require(`
type cyphesis_client_packet_t;
')
dontaudit $1 cyphesis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Receive cyphesis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cyphesis_client_packets'($*)) dnl
gen_require(`
type cyphesis_client_packet_t;
')
allow $1 cyphesis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cyphesis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyphesis_client_packets'($*)) dnl
gen_require(`
type cyphesis_client_packet_t;
')
dontaudit $1 cyphesis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Send and receive cyphesis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyphesis_client_packets'($*)) dnl
corenet_send_cyphesis_client_packets($1)
corenet_receive_cyphesis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cyphesis_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyphesis_client_packets'($*)) dnl
corenet_dontaudit_send_cyphesis_client_packets($1)
corenet_dontaudit_receive_cyphesis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cyphesis_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyphesis_client_packets'($*)) dnl
gen_require(`
type cyphesis_client_packet_t;
')
allow $1 cyphesis_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyphesis_client_packets'($*)) dnl
')
########################################
##
## Send cyphesis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cyphesis_server_packets'($*)) dnl
gen_require(`
type cyphesis_server_packet_t;
')
allow $1 cyphesis_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cyphesis_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyphesis_server_packets'($*)) dnl
gen_require(`
type cyphesis_server_packet_t;
')
dontaudit $1 cyphesis_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Receive cyphesis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cyphesis_server_packets'($*)) dnl
gen_require(`
type cyphesis_server_packet_t;
')
allow $1 cyphesis_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cyphesis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyphesis_server_packets'($*)) dnl
gen_require(`
type cyphesis_server_packet_t;
')
dontaudit $1 cyphesis_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Send and receive cyphesis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyphesis_server_packets'($*)) dnl
corenet_send_cyphesis_server_packets($1)
corenet_receive_cyphesis_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cyphesis_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyphesis_server_packets'($*)) dnl
corenet_dontaudit_send_cyphesis_server_packets($1)
corenet_dontaudit_receive_cyphesis_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cyphesis_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cyphesis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyphesis_server_packets'($*)) dnl
gen_require(`
type cyphesis_server_packet_t;
')
allow $1 cyphesis_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyphesis_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
allow $1 cyrus_imapd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
allow $1 cyrus_imapd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the cyrus_imapd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
dontaudit $1 cyrus_imapd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
allow $1 cyrus_imapd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the cyrus_imapd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
dontaudit $1 cyrus_imapd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cyrus_imapd_port'($*)) dnl
corenet_udp_send_cyrus_imapd_port($1)
corenet_udp_receive_cyrus_imapd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the cyrus_imapd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cyrus_imapd_port'($*)) dnl
corenet_dontaudit_udp_send_cyrus_imapd_port($1)
corenet_dontaudit_udp_receive_cyrus_imapd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
allow $1 cyrus_imapd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
allow $1 cyrus_imapd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to cyrus_imapd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
dontaudit $1 cyrus_imapd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
allow $1 cyrus_imapd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to cyrus_imapd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cyrus_imapd_port'($*)) dnl
gen_require(`
type cyrus_imapd_port_t;
')
dontaudit $1 cyrus_imapd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cyrus_imapd_port'($*)) dnl
')
########################################
##
## Send cyrus_imapd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cyrus_imapd_client_packets'($*)) dnl
gen_require(`
type cyrus_imapd_client_packet_t;
')
allow $1 cyrus_imapd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cyrus_imapd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyrus_imapd_client_packets'($*)) dnl
gen_require(`
type cyrus_imapd_client_packet_t;
')
dontaudit $1 cyrus_imapd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Receive cyrus_imapd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cyrus_imapd_client_packets'($*)) dnl
gen_require(`
type cyrus_imapd_client_packet_t;
')
allow $1 cyrus_imapd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cyrus_imapd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyrus_imapd_client_packets'($*)) dnl
gen_require(`
type cyrus_imapd_client_packet_t;
')
dontaudit $1 cyrus_imapd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Send and receive cyrus_imapd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyrus_imapd_client_packets'($*)) dnl
corenet_send_cyrus_imapd_client_packets($1)
corenet_receive_cyrus_imapd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cyrus_imapd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyrus_imapd_client_packets'($*)) dnl
corenet_dontaudit_send_cyrus_imapd_client_packets($1)
corenet_dontaudit_receive_cyrus_imapd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to cyrus_imapd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cyrus_imapd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyrus_imapd_client_packets'($*)) dnl
gen_require(`
type cyrus_imapd_client_packet_t;
')
allow $1 cyrus_imapd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyrus_imapd_client_packets'($*)) dnl
')
########################################
##
## Send cyrus_imapd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cyrus_imapd_server_packets'($*)) dnl
gen_require(`
type cyrus_imapd_server_packet_t;
')
allow $1 cyrus_imapd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send cyrus_imapd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyrus_imapd_server_packets'($*)) dnl
gen_require(`
type cyrus_imapd_server_packet_t;
')
dontaudit $1 cyrus_imapd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Receive cyrus_imapd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cyrus_imapd_server_packets'($*)) dnl
gen_require(`
type cyrus_imapd_server_packet_t;
')
allow $1 cyrus_imapd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive cyrus_imapd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyrus_imapd_server_packets'($*)) dnl
gen_require(`
type cyrus_imapd_server_packet_t;
')
dontaudit $1 cyrus_imapd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Send and receive cyrus_imapd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyrus_imapd_server_packets'($*)) dnl
corenet_send_cyrus_imapd_server_packets($1)
corenet_receive_cyrus_imapd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive cyrus_imapd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyrus_imapd_server_packets'($*)) dnl
corenet_dontaudit_send_cyrus_imapd_server_packets($1)
corenet_dontaudit_receive_cyrus_imapd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to cyrus_imapd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_cyrus_imapd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyrus_imapd_server_packets'($*)) dnl
gen_require(`
type cyrus_imapd_server_packet_t;
')
allow $1 cyrus_imapd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyrus_imapd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the daap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
allow $1 daap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_daap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the daap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
allow $1 daap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_daap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the daap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
dontaudit $1 daap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_daap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the daap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
allow $1 daap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_daap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the daap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
dontaudit $1 daap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_daap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the daap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_daap_port'($*)) dnl
corenet_udp_send_daap_port($1)
corenet_udp_receive_daap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_daap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the daap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_daap_port'($*)) dnl
corenet_dontaudit_udp_send_daap_port($1)
corenet_dontaudit_udp_receive_daap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_daap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the daap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
allow $1 daap_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_daap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the daap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
allow $1 daap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_daap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to daap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
dontaudit $1 daap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_daap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the daap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
allow $1 daap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_daap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to daap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_daap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_daap_port'($*)) dnl
gen_require(`
type daap_port_t;
')
dontaudit $1 daap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_daap_port'($*)) dnl
')
########################################
##
## Send daap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_daap_client_packets'($*)) dnl
gen_require(`
type daap_client_packet_t;
')
allow $1 daap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_daap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send daap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_daap_client_packets'($*)) dnl
gen_require(`
type daap_client_packet_t;
')
dontaudit $1 daap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_daap_client_packets'($*)) dnl
')
########################################
##
## Receive daap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_daap_client_packets'($*)) dnl
gen_require(`
type daap_client_packet_t;
')
allow $1 daap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_daap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive daap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_daap_client_packets'($*)) dnl
gen_require(`
type daap_client_packet_t;
')
dontaudit $1 daap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_daap_client_packets'($*)) dnl
')
########################################
##
## Send and receive daap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_daap_client_packets'($*)) dnl
corenet_send_daap_client_packets($1)
corenet_receive_daap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_daap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive daap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_daap_client_packets'($*)) dnl
corenet_dontaudit_send_daap_client_packets($1)
corenet_dontaudit_receive_daap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_daap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to daap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_daap_client_packets'($*)) dnl
gen_require(`
type daap_client_packet_t;
')
allow $1 daap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_daap_client_packets'($*)) dnl
')
########################################
##
## Send daap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_daap_server_packets'($*)) dnl
gen_require(`
type daap_server_packet_t;
')
allow $1 daap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_daap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send daap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_daap_server_packets'($*)) dnl
gen_require(`
type daap_server_packet_t;
')
dontaudit $1 daap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_daap_server_packets'($*)) dnl
')
########################################
##
## Receive daap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_daap_server_packets'($*)) dnl
gen_require(`
type daap_server_packet_t;
')
allow $1 daap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_daap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive daap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_daap_server_packets'($*)) dnl
gen_require(`
type daap_server_packet_t;
')
dontaudit $1 daap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_daap_server_packets'($*)) dnl
')
########################################
##
## Send and receive daap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_daap_server_packets'($*)) dnl
corenet_send_daap_server_packets($1)
corenet_receive_daap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_daap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive daap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_daap_server_packets'($*)) dnl
corenet_dontaudit_send_daap_server_packets($1)
corenet_dontaudit_receive_daap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_daap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to daap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_daap_server_packets'($*)) dnl
gen_require(`
type daap_server_packet_t;
')
allow $1 daap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_daap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
dontaudit $1 dbskkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
dontaudit $1 dbskkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dbskkd_port'($*)) dnl
corenet_udp_send_dbskkd_port($1)
corenet_udp_receive_dbskkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl
corenet_dontaudit_udp_send_dbskkd_port($1)
corenet_dontaudit_udp_receive_dbskkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dbskkd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dbskkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dbskkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
dontaudit $1 dbskkd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dbskkd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dbskkd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
allow $1 dbskkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dbskkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dbskkd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dbskkd_port'($*)) dnl
gen_require(`
type dbskkd_port_t;
')
dontaudit $1 dbskkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dbskkd_port'($*)) dnl
')
########################################
##
## Send dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
allow $1 dbskkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbskkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
dontaudit $1 dbskkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Receive dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
allow $1 dbskkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
dontaudit $1 dbskkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Send and receive dbskkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_client_packets'($*)) dnl
corenet_send_dbskkd_client_packets($1)
corenet_receive_dbskkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dbskkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl
corenet_dontaudit_send_dbskkd_client_packets($1)
corenet_dontaudit_receive_dbskkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dbskkd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_client_packets'($*)) dnl
gen_require(`
type dbskkd_client_packet_t;
')
allow $1 dbskkd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_client_packets'($*)) dnl
')
########################################
##
## Send dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
allow $1 dbskkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dbskkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
dontaudit $1 dbskkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Receive dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
allow $1 dbskkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
dontaudit $1 dbskkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive dbskkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_server_packets'($*)) dnl
corenet_send_dbskkd_server_packets($1)
corenet_receive_dbskkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dbskkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl
corenet_dontaudit_send_dbskkd_server_packets($1)
corenet_dontaudit_receive_dbskkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dbskkd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_server_packets'($*)) dnl
gen_require(`
type dbskkd_server_packet_t;
')
allow $1 dbskkd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dcc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
dontaudit $1 dcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dcc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
dontaudit $1 dcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dcc_port'($*)) dnl
corenet_udp_send_dcc_port($1)
corenet_udp_receive_dcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl
corenet_dontaudit_udp_send_dcc_port($1)
corenet_dontaudit_udp_receive_dcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dcc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
dontaudit $1 dcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dcc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dcc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
allow $1 dcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dcc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dcc_port'($*)) dnl
gen_require(`
type dcc_port_t;
')
dontaudit $1 dcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dcc_port'($*)) dnl
')
########################################
##
## Send dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
allow $1 dcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
dontaudit $1 dcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_client_packets'($*)) dnl
')
########################################
##
## Receive dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
allow $1 dcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
dontaudit $1 dcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl
')
########################################
##
## Send and receive dcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_client_packets'($*)) dnl
corenet_send_dcc_client_packets($1)
corenet_receive_dcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl
corenet_dontaudit_send_dcc_client_packets($1)
corenet_dontaudit_receive_dcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dcc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_client_packets'($*)) dnl
gen_require(`
type dcc_client_packet_t;
')
allow $1 dcc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_client_packets'($*)) dnl
')
########################################
##
## Send dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
allow $1 dcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
dontaudit $1 dcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_server_packets'($*)) dnl
')
########################################
##
## Receive dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
allow $1 dcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
dontaudit $1 dcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl
')
########################################
##
## Send and receive dcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_server_packets'($*)) dnl
corenet_send_dcc_server_packets($1)
corenet_receive_dcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl
corenet_dontaudit_send_dcc_server_packets($1)
corenet_dontaudit_receive_dcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dcc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_server_packets'($*)) dnl
gen_require(`
type dcc_server_packet_t;
')
allow $1 dcc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dccm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
allow $1 dccm_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dccm_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dccm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
allow $1 dccm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dccm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dccm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
dontaudit $1 dccm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dccm_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dccm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
allow $1 dccm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dccm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dccm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
dontaudit $1 dccm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dccm_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dccm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dccm_port'($*)) dnl
corenet_udp_send_dccm_port($1)
corenet_udp_receive_dccm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dccm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dccm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dccm_port'($*)) dnl
corenet_dontaudit_udp_send_dccm_port($1)
corenet_dontaudit_udp_receive_dccm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dccm_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dccm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
allow $1 dccm_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dccm_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dccm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
allow $1 dccm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dccm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dccm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
dontaudit $1 dccm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dccm_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dccm port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
allow $1 dccm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dccm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dccm port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dccm_port'($*)) dnl
gen_require(`
type dccm_port_t;
')
dontaudit $1 dccm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dccm_port'($*)) dnl
')
########################################
##
## Send dccm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dccm_client_packets'($*)) dnl
gen_require(`
type dccm_client_packet_t;
')
allow $1 dccm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dccm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dccm_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dccm_client_packets'($*)) dnl
gen_require(`
type dccm_client_packet_t;
')
dontaudit $1 dccm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dccm_client_packets'($*)) dnl
')
########################################
##
## Receive dccm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dccm_client_packets'($*)) dnl
gen_require(`
type dccm_client_packet_t;
')
allow $1 dccm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dccm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dccm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dccm_client_packets'($*)) dnl
gen_require(`
type dccm_client_packet_t;
')
dontaudit $1 dccm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dccm_client_packets'($*)) dnl
')
########################################
##
## Send and receive dccm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dccm_client_packets'($*)) dnl
corenet_send_dccm_client_packets($1)
corenet_receive_dccm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dccm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dccm_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dccm_client_packets'($*)) dnl
corenet_dontaudit_send_dccm_client_packets($1)
corenet_dontaudit_receive_dccm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dccm_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dccm_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dccm_client_packets'($*)) dnl
gen_require(`
type dccm_client_packet_t;
')
allow $1 dccm_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dccm_client_packets'($*)) dnl
')
########################################
##
## Send dccm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dccm_server_packets'($*)) dnl
gen_require(`
type dccm_server_packet_t;
')
allow $1 dccm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dccm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dccm_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dccm_server_packets'($*)) dnl
gen_require(`
type dccm_server_packet_t;
')
dontaudit $1 dccm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dccm_server_packets'($*)) dnl
')
########################################
##
## Receive dccm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dccm_server_packets'($*)) dnl
gen_require(`
type dccm_server_packet_t;
')
allow $1 dccm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dccm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dccm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dccm_server_packets'($*)) dnl
gen_require(`
type dccm_server_packet_t;
')
dontaudit $1 dccm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dccm_server_packets'($*)) dnl
')
########################################
##
## Send and receive dccm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dccm_server_packets'($*)) dnl
corenet_send_dccm_server_packets($1)
corenet_receive_dccm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dccm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dccm_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dccm_server_packets'($*)) dnl
corenet_dontaudit_send_dccm_server_packets($1)
corenet_dontaudit_receive_dccm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dccm_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dccm_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dccm_server_packets'($*)) dnl
gen_require(`
type dccm_server_packet_t;
')
allow $1 dccm_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dccm_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
allow $1 dey_keyneg_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dey_keyneg_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
allow $1 dey_keyneg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dey_keyneg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dey_keyneg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
dontaudit $1 dey_keyneg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dey_keyneg_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
allow $1 dey_keyneg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dey_keyneg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dey_keyneg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
dontaudit $1 dey_keyneg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dey_keyneg_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dey_keyneg_port'($*)) dnl
corenet_udp_send_dey_keyneg_port($1)
corenet_udp_receive_dey_keyneg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dey_keyneg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dey_keyneg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dey_keyneg_port'($*)) dnl
corenet_dontaudit_udp_send_dey_keyneg_port($1)
corenet_dontaudit_udp_receive_dey_keyneg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dey_keyneg_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
allow $1 dey_keyneg_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dey_keyneg_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
allow $1 dey_keyneg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dey_keyneg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dey_keyneg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
dontaudit $1 dey_keyneg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dey_keyneg_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
allow $1 dey_keyneg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dey_keyneg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dey_keyneg port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dey_keyneg_port'($*)) dnl
gen_require(`
type dey_keyneg_port_t;
')
dontaudit $1 dey_keyneg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dey_keyneg_port'($*)) dnl
')
########################################
##
## Send dey_keyneg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_keyneg_client_packets'($*)) dnl
gen_require(`
type dey_keyneg_client_packet_t;
')
allow $1 dey_keyneg_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dey_keyneg_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_keyneg_client_packets'($*)) dnl
gen_require(`
type dey_keyneg_client_packet_t;
')
dontaudit $1 dey_keyneg_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Receive dey_keyneg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_keyneg_client_packets'($*)) dnl
gen_require(`
type dey_keyneg_client_packet_t;
')
allow $1 dey_keyneg_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dey_keyneg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_keyneg_client_packets'($*)) dnl
gen_require(`
type dey_keyneg_client_packet_t;
')
dontaudit $1 dey_keyneg_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Send and receive dey_keyneg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_keyneg_client_packets'($*)) dnl
corenet_send_dey_keyneg_client_packets($1)
corenet_receive_dey_keyneg_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dey_keyneg_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_keyneg_client_packets'($*)) dnl
corenet_dontaudit_send_dey_keyneg_client_packets($1)
corenet_dontaudit_receive_dey_keyneg_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dey_keyneg_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_keyneg_client_packets'($*)) dnl
gen_require(`
type dey_keyneg_client_packet_t;
')
allow $1 dey_keyneg_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_keyneg_client_packets'($*)) dnl
')
########################################
##
## Send dey_keyneg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_keyneg_server_packets'($*)) dnl
gen_require(`
type dey_keyneg_server_packet_t;
')
allow $1 dey_keyneg_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dey_keyneg_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_keyneg_server_packets'($*)) dnl
gen_require(`
type dey_keyneg_server_packet_t;
')
dontaudit $1 dey_keyneg_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Receive dey_keyneg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_keyneg_server_packets'($*)) dnl
gen_require(`
type dey_keyneg_server_packet_t;
')
allow $1 dey_keyneg_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dey_keyneg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_keyneg_server_packets'($*)) dnl
gen_require(`
type dey_keyneg_server_packet_t;
')
dontaudit $1 dey_keyneg_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Send and receive dey_keyneg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_keyneg_server_packets'($*)) dnl
corenet_send_dey_keyneg_server_packets($1)
corenet_receive_dey_keyneg_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dey_keyneg_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_keyneg_server_packets'($*)) dnl
corenet_dontaudit_send_dey_keyneg_server_packets($1)
corenet_dontaudit_receive_dey_keyneg_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dey_keyneg_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_keyneg_server_packets'($*)) dnl
gen_require(`
type dey_keyneg_server_packet_t;
')
allow $1 dey_keyneg_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_keyneg_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
allow $1 dey_sapi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dey_sapi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
allow $1 dey_sapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dey_sapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dey_sapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
dontaudit $1 dey_sapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dey_sapi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
allow $1 dey_sapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dey_sapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dey_sapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
dontaudit $1 dey_sapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dey_sapi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dey_sapi_port'($*)) dnl
corenet_udp_send_dey_sapi_port($1)
corenet_udp_receive_dey_sapi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dey_sapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dey_sapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dey_sapi_port'($*)) dnl
corenet_dontaudit_udp_send_dey_sapi_port($1)
corenet_dontaudit_udp_receive_dey_sapi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dey_sapi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
allow $1 dey_sapi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dey_sapi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
allow $1 dey_sapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dey_sapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dey_sapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
dontaudit $1 dey_sapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dey_sapi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dey_sapi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
allow $1 dey_sapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dey_sapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dey_sapi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dey_sapi_port'($*)) dnl
gen_require(`
type dey_sapi_port_t;
')
dontaudit $1 dey_sapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dey_sapi_port'($*)) dnl
')
########################################
##
## Send dey_sapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_sapi_client_packets'($*)) dnl
gen_require(`
type dey_sapi_client_packet_t;
')
allow $1 dey_sapi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dey_sapi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_sapi_client_packets'($*)) dnl
gen_require(`
type dey_sapi_client_packet_t;
')
dontaudit $1 dey_sapi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Receive dey_sapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_sapi_client_packets'($*)) dnl
gen_require(`
type dey_sapi_client_packet_t;
')
allow $1 dey_sapi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dey_sapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_sapi_client_packets'($*)) dnl
gen_require(`
type dey_sapi_client_packet_t;
')
dontaudit $1 dey_sapi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Send and receive dey_sapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_sapi_client_packets'($*)) dnl
corenet_send_dey_sapi_client_packets($1)
corenet_receive_dey_sapi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dey_sapi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_sapi_client_packets'($*)) dnl
corenet_dontaudit_send_dey_sapi_client_packets($1)
corenet_dontaudit_receive_dey_sapi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dey_sapi_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_sapi_client_packets'($*)) dnl
gen_require(`
type dey_sapi_client_packet_t;
')
allow $1 dey_sapi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_sapi_client_packets'($*)) dnl
')
########################################
##
## Send dey_sapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_sapi_server_packets'($*)) dnl
gen_require(`
type dey_sapi_server_packet_t;
')
allow $1 dey_sapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dey_sapi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_sapi_server_packets'($*)) dnl
gen_require(`
type dey_sapi_server_packet_t;
')
dontaudit $1 dey_sapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Receive dey_sapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_sapi_server_packets'($*)) dnl
gen_require(`
type dey_sapi_server_packet_t;
')
allow $1 dey_sapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dey_sapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_sapi_server_packets'($*)) dnl
gen_require(`
type dey_sapi_server_packet_t;
')
dontaudit $1 dey_sapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Send and receive dey_sapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_sapi_server_packets'($*)) dnl
corenet_send_dey_sapi_server_packets($1)
corenet_receive_dey_sapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dey_sapi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_sapi_server_packets'($*)) dnl
corenet_dontaudit_send_dey_sapi_server_packets($1)
corenet_dontaudit_receive_dey_sapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dey_sapi_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_sapi_server_packets'($*)) dnl
gen_require(`
type dey_sapi_server_packet_t;
')
allow $1 dey_sapi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_sapi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
dontaudit $1 dhcpc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
dontaudit $1 dhcpc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpc_port'($*)) dnl
corenet_udp_send_dhcpc_port($1)
corenet_udp_receive_dhcpc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl
corenet_dontaudit_udp_send_dhcpc_port($1)
corenet_dontaudit_udp_receive_dhcpc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dhcpc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dhcpc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
dontaudit $1 dhcpc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dhcpc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dhcpc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
allow $1 dhcpc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dhcpc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dhcpc_port'($*)) dnl
gen_require(`
type dhcpc_port_t;
')
dontaudit $1 dhcpc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dhcpc_port'($*)) dnl
')
########################################
##
## Send dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
allow $1 dhcpc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
dontaudit $1 dhcpc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Receive dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
allow $1 dhcpc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
dontaudit $1 dhcpc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_client_packets'($*)) dnl
corenet_send_dhcpc_client_packets($1)
corenet_receive_dhcpc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl
corenet_dontaudit_send_dhcpc_client_packets($1)
corenet_dontaudit_receive_dhcpc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dhcpc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_client_packets'($*)) dnl
gen_require(`
type dhcpc_client_packet_t;
')
allow $1 dhcpc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_client_packets'($*)) dnl
')
########################################
##
## Send dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
allow $1 dhcpc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
dontaudit $1 dhcpc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Receive dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
allow $1 dhcpc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
dontaudit $1 dhcpc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_server_packets'($*)) dnl
corenet_send_dhcpc_server_packets($1)
corenet_receive_dhcpc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl
corenet_dontaudit_send_dhcpc_server_packets($1)
corenet_dontaudit_receive_dhcpc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dhcpc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_server_packets'($*)) dnl
gen_require(`
type dhcpc_server_packet_t;
')
allow $1 dhcpc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
dontaudit $1 dhcpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
dontaudit $1 dhcpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpd_port'($*)) dnl
corenet_udp_send_dhcpd_port($1)
corenet_udp_receive_dhcpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl
corenet_dontaudit_udp_send_dhcpd_port($1)
corenet_dontaudit_udp_receive_dhcpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dhcpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dhcpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
dontaudit $1 dhcpd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dhcpd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dhcpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
allow $1 dhcpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dhcpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dhcpd_port'($*)) dnl
gen_require(`
type dhcpd_port_t;
')
dontaudit $1 dhcpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dhcpd_port'($*)) dnl
')
########################################
##
## Send dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
allow $1 dhcpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
dontaudit $1 dhcpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Receive dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
allow $1 dhcpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
dontaudit $1 dhcpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_client_packets'($*)) dnl
corenet_send_dhcpd_client_packets($1)
corenet_receive_dhcpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl
corenet_dontaudit_send_dhcpd_client_packets($1)
corenet_dontaudit_receive_dhcpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dhcpd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_client_packets'($*)) dnl
gen_require(`
type dhcpd_client_packet_t;
')
allow $1 dhcpd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_client_packets'($*)) dnl
')
########################################
##
## Send dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
allow $1 dhcpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dhcpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
dontaudit $1 dhcpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Receive dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
allow $1 dhcpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
dontaudit $1 dhcpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive dhcpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_server_packets'($*)) dnl
corenet_send_dhcpd_server_packets($1)
corenet_receive_dhcpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dhcpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl
corenet_dontaudit_send_dhcpd_server_packets($1)
corenet_dontaudit_receive_dhcpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dhcpd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_server_packets'($*)) dnl
gen_require(`
type dhcpd_server_packet_t;
')
allow $1 dhcpd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dict_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
dontaudit $1 dict_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dict_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
dontaudit $1 dict_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dict_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dict_port'($*)) dnl
corenet_udp_send_dict_port($1)
corenet_udp_receive_dict_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl
corenet_dontaudit_udp_send_dict_port($1)
corenet_dontaudit_udp_receive_dict_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dict_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dict port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dict port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
dontaudit $1 dict_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dict_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dict port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
allow $1 dict_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dict_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dict port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dict_port'($*)) dnl
gen_require(`
type dict_port_t;
')
dontaudit $1 dict_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dict_port'($*)) dnl
')
########################################
##
## Send dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
allow $1 dict_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dict_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dict_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
dontaudit $1 dict_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_client_packets'($*)) dnl
')
########################################
##
## Receive dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
allow $1 dict_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dict_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
dontaudit $1 dict_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_client_packets'($*)) dnl
')
########################################
##
## Send and receive dict_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_client_packets'($*)) dnl
corenet_send_dict_client_packets($1)
corenet_receive_dict_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dict_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl
corenet_dontaudit_send_dict_client_packets($1)
corenet_dontaudit_receive_dict_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dict_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_client_packets'($*)) dnl
gen_require(`
type dict_client_packet_t;
')
allow $1 dict_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_client_packets'($*)) dnl
')
########################################
##
## Send dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
allow $1 dict_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dict_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dict_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
dontaudit $1 dict_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_server_packets'($*)) dnl
')
########################################
##
## Receive dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
allow $1 dict_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dict_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
dontaudit $1 dict_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_server_packets'($*)) dnl
')
########################################
##
## Send and receive dict_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_server_packets'($*)) dnl
corenet_send_dict_server_packets($1)
corenet_receive_dict_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dict_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl
corenet_dontaudit_send_dict_server_packets($1)
corenet_dontaudit_receive_dict_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dict_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_server_packets'($*)) dnl
gen_require(`
type dict_server_packet_t;
')
allow $1 dict_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_distccd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
dontaudit $1 distccd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_distccd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
dontaudit $1 distccd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_distccd_port'($*)) dnl
corenet_udp_send_distccd_port($1)
corenet_udp_receive_distccd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl
corenet_dontaudit_udp_send_distccd_port($1)
corenet_dontaudit_udp_receive_distccd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_distccd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the distccd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to distccd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
dontaudit $1 distccd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_distccd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the distccd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
allow $1 distccd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_distccd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to distccd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_distccd_port'($*)) dnl
gen_require(`
type distccd_port_t;
')
dontaudit $1 distccd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_distccd_port'($*)) dnl
')
########################################
##
## Send distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
allow $1 distccd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_distccd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send distccd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
dontaudit $1 distccd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_client_packets'($*)) dnl
')
########################################
##
## Receive distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
allow $1 distccd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
dontaudit $1 distccd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl
')
########################################
##
## Send and receive distccd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_client_packets'($*)) dnl
corenet_send_distccd_client_packets($1)
corenet_receive_distccd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive distccd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl
corenet_dontaudit_send_distccd_client_packets($1)
corenet_dontaudit_receive_distccd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to distccd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_client_packets'($*)) dnl
gen_require(`
type distccd_client_packet_t;
')
allow $1 distccd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_client_packets'($*)) dnl
')
########################################
##
## Send distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
allow $1 distccd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_distccd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
dontaudit $1 distccd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_server_packets'($*)) dnl
')
########################################
##
## Receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
allow $1 distccd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
dontaudit $1 distccd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl
')
########################################
##
## Send and receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_server_packets'($*)) dnl
corenet_send_distccd_server_packets($1)
corenet_receive_distccd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl
corenet_dontaudit_send_distccd_server_packets($1)
corenet_dontaudit_receive_distccd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to distccd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_server_packets'($*)) dnl
gen_require(`
type distccd_server_packet_t;
')
allow $1 distccd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
allow $1 dogtag_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dogtag_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
allow $1 dogtag_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dogtag_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
dontaudit $1 dogtag_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dogtag_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
allow $1 dogtag_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dogtag_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
dontaudit $1 dogtag_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dogtag_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dogtag_port'($*)) dnl
corenet_udp_send_dogtag_port($1)
corenet_udp_receive_dogtag_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dogtag_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dogtag_port'($*)) dnl
corenet_dontaudit_udp_send_dogtag_port($1)
corenet_dontaudit_udp_receive_dogtag_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dogtag_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
allow $1 dogtag_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dogtag_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
allow $1 dogtag_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dogtag_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
dontaudit $1 dogtag_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dogtag_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dogtag port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
allow $1 dogtag_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dogtag_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dogtag port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dogtag_port'($*)) dnl
gen_require(`
type dogtag_port_t;
')
dontaudit $1 dogtag_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dogtag_port'($*)) dnl
')
########################################
##
## Send dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dogtag_client_packets'($*)) dnl
gen_require(`
type dogtag_client_packet_t;
')
allow $1 dogtag_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dogtag_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dogtag_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dogtag_client_packets'($*)) dnl
gen_require(`
type dogtag_client_packet_t;
')
dontaudit $1 dogtag_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dogtag_client_packets'($*)) dnl
')
########################################
##
## Receive dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dogtag_client_packets'($*)) dnl
gen_require(`
type dogtag_client_packet_t;
')
allow $1 dogtag_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dogtag_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dogtag_client_packets'($*)) dnl
gen_require(`
type dogtag_client_packet_t;
')
dontaudit $1 dogtag_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dogtag_client_packets'($*)) dnl
')
########################################
##
## Send and receive dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dogtag_client_packets'($*)) dnl
corenet_send_dogtag_client_packets($1)
corenet_receive_dogtag_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dogtag_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dogtag_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dogtag_client_packets'($*)) dnl
corenet_dontaudit_send_dogtag_client_packets($1)
corenet_dontaudit_receive_dogtag_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dogtag_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dogtag_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dogtag_client_packets'($*)) dnl
gen_require(`
type dogtag_client_packet_t;
')
allow $1 dogtag_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dogtag_client_packets'($*)) dnl
')
########################################
##
## Send dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dogtag_server_packets'($*)) dnl
gen_require(`
type dogtag_server_packet_t;
')
allow $1 dogtag_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dogtag_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dogtag_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dogtag_server_packets'($*)) dnl
gen_require(`
type dogtag_server_packet_t;
')
dontaudit $1 dogtag_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dogtag_server_packets'($*)) dnl
')
########################################
##
## Receive dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dogtag_server_packets'($*)) dnl
gen_require(`
type dogtag_server_packet_t;
')
allow $1 dogtag_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dogtag_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dogtag_server_packets'($*)) dnl
gen_require(`
type dogtag_server_packet_t;
')
dontaudit $1 dogtag_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dogtag_server_packets'($*)) dnl
')
########################################
##
## Send and receive dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dogtag_server_packets'($*)) dnl
corenet_send_dogtag_server_packets($1)
corenet_receive_dogtag_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dogtag_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dogtag_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dogtag_server_packets'($*)) dnl
corenet_dontaudit_send_dogtag_server_packets($1)
corenet_dontaudit_receive_dogtag_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dogtag_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dogtag_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dogtag_server_packets'($*)) dnl
gen_require(`
type dogtag_server_packet_t;
')
allow $1 dogtag_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dogtag_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dns_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
dontaudit $1 dns_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dns_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
dontaudit $1 dns_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dns_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dns_port'($*)) dnl
corenet_udp_send_dns_port($1)
corenet_udp_receive_dns_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl
corenet_dontaudit_udp_send_dns_port($1)
corenet_dontaudit_udp_receive_dns_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dns_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
dontaudit $1 dns_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dns_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
allow $1 dns_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dns_port'($*)) dnl
gen_require(`
type dns_port_t;
')
dontaudit $1 dns_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dns_port'($*)) dnl
')
########################################
##
## Send dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
allow $1 dns_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
dontaudit $1 dns_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_client_packets'($*)) dnl
')
########################################
##
## Receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
allow $1 dns_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
dontaudit $1 dns_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_client_packets'($*)) dnl
')
########################################
##
## Send and receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_client_packets'($*)) dnl
corenet_send_dns_client_packets($1)
corenet_receive_dns_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl
corenet_dontaudit_send_dns_client_packets($1)
corenet_dontaudit_receive_dns_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dns_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_client_packets'($*)) dnl
gen_require(`
type dns_client_packet_t;
')
allow $1 dns_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_client_packets'($*)) dnl
')
########################################
##
## Send dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
allow $1 dns_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
dontaudit $1 dns_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_server_packets'($*)) dnl
')
########################################
##
## Receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
allow $1 dns_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
dontaudit $1 dns_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_server_packets'($*)) dnl
')
########################################
##
## Send and receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_server_packets'($*)) dnl
corenet_send_dns_server_packets($1)
corenet_receive_dns_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl
corenet_dontaudit_send_dns_server_packets($1)
corenet_dontaudit_receive_dns_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dns_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_server_packets'($*)) dnl
gen_require(`
type dns_server_packet_t;
')
allow $1 dns_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the dnssec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
allow $1 dnssec_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dnssec_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the dnssec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
allow $1 dnssec_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dnssec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the dnssec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
dontaudit $1 dnssec_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dnssec_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the dnssec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
allow $1 dnssec_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dnssec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the dnssec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
dontaudit $1 dnssec_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dnssec_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the dnssec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dnssec_port'($*)) dnl
corenet_udp_send_dnssec_port($1)
corenet_udp_receive_dnssec_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dnssec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dnssec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dnssec_port'($*)) dnl
corenet_dontaudit_udp_send_dnssec_port($1)
corenet_dontaudit_udp_receive_dnssec_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dnssec_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the dnssec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
allow $1 dnssec_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dnssec_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the dnssec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
allow $1 dnssec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dnssec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to dnssec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
dontaudit $1 dnssec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dnssec_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the dnssec port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
allow $1 dnssec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dnssec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to dnssec port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dnssec_port'($*)) dnl
gen_require(`
type dnssec_port_t;
')
dontaudit $1 dnssec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dnssec_port'($*)) dnl
')
########################################
##
## Send dnssec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dnssec_client_packets'($*)) dnl
gen_require(`
type dnssec_client_packet_t;
')
allow $1 dnssec_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dnssec_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dnssec_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dnssec_client_packets'($*)) dnl
gen_require(`
type dnssec_client_packet_t;
')
dontaudit $1 dnssec_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dnssec_client_packets'($*)) dnl
')
########################################
##
## Receive dnssec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dnssec_client_packets'($*)) dnl
gen_require(`
type dnssec_client_packet_t;
')
allow $1 dnssec_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dnssec_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dnssec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dnssec_client_packets'($*)) dnl
gen_require(`
type dnssec_client_packet_t;
')
dontaudit $1 dnssec_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dnssec_client_packets'($*)) dnl
')
########################################
##
## Send and receive dnssec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dnssec_client_packets'($*)) dnl
corenet_send_dnssec_client_packets($1)
corenet_receive_dnssec_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dnssec_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dnssec_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dnssec_client_packets'($*)) dnl
corenet_dontaudit_send_dnssec_client_packets($1)
corenet_dontaudit_receive_dnssec_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dnssec_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to dnssec_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dnssec_client_packets'($*)) dnl
gen_require(`
type dnssec_client_packet_t;
')
allow $1 dnssec_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dnssec_client_packets'($*)) dnl
')
########################################
##
## Send dnssec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dnssec_server_packets'($*)) dnl
gen_require(`
type dnssec_server_packet_t;
')
allow $1 dnssec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dnssec_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send dnssec_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dnssec_server_packets'($*)) dnl
gen_require(`
type dnssec_server_packet_t;
')
dontaudit $1 dnssec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dnssec_server_packets'($*)) dnl
')
########################################
##
## Receive dnssec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dnssec_server_packets'($*)) dnl
gen_require(`
type dnssec_server_packet_t;
')
allow $1 dnssec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dnssec_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive dnssec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dnssec_server_packets'($*)) dnl
gen_require(`
type dnssec_server_packet_t;
')
dontaudit $1 dnssec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dnssec_server_packets'($*)) dnl
')
########################################
##
## Send and receive dnssec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dnssec_server_packets'($*)) dnl
corenet_send_dnssec_server_packets($1)
corenet_receive_dnssec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dnssec_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive dnssec_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dnssec_server_packets'($*)) dnl
corenet_dontaudit_send_dnssec_server_packets($1)
corenet_dontaudit_receive_dnssec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dnssec_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to dnssec_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dnssec_server_packets'($*)) dnl
gen_require(`
type dnssec_server_packet_t;
')
allow $1 dnssec_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dnssec_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
allow $1 echo_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_echo_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
allow $1 echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
dontaudit $1 echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_echo_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
allow $1 echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
dontaudit $1 echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_echo_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_echo_port'($*)) dnl
corenet_udp_send_echo_port($1)
corenet_udp_receive_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_echo_port'($*)) dnl
corenet_dontaudit_udp_send_echo_port($1)
corenet_dontaudit_udp_receive_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_echo_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
allow $1 echo_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_echo_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the echo port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
allow $1 echo_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to echo port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
dontaudit $1 echo_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_echo_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the echo port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
allow $1 echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_echo_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to echo port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_echo_port'($*)) dnl
gen_require(`
type echo_port_t;
')
dontaudit $1 echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_echo_port'($*)) dnl
')
########################################
##
## Send echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_echo_client_packets'($*)) dnl
gen_require(`
type echo_client_packet_t;
')
allow $1 echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_echo_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send echo_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_echo_client_packets'($*)) dnl
gen_require(`
type echo_client_packet_t;
')
dontaudit $1 echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_echo_client_packets'($*)) dnl
')
########################################
##
## Receive echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_echo_client_packets'($*)) dnl
gen_require(`
type echo_client_packet_t;
')
allow $1 echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_echo_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_echo_client_packets'($*)) dnl
gen_require(`
type echo_client_packet_t;
')
dontaudit $1 echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_echo_client_packets'($*)) dnl
')
########################################
##
## Send and receive echo_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_echo_client_packets'($*)) dnl
corenet_send_echo_client_packets($1)
corenet_receive_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_echo_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive echo_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_echo_client_packets'($*)) dnl
corenet_dontaudit_send_echo_client_packets($1)
corenet_dontaudit_receive_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_echo_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to echo_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_echo_client_packets'($*)) dnl
gen_require(`
type echo_client_packet_t;
')
allow $1 echo_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_echo_client_packets'($*)) dnl
')
########################################
##
## Send echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_echo_server_packets'($*)) dnl
gen_require(`
type echo_server_packet_t;
')
allow $1 echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_echo_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send echo_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_echo_server_packets'($*)) dnl
gen_require(`
type echo_server_packet_t;
')
dontaudit $1 echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_echo_server_packets'($*)) dnl
')
########################################
##
## Receive echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_echo_server_packets'($*)) dnl
gen_require(`
type echo_server_packet_t;
')
allow $1 echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_echo_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_echo_server_packets'($*)) dnl
gen_require(`
type echo_server_packet_t;
')
dontaudit $1 echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_echo_server_packets'($*)) dnl
')
########################################
##
## Send and receive echo_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_echo_server_packets'($*)) dnl
corenet_send_echo_server_packets($1)
corenet_receive_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_echo_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive echo_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_echo_server_packets'($*)) dnl
corenet_dontaudit_send_echo_server_packets($1)
corenet_dontaudit_receive_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_echo_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to echo_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_echo_server_packets'($*)) dnl
gen_require(`
type echo_server_packet_t;
')
allow $1 echo_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_echo_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the efs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
allow $1 efs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_efs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the efs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
allow $1 efs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_efs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the efs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
dontaudit $1 efs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_efs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the efs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
allow $1 efs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_efs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the efs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
dontaudit $1 efs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_efs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the efs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_efs_port'($*)) dnl
corenet_udp_send_efs_port($1)
corenet_udp_receive_efs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_efs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the efs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_efs_port'($*)) dnl
corenet_dontaudit_udp_send_efs_port($1)
corenet_dontaudit_udp_receive_efs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_efs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the efs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
allow $1 efs_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_efs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the efs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
allow $1 efs_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_efs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to efs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
dontaudit $1 efs_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_efs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the efs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
allow $1 efs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_efs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to efs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_efs_port'($*)) dnl
gen_require(`
type efs_port_t;
')
dontaudit $1 efs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_efs_port'($*)) dnl
')
########################################
##
## Send efs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_efs_client_packets'($*)) dnl
gen_require(`
type efs_client_packet_t;
')
allow $1 efs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_efs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send efs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_efs_client_packets'($*)) dnl
gen_require(`
type efs_client_packet_t;
')
dontaudit $1 efs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_efs_client_packets'($*)) dnl
')
########################################
##
## Receive efs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_efs_client_packets'($*)) dnl
gen_require(`
type efs_client_packet_t;
')
allow $1 efs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_efs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive efs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_efs_client_packets'($*)) dnl
gen_require(`
type efs_client_packet_t;
')
dontaudit $1 efs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_efs_client_packets'($*)) dnl
')
########################################
##
## Send and receive efs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_efs_client_packets'($*)) dnl
corenet_send_efs_client_packets($1)
corenet_receive_efs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_efs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive efs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_efs_client_packets'($*)) dnl
corenet_dontaudit_send_efs_client_packets($1)
corenet_dontaudit_receive_efs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_efs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to efs_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_efs_client_packets'($*)) dnl
gen_require(`
type efs_client_packet_t;
')
allow $1 efs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_efs_client_packets'($*)) dnl
')
########################################
##
## Send efs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_efs_server_packets'($*)) dnl
gen_require(`
type efs_server_packet_t;
')
allow $1 efs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_efs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send efs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_efs_server_packets'($*)) dnl
gen_require(`
type efs_server_packet_t;
')
dontaudit $1 efs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_efs_server_packets'($*)) dnl
')
########################################
##
## Receive efs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_efs_server_packets'($*)) dnl
gen_require(`
type efs_server_packet_t;
')
allow $1 efs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_efs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive efs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_efs_server_packets'($*)) dnl
gen_require(`
type efs_server_packet_t;
')
dontaudit $1 efs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_efs_server_packets'($*)) dnl
')
########################################
##
## Send and receive efs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_efs_server_packets'($*)) dnl
corenet_send_efs_server_packets($1)
corenet_receive_efs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_efs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive efs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_efs_server_packets'($*)) dnl
corenet_dontaudit_send_efs_server_packets($1)
corenet_dontaudit_receive_efs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_efs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to efs_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_efs_server_packets'($*)) dnl
gen_require(`
type efs_server_packet_t;
')
allow $1 efs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_efs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
allow $1 embrace_dp_c_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
allow $1 embrace_dp_c_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the embrace_dp_c port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
dontaudit $1 embrace_dp_c_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
allow $1 embrace_dp_c_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the embrace_dp_c port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
dontaudit $1 embrace_dp_c_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_embrace_dp_c_port'($*)) dnl
corenet_udp_send_embrace_dp_c_port($1)
corenet_udp_receive_embrace_dp_c_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the embrace_dp_c port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_embrace_dp_c_port'($*)) dnl
corenet_dontaudit_udp_send_embrace_dp_c_port($1)
corenet_dontaudit_udp_receive_embrace_dp_c_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
allow $1 embrace_dp_c_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
allow $1 embrace_dp_c_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to embrace_dp_c port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
dontaudit $1 embrace_dp_c_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
allow $1 embrace_dp_c_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to embrace_dp_c port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_embrace_dp_c_port'($*)) dnl
gen_require(`
type embrace_dp_c_port_t;
')
dontaudit $1 embrace_dp_c_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_embrace_dp_c_port'($*)) dnl
')
########################################
##
## Send embrace_dp_c_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_embrace_dp_c_client_packets'($*)) dnl
gen_require(`
type embrace_dp_c_client_packet_t;
')
allow $1 embrace_dp_c_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send embrace_dp_c_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_embrace_dp_c_client_packets'($*)) dnl
gen_require(`
type embrace_dp_c_client_packet_t;
')
dontaudit $1 embrace_dp_c_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Receive embrace_dp_c_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_embrace_dp_c_client_packets'($*)) dnl
gen_require(`
type embrace_dp_c_client_packet_t;
')
allow $1 embrace_dp_c_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive embrace_dp_c_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_embrace_dp_c_client_packets'($*)) dnl
gen_require(`
type embrace_dp_c_client_packet_t;
')
dontaudit $1 embrace_dp_c_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Send and receive embrace_dp_c_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_embrace_dp_c_client_packets'($*)) dnl
corenet_send_embrace_dp_c_client_packets($1)
corenet_receive_embrace_dp_c_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive embrace_dp_c_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_embrace_dp_c_client_packets'($*)) dnl
corenet_dontaudit_send_embrace_dp_c_client_packets($1)
corenet_dontaudit_receive_embrace_dp_c_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to embrace_dp_c_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_embrace_dp_c_client_packets'($*)) dnl
gen_require(`
type embrace_dp_c_client_packet_t;
')
allow $1 embrace_dp_c_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_embrace_dp_c_client_packets'($*)) dnl
')
########################################
##
## Send embrace_dp_c_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_embrace_dp_c_server_packets'($*)) dnl
gen_require(`
type embrace_dp_c_server_packet_t;
')
allow $1 embrace_dp_c_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send embrace_dp_c_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_embrace_dp_c_server_packets'($*)) dnl
gen_require(`
type embrace_dp_c_server_packet_t;
')
dontaudit $1 embrace_dp_c_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Receive embrace_dp_c_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_embrace_dp_c_server_packets'($*)) dnl
gen_require(`
type embrace_dp_c_server_packet_t;
')
allow $1 embrace_dp_c_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive embrace_dp_c_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_embrace_dp_c_server_packets'($*)) dnl
gen_require(`
type embrace_dp_c_server_packet_t;
')
dontaudit $1 embrace_dp_c_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Send and receive embrace_dp_c_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_embrace_dp_c_server_packets'($*)) dnl
corenet_send_embrace_dp_c_server_packets($1)
corenet_receive_embrace_dp_c_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive embrace_dp_c_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_embrace_dp_c_server_packets'($*)) dnl
corenet_dontaudit_send_embrace_dp_c_server_packets($1)
corenet_dontaudit_receive_embrace_dp_c_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to embrace_dp_c_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_embrace_dp_c_server_packets'($*)) dnl
gen_require(`
type embrace_dp_c_server_packet_t;
')
allow $1 embrace_dp_c_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_embrace_dp_c_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the epmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
allow $1 epmap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_epmap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the epmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
allow $1 epmap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_epmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the epmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
dontaudit $1 epmap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_epmap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the epmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
allow $1 epmap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_epmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the epmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
dontaudit $1 epmap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_epmap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the epmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_epmap_port'($*)) dnl
corenet_udp_send_epmap_port($1)
corenet_udp_receive_epmap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_epmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the epmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_epmap_port'($*)) dnl
corenet_dontaudit_udp_send_epmap_port($1)
corenet_dontaudit_udp_receive_epmap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_epmap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the epmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
allow $1 epmap_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_epmap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the epmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
allow $1 epmap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_epmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to epmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
dontaudit $1 epmap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_epmap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the epmap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
allow $1 epmap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_epmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to epmap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_epmap_port'($*)) dnl
gen_require(`
type epmap_port_t;
')
dontaudit $1 epmap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_epmap_port'($*)) dnl
')
########################################
##
## Send epmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_epmap_client_packets'($*)) dnl
gen_require(`
type epmap_client_packet_t;
')
allow $1 epmap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_epmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send epmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmap_client_packets'($*)) dnl
gen_require(`
type epmap_client_packet_t;
')
dontaudit $1 epmap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmap_client_packets'($*)) dnl
')
########################################
##
## Receive epmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_epmap_client_packets'($*)) dnl
gen_require(`
type epmap_client_packet_t;
')
allow $1 epmap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_epmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive epmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmap_client_packets'($*)) dnl
gen_require(`
type epmap_client_packet_t;
')
dontaudit $1 epmap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmap_client_packets'($*)) dnl
')
########################################
##
## Send and receive epmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmap_client_packets'($*)) dnl
corenet_send_epmap_client_packets($1)
corenet_receive_epmap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive epmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmap_client_packets'($*)) dnl
corenet_dontaudit_send_epmap_client_packets($1)
corenet_dontaudit_receive_epmap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to epmap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_epmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmap_client_packets'($*)) dnl
gen_require(`
type epmap_client_packet_t;
')
allow $1 epmap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmap_client_packets'($*)) dnl
')
########################################
##
## Send epmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_epmap_server_packets'($*)) dnl
gen_require(`
type epmap_server_packet_t;
')
allow $1 epmap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_epmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send epmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmap_server_packets'($*)) dnl
gen_require(`
type epmap_server_packet_t;
')
dontaudit $1 epmap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmap_server_packets'($*)) dnl
')
########################################
##
## Receive epmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_epmap_server_packets'($*)) dnl
gen_require(`
type epmap_server_packet_t;
')
allow $1 epmap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_epmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive epmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmap_server_packets'($*)) dnl
gen_require(`
type epmap_server_packet_t;
')
dontaudit $1 epmap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmap_server_packets'($*)) dnl
')
########################################
##
## Send and receive epmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmap_server_packets'($*)) dnl
corenet_send_epmap_server_packets($1)
corenet_receive_epmap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive epmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmap_server_packets'($*)) dnl
corenet_dontaudit_send_epmap_server_packets($1)
corenet_dontaudit_receive_epmap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to epmap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_epmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmap_server_packets'($*)) dnl
gen_require(`
type epmap_server_packet_t;
')
allow $1 epmap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the epmd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
allow $1 epmd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_epmd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the epmd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
allow $1 epmd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_epmd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the epmd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
dontaudit $1 epmd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_epmd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the epmd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
allow $1 epmd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_epmd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the epmd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
dontaudit $1 epmd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_epmd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the epmd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_epmd_port'($*)) dnl
corenet_udp_send_epmd_port($1)
corenet_udp_receive_epmd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_epmd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the epmd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_epmd_port'($*)) dnl
corenet_dontaudit_udp_send_epmd_port($1)
corenet_dontaudit_udp_receive_epmd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_epmd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the epmd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
allow $1 epmd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_epmd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the epmd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
allow $1 epmd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_epmd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to epmd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
dontaudit $1 epmd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_epmd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the epmd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
allow $1 epmd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_epmd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to epmd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_epmd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_epmd_port'($*)) dnl
gen_require(`
type epmd_port_t;
')
dontaudit $1 epmd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_epmd_port'($*)) dnl
')
########################################
##
## Send epmd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_epmd_client_packets'($*)) dnl
gen_require(`
type epmd_client_packet_t;
')
allow $1 epmd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_epmd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send epmd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmd_client_packets'($*)) dnl
gen_require(`
type epmd_client_packet_t;
')
dontaudit $1 epmd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmd_client_packets'($*)) dnl
')
########################################
##
## Receive epmd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_epmd_client_packets'($*)) dnl
gen_require(`
type epmd_client_packet_t;
')
allow $1 epmd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_epmd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive epmd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmd_client_packets'($*)) dnl
gen_require(`
type epmd_client_packet_t;
')
dontaudit $1 epmd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmd_client_packets'($*)) dnl
')
########################################
##
## Send and receive epmd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmd_client_packets'($*)) dnl
corenet_send_epmd_client_packets($1)
corenet_receive_epmd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive epmd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmd_client_packets'($*)) dnl
corenet_dontaudit_send_epmd_client_packets($1)
corenet_dontaudit_receive_epmd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to epmd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_epmd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmd_client_packets'($*)) dnl
gen_require(`
type epmd_client_packet_t;
')
allow $1 epmd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmd_client_packets'($*)) dnl
')
########################################
##
## Send epmd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_epmd_server_packets'($*)) dnl
gen_require(`
type epmd_server_packet_t;
')
allow $1 epmd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_epmd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send epmd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmd_server_packets'($*)) dnl
gen_require(`
type epmd_server_packet_t;
')
dontaudit $1 epmd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmd_server_packets'($*)) dnl
')
########################################
##
## Receive epmd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_epmd_server_packets'($*)) dnl
gen_require(`
type epmd_server_packet_t;
')
allow $1 epmd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_epmd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive epmd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmd_server_packets'($*)) dnl
gen_require(`
type epmd_server_packet_t;
')
dontaudit $1 epmd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmd_server_packets'($*)) dnl
')
########################################
##
## Send and receive epmd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmd_server_packets'($*)) dnl
corenet_send_epmd_server_packets($1)
corenet_receive_epmd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive epmd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmd_server_packets'($*)) dnl
corenet_dontaudit_send_epmd_server_packets($1)
corenet_dontaudit_receive_epmd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to epmd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_epmd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmd_server_packets'($*)) dnl
gen_require(`
type epmd_server_packet_t;
')
allow $1 epmd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the fac_restore port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
allow $1 fac_restore_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fac_restore_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the fac_restore port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
allow $1 fac_restore_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_fac_restore_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the fac_restore port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
dontaudit $1 fac_restore_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fac_restore_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the fac_restore port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
allow $1 fac_restore_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fac_restore_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the fac_restore port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
dontaudit $1 fac_restore_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fac_restore_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the fac_restore port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fac_restore_port'($*)) dnl
corenet_udp_send_fac_restore_port($1)
corenet_udp_receive_fac_restore_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fac_restore_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the fac_restore port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fac_restore_port'($*)) dnl
corenet_dontaudit_udp_send_fac_restore_port($1)
corenet_dontaudit_udp_receive_fac_restore_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fac_restore_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the fac_restore port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
allow $1 fac_restore_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fac_restore_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the fac_restore port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
allow $1 fac_restore_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fac_restore_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to fac_restore port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
dontaudit $1 fac_restore_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_fac_restore_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the fac_restore port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
allow $1 fac_restore_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fac_restore_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to fac_restore port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_fac_restore_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_fac_restore_port'($*)) dnl
gen_require(`
type fac_restore_port_t;
')
dontaudit $1 fac_restore_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_fac_restore_port'($*)) dnl
')
########################################
##
## Send fac_restore_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fac_restore_client_packets'($*)) dnl
gen_require(`
type fac_restore_client_packet_t;
')
allow $1 fac_restore_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fac_restore_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fac_restore_client_packets'($*)) dnl
gen_require(`
type fac_restore_client_packet_t;
')
dontaudit $1 fac_restore_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Receive fac_restore_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fac_restore_client_packets'($*)) dnl
gen_require(`
type fac_restore_client_packet_t;
')
allow $1 fac_restore_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fac_restore_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fac_restore_client_packets'($*)) dnl
gen_require(`
type fac_restore_client_packet_t;
')
dontaudit $1 fac_restore_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Send and receive fac_restore_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fac_restore_client_packets'($*)) dnl
corenet_send_fac_restore_client_packets($1)
corenet_receive_fac_restore_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fac_restore_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fac_restore_client_packets'($*)) dnl
corenet_dontaudit_send_fac_restore_client_packets($1)
corenet_dontaudit_receive_fac_restore_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to fac_restore_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fac_restore_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fac_restore_client_packets'($*)) dnl
gen_require(`
type fac_restore_client_packet_t;
')
allow $1 fac_restore_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fac_restore_client_packets'($*)) dnl
')
########################################
##
## Send fac_restore_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fac_restore_server_packets'($*)) dnl
gen_require(`
type fac_restore_server_packet_t;
')
allow $1 fac_restore_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fac_restore_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fac_restore_server_packets'($*)) dnl
gen_require(`
type fac_restore_server_packet_t;
')
dontaudit $1 fac_restore_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Receive fac_restore_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fac_restore_server_packets'($*)) dnl
gen_require(`
type fac_restore_server_packet_t;
')
allow $1 fac_restore_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fac_restore_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fac_restore_server_packets'($*)) dnl
gen_require(`
type fac_restore_server_packet_t;
')
dontaudit $1 fac_restore_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Send and receive fac_restore_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fac_restore_server_packets'($*)) dnl
corenet_send_fac_restore_server_packets($1)
corenet_receive_fac_restore_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fac_restore_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fac_restore_server_packets'($*)) dnl
corenet_dontaudit_send_fac_restore_server_packets($1)
corenet_dontaudit_receive_fac_restore_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to fac_restore_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fac_restore_server_packets'($*)) dnl
gen_require(`
type fac_restore_server_packet_t;
')
allow $1 fac_restore_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fac_restore_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fingerd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
dontaudit $1 fingerd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
dontaudit $1 fingerd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fingerd_port'($*)) dnl
corenet_udp_send_fingerd_port($1)
corenet_udp_receive_fingerd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl
corenet_dontaudit_udp_send_fingerd_port($1)
corenet_dontaudit_udp_receive_fingerd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fingerd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the fingerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to fingerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
dontaudit $1 fingerd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_fingerd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the fingerd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
allow $1 fingerd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fingerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to fingerd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_fingerd_port'($*)) dnl
gen_require(`
type fingerd_port_t;
')
dontaudit $1 fingerd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_fingerd_port'($*)) dnl
')
########################################
##
## Send fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
allow $1 fingerd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fingerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
dontaudit $1 fingerd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl
')
########################################
##
## Receive fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
allow $1 fingerd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
dontaudit $1 fingerd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl
')
########################################
##
## Send and receive fingerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_client_packets'($*)) dnl
corenet_send_fingerd_client_packets($1)
corenet_receive_fingerd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fingerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl
corenet_dontaudit_send_fingerd_client_packets($1)
corenet_dontaudit_receive_fingerd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to fingerd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_client_packets'($*)) dnl
gen_require(`
type fingerd_client_packet_t;
')
allow $1 fingerd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_client_packets'($*)) dnl
')
########################################
##
## Send fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
allow $1 fingerd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fingerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
dontaudit $1 fingerd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl
')
########################################
##
## Receive fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
allow $1 fingerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
dontaudit $1 fingerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl
')
########################################
##
## Send and receive fingerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_server_packets'($*)) dnl
corenet_send_fingerd_server_packets($1)
corenet_receive_fingerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fingerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl
corenet_dontaudit_send_fingerd_server_packets($1)
corenet_dontaudit_receive_fingerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to fingerd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_server_packets'($*)) dnl
gen_require(`
type fingerd_server_packet_t;
')
allow $1 fingerd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the firepower port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
allow $1 firepower_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_firepower_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the firepower port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
allow $1 firepower_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_firepower_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the firepower port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
dontaudit $1 firepower_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_firepower_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the firepower port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
allow $1 firepower_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_firepower_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the firepower port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
dontaudit $1 firepower_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_firepower_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the firepower port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_firepower_port'($*)) dnl
corenet_udp_send_firepower_port($1)
corenet_udp_receive_firepower_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_firepower_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the firepower port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_firepower_port'($*)) dnl
corenet_dontaudit_udp_send_firepower_port($1)
corenet_dontaudit_udp_receive_firepower_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_firepower_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the firepower port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
allow $1 firepower_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_firepower_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the firepower port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
allow $1 firepower_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_firepower_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to firepower port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
dontaudit $1 firepower_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_firepower_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the firepower port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
allow $1 firepower_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_firepower_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to firepower port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_firepower_port'($*)) dnl
gen_require(`
type firepower_port_t;
')
dontaudit $1 firepower_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_firepower_port'($*)) dnl
')
########################################
##
## Send firepower_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_firepower_client_packets'($*)) dnl
gen_require(`
type firepower_client_packet_t;
')
allow $1 firepower_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_firepower_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send firepower_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_firepower_client_packets'($*)) dnl
gen_require(`
type firepower_client_packet_t;
')
dontaudit $1 firepower_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_firepower_client_packets'($*)) dnl
')
########################################
##
## Receive firepower_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_firepower_client_packets'($*)) dnl
gen_require(`
type firepower_client_packet_t;
')
allow $1 firepower_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_firepower_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive firepower_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_firepower_client_packets'($*)) dnl
gen_require(`
type firepower_client_packet_t;
')
dontaudit $1 firepower_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_firepower_client_packets'($*)) dnl
')
########################################
##
## Send and receive firepower_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_firepower_client_packets'($*)) dnl
corenet_send_firepower_client_packets($1)
corenet_receive_firepower_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_firepower_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive firepower_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_firepower_client_packets'($*)) dnl
corenet_dontaudit_send_firepower_client_packets($1)
corenet_dontaudit_receive_firepower_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_firepower_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to firepower_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_firepower_client_packets'($*)) dnl
gen_require(`
type firepower_client_packet_t;
')
allow $1 firepower_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_firepower_client_packets'($*)) dnl
')
########################################
##
## Send firepower_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_firepower_server_packets'($*)) dnl
gen_require(`
type firepower_server_packet_t;
')
allow $1 firepower_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_firepower_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send firepower_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_firepower_server_packets'($*)) dnl
gen_require(`
type firepower_server_packet_t;
')
dontaudit $1 firepower_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_firepower_server_packets'($*)) dnl
')
########################################
##
## Receive firepower_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_firepower_server_packets'($*)) dnl
gen_require(`
type firepower_server_packet_t;
')
allow $1 firepower_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_firepower_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive firepower_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_firepower_server_packets'($*)) dnl
gen_require(`
type firepower_server_packet_t;
')
dontaudit $1 firepower_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_firepower_server_packets'($*)) dnl
')
########################################
##
## Send and receive firepower_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_firepower_server_packets'($*)) dnl
corenet_send_firepower_server_packets($1)
corenet_receive_firepower_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_firepower_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive firepower_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_firepower_server_packets'($*)) dnl
corenet_dontaudit_send_firepower_server_packets($1)
corenet_dontaudit_receive_firepower_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_firepower_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to firepower_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_firepower_server_packets'($*)) dnl
gen_require(`
type firepower_server_packet_t;
')
allow $1 firepower_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_firepower_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
allow $1 fmpro_internal_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fmpro_internal_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
allow $1 fmpro_internal_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_fmpro_internal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the fmpro_internal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
dontaudit $1 fmpro_internal_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fmpro_internal_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
allow $1 fmpro_internal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fmpro_internal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the fmpro_internal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
dontaudit $1 fmpro_internal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fmpro_internal_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fmpro_internal_port'($*)) dnl
corenet_udp_send_fmpro_internal_port($1)
corenet_udp_receive_fmpro_internal_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fmpro_internal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the fmpro_internal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fmpro_internal_port'($*)) dnl
corenet_dontaudit_udp_send_fmpro_internal_port($1)
corenet_dontaudit_udp_receive_fmpro_internal_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fmpro_internal_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
allow $1 fmpro_internal_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fmpro_internal_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
allow $1 fmpro_internal_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fmpro_internal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to fmpro_internal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
dontaudit $1 fmpro_internal_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_fmpro_internal_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
allow $1 fmpro_internal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fmpro_internal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to fmpro_internal port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_fmpro_internal_port'($*)) dnl
gen_require(`
type fmpro_internal_port_t;
')
dontaudit $1 fmpro_internal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_fmpro_internal_port'($*)) dnl
')
########################################
##
## Send fmpro_internal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fmpro_internal_client_packets'($*)) dnl
gen_require(`
type fmpro_internal_client_packet_t;
')
allow $1 fmpro_internal_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fmpro_internal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fmpro_internal_client_packets'($*)) dnl
gen_require(`
type fmpro_internal_client_packet_t;
')
dontaudit $1 fmpro_internal_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Receive fmpro_internal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fmpro_internal_client_packets'($*)) dnl
gen_require(`
type fmpro_internal_client_packet_t;
')
allow $1 fmpro_internal_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fmpro_internal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fmpro_internal_client_packets'($*)) dnl
gen_require(`
type fmpro_internal_client_packet_t;
')
dontaudit $1 fmpro_internal_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Send and receive fmpro_internal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fmpro_internal_client_packets'($*)) dnl
corenet_send_fmpro_internal_client_packets($1)
corenet_receive_fmpro_internal_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fmpro_internal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fmpro_internal_client_packets'($*)) dnl
corenet_dontaudit_send_fmpro_internal_client_packets($1)
corenet_dontaudit_receive_fmpro_internal_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to fmpro_internal_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fmpro_internal_client_packets'($*)) dnl
gen_require(`
type fmpro_internal_client_packet_t;
')
allow $1 fmpro_internal_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fmpro_internal_client_packets'($*)) dnl
')
########################################
##
## Send fmpro_internal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fmpro_internal_server_packets'($*)) dnl
gen_require(`
type fmpro_internal_server_packet_t;
')
allow $1 fmpro_internal_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send fmpro_internal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fmpro_internal_server_packets'($*)) dnl
gen_require(`
type fmpro_internal_server_packet_t;
')
dontaudit $1 fmpro_internal_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Receive fmpro_internal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fmpro_internal_server_packets'($*)) dnl
gen_require(`
type fmpro_internal_server_packet_t;
')
allow $1 fmpro_internal_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive fmpro_internal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fmpro_internal_server_packets'($*)) dnl
gen_require(`
type fmpro_internal_server_packet_t;
')
dontaudit $1 fmpro_internal_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Send and receive fmpro_internal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fmpro_internal_server_packets'($*)) dnl
corenet_send_fmpro_internal_server_packets($1)
corenet_receive_fmpro_internal_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive fmpro_internal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fmpro_internal_server_packets'($*)) dnl
corenet_dontaudit_send_fmpro_internal_server_packets($1)
corenet_dontaudit_receive_fmpro_internal_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to fmpro_internal_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fmpro_internal_server_packets'($*)) dnl
gen_require(`
type fmpro_internal_server_packet_t;
')
allow $1 fmpro_internal_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fmpro_internal_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the flash port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
allow $1 flash_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_flash_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the flash port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
allow $1 flash_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_flash_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the flash port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
dontaudit $1 flash_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_flash_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the flash port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
allow $1 flash_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_flash_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the flash port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
dontaudit $1 flash_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_flash_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the flash port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_flash_port'($*)) dnl
corenet_udp_send_flash_port($1)
corenet_udp_receive_flash_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_flash_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the flash port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_flash_port'($*)) dnl
corenet_dontaudit_udp_send_flash_port($1)
corenet_dontaudit_udp_receive_flash_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_flash_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the flash port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
allow $1 flash_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_flash_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the flash port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
allow $1 flash_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_flash_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to flash port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
dontaudit $1 flash_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_flash_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the flash port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
allow $1 flash_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_flash_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to flash port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_flash_port'($*)) dnl
gen_require(`
type flash_port_t;
')
dontaudit $1 flash_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_flash_port'($*)) dnl
')
########################################
##
## Send flash_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_flash_client_packets'($*)) dnl
gen_require(`
type flash_client_packet_t;
')
allow $1 flash_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_flash_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send flash_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_flash_client_packets'($*)) dnl
gen_require(`
type flash_client_packet_t;
')
dontaudit $1 flash_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_flash_client_packets'($*)) dnl
')
########################################
##
## Receive flash_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_flash_client_packets'($*)) dnl
gen_require(`
type flash_client_packet_t;
')
allow $1 flash_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_flash_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive flash_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_flash_client_packets'($*)) dnl
gen_require(`
type flash_client_packet_t;
')
dontaudit $1 flash_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_flash_client_packets'($*)) dnl
')
########################################
##
## Send and receive flash_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_flash_client_packets'($*)) dnl
corenet_send_flash_client_packets($1)
corenet_receive_flash_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_flash_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive flash_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_flash_client_packets'($*)) dnl
corenet_dontaudit_send_flash_client_packets($1)
corenet_dontaudit_receive_flash_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_flash_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to flash_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_flash_client_packets'($*)) dnl
gen_require(`
type flash_client_packet_t;
')
allow $1 flash_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_flash_client_packets'($*)) dnl
')
########################################
##
## Send flash_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_flash_server_packets'($*)) dnl
gen_require(`
type flash_server_packet_t;
')
allow $1 flash_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_flash_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send flash_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_flash_server_packets'($*)) dnl
gen_require(`
type flash_server_packet_t;
')
dontaudit $1 flash_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_flash_server_packets'($*)) dnl
')
########################################
##
## Receive flash_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_flash_server_packets'($*)) dnl
gen_require(`
type flash_server_packet_t;
')
allow $1 flash_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_flash_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive flash_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_flash_server_packets'($*)) dnl
gen_require(`
type flash_server_packet_t;
')
dontaudit $1 flash_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_flash_server_packets'($*)) dnl
')
########################################
##
## Send and receive flash_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_flash_server_packets'($*)) dnl
corenet_send_flash_server_packets($1)
corenet_receive_flash_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_flash_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive flash_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_flash_server_packets'($*)) dnl
corenet_dontaudit_send_flash_server_packets($1)
corenet_dontaudit_receive_flash_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_flash_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to flash_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_flash_server_packets'($*)) dnl
gen_require(`
type flash_server_packet_t;
')
allow $1 flash_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_flash_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the freeipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
allow $1 freeipmi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_freeipmi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the freeipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
allow $1 freeipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_freeipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the freeipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
dontaudit $1 freeipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_freeipmi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the freeipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
allow $1 freeipmi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_freeipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the freeipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
dontaudit $1 freeipmi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_freeipmi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the freeipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_freeipmi_port'($*)) dnl
corenet_udp_send_freeipmi_port($1)
corenet_udp_receive_freeipmi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_freeipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the freeipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_freeipmi_port'($*)) dnl
corenet_dontaudit_udp_send_freeipmi_port($1)
corenet_dontaudit_udp_receive_freeipmi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_freeipmi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the freeipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
allow $1 freeipmi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_freeipmi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the freeipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
allow $1 freeipmi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_freeipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to freeipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
dontaudit $1 freeipmi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_freeipmi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the freeipmi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
allow $1 freeipmi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_freeipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to freeipmi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_freeipmi_port'($*)) dnl
gen_require(`
type freeipmi_port_t;
')
dontaudit $1 freeipmi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_freeipmi_port'($*)) dnl
')
########################################
##
## Send freeipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_freeipmi_client_packets'($*)) dnl
gen_require(`
type freeipmi_client_packet_t;
')
allow $1 freeipmi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send freeipmi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_freeipmi_client_packets'($*)) dnl
gen_require(`
type freeipmi_client_packet_t;
')
dontaudit $1 freeipmi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Receive freeipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_freeipmi_client_packets'($*)) dnl
gen_require(`
type freeipmi_client_packet_t;
')
allow $1 freeipmi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive freeipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_freeipmi_client_packets'($*)) dnl
gen_require(`
type freeipmi_client_packet_t;
')
dontaudit $1 freeipmi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Send and receive freeipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_freeipmi_client_packets'($*)) dnl
corenet_send_freeipmi_client_packets($1)
corenet_receive_freeipmi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive freeipmi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_freeipmi_client_packets'($*)) dnl
corenet_dontaudit_send_freeipmi_client_packets($1)
corenet_dontaudit_receive_freeipmi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to freeipmi_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_freeipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_freeipmi_client_packets'($*)) dnl
gen_require(`
type freeipmi_client_packet_t;
')
allow $1 freeipmi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_freeipmi_client_packets'($*)) dnl
')
########################################
##
## Send freeipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_freeipmi_server_packets'($*)) dnl
gen_require(`
type freeipmi_server_packet_t;
')
allow $1 freeipmi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send freeipmi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_freeipmi_server_packets'($*)) dnl
gen_require(`
type freeipmi_server_packet_t;
')
dontaudit $1 freeipmi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Receive freeipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_freeipmi_server_packets'($*)) dnl
gen_require(`
type freeipmi_server_packet_t;
')
allow $1 freeipmi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive freeipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_freeipmi_server_packets'($*)) dnl
gen_require(`
type freeipmi_server_packet_t;
')
dontaudit $1 freeipmi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Send and receive freeipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_freeipmi_server_packets'($*)) dnl
corenet_send_freeipmi_server_packets($1)
corenet_receive_freeipmi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive freeipmi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_freeipmi_server_packets'($*)) dnl
corenet_dontaudit_send_freeipmi_server_packets($1)
corenet_dontaudit_receive_freeipmi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to freeipmi_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_freeipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_freeipmi_server_packets'($*)) dnl
gen_require(`
type freeipmi_server_packet_t;
')
allow $1 freeipmi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_freeipmi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
dontaudit $1 ftp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
dontaudit $1 ftp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_port'($*)) dnl
corenet_udp_send_ftp_port($1)
corenet_udp_receive_ftp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl
corenet_dontaudit_udp_send_ftp_port($1)
corenet_dontaudit_udp_receive_ftp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
dontaudit $1 ftp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ftp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ftp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
allow $1 ftp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ftp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ftp_port'($*)) dnl
gen_require(`
type ftp_port_t;
')
dontaudit $1 ftp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ftp_port'($*)) dnl
')
########################################
##
## Send ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
allow $1 ftp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
dontaudit $1 ftp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_client_packets'($*)) dnl
')
########################################
##
## Receive ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
allow $1 ftp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
dontaudit $1 ftp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_client_packets'($*)) dnl
corenet_send_ftp_client_packets($1)
corenet_receive_ftp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl
corenet_dontaudit_send_ftp_client_packets($1)
corenet_dontaudit_receive_ftp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ftp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_client_packets'($*)) dnl
gen_require(`
type ftp_client_packet_t;
')
allow $1 ftp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_client_packets'($*)) dnl
')
########################################
##
## Send ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
allow $1 ftp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
dontaudit $1 ftp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_server_packets'($*)) dnl
')
########################################
##
## Receive ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
allow $1 ftp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
dontaudit $1 ftp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_server_packets'($*)) dnl
corenet_send_ftp_server_packets($1)
corenet_receive_ftp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl
corenet_dontaudit_send_ftp_server_packets($1)
corenet_dontaudit_receive_ftp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ftp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_server_packets'($*)) dnl
gen_require(`
type ftp_server_packet_t;
')
allow $1 ftp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
dontaudit $1 ftp_data_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
dontaudit $1 ftp_data_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_data_port'($*)) dnl
corenet_udp_send_ftp_data_port($1)
corenet_udp_receive_ftp_data_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl
corenet_dontaudit_udp_send_ftp_data_port($1)
corenet_dontaudit_udp_receive_ftp_data_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_data_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ftp_data port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ftp_data port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
dontaudit $1 ftp_data_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ftp_data_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ftp_data port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
allow $1 ftp_data_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_data_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ftp_data port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ftp_data_port'($*)) dnl
gen_require(`
type ftp_data_port_t;
')
dontaudit $1 ftp_data_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ftp_data_port'($*)) dnl
')
########################################
##
## Send ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
allow $1 ftp_data_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_data_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
dontaudit $1 ftp_data_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Receive ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
allow $1 ftp_data_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
dontaudit $1 ftp_data_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_data_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_client_packets'($*)) dnl
corenet_send_ftp_data_client_packets($1)
corenet_receive_ftp_data_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_data_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl
corenet_dontaudit_send_ftp_data_client_packets($1)
corenet_dontaudit_receive_ftp_data_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ftp_data_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_client_packets'($*)) dnl
gen_require(`
type ftp_data_client_packet_t;
')
allow $1 ftp_data_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_client_packets'($*)) dnl
')
########################################
##
## Send ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
allow $1 ftp_data_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ftp_data_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
dontaudit $1 ftp_data_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Receive ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
allow $1 ftp_data_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
dontaudit $1 ftp_data_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Send and receive ftp_data_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_server_packets'($*)) dnl
corenet_send_ftp_data_server_packets($1)
corenet_receive_ftp_data_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ftp_data_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl
corenet_dontaudit_send_ftp_data_server_packets($1)
corenet_dontaudit_receive_ftp_data_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ftp_data_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_server_packets'($*)) dnl
gen_require(`
type ftp_data_server_packet_t;
')
allow $1 ftp_data_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
allow $1 gatekeeper_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
allow $1 gatekeeper_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dontaudit $1 gatekeeper_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
allow $1 gatekeeper_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dontaudit $1 gatekeeper_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl
corenet_udp_send_gatekeeper_port($1)
corenet_udp_receive_gatekeeper_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl
corenet_dontaudit_udp_send_gatekeeper_port($1)
corenet_dontaudit_udp_receive_gatekeeper_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
allow $1 gatekeeper_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gatekeeper_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
allow $1 gatekeeper_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gatekeeper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dontaudit $1 gatekeeper_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gatekeeper_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gatekeeper port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
allow $1 gatekeeper_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gatekeeper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gatekeeper port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gatekeeper_port'($*)) dnl
gen_require(`
type gatekeeper_port_t;
')
dontaudit $1 gatekeeper_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gatekeeper_port'($*)) dnl
')
########################################
##
## Send gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
allow $1 gatekeeper_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gatekeeper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dontaudit $1 gatekeeper_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Receive gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
allow $1 gatekeeper_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
dontaudit $1 gatekeeper_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Send and receive gatekeeper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl
corenet_send_gatekeeper_client_packets($1)
corenet_receive_gatekeeper_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gatekeeper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl
corenet_dontaudit_send_gatekeeper_client_packets($1)
corenet_dontaudit_receive_gatekeeper_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gatekeeper_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_client_packets'($*)) dnl
gen_require(`
type gatekeeper_client_packet_t;
')
allow $1 gatekeeper_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_client_packets'($*)) dnl
')
########################################
##
## Send gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
allow $1 gatekeeper_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gatekeeper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dontaudit $1 gatekeeper_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Receive gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
allow $1 gatekeeper_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
dontaudit $1 gatekeeper_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Send and receive gatekeeper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl
corenet_send_gatekeeper_server_packets($1)
corenet_receive_gatekeeper_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gatekeeper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl
corenet_dontaudit_send_gatekeeper_server_packets($1)
corenet_dontaudit_receive_gatekeeper_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gatekeeper_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_server_packets'($*)) dnl
gen_require(`
type gatekeeper_server_packet_t;
')
allow $1 gatekeeper_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gear port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
allow $1 gear_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gear_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gear port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
allow $1 gear_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gear_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gear port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
dontaudit $1 gear_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gear_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gear port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
allow $1 gear_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gear_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gear port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
dontaudit $1 gear_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gear_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gear port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gear_port'($*)) dnl
corenet_udp_send_gear_port($1)
corenet_udp_receive_gear_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gear_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gear port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gear_port'($*)) dnl
corenet_dontaudit_udp_send_gear_port($1)
corenet_dontaudit_udp_receive_gear_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gear_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gear port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
allow $1 gear_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gear_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gear port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
allow $1 gear_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gear_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gear port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
dontaudit $1 gear_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gear_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gear port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
allow $1 gear_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gear_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gear port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gear_port'($*)) dnl
gen_require(`
type gear_port_t;
')
dontaudit $1 gear_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gear_port'($*)) dnl
')
########################################
##
## Send gear_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gear_client_packets'($*)) dnl
gen_require(`
type gear_client_packet_t;
')
allow $1 gear_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gear_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gear_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gear_client_packets'($*)) dnl
gen_require(`
type gear_client_packet_t;
')
dontaudit $1 gear_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gear_client_packets'($*)) dnl
')
########################################
##
## Receive gear_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gear_client_packets'($*)) dnl
gen_require(`
type gear_client_packet_t;
')
allow $1 gear_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gear_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gear_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gear_client_packets'($*)) dnl
gen_require(`
type gear_client_packet_t;
')
dontaudit $1 gear_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gear_client_packets'($*)) dnl
')
########################################
##
## Send and receive gear_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gear_client_packets'($*)) dnl
corenet_send_gear_client_packets($1)
corenet_receive_gear_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gear_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gear_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gear_client_packets'($*)) dnl
corenet_dontaudit_send_gear_client_packets($1)
corenet_dontaudit_receive_gear_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gear_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gear_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gear_client_packets'($*)) dnl
gen_require(`
type gear_client_packet_t;
')
allow $1 gear_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gear_client_packets'($*)) dnl
')
########################################
##
## Send gear_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gear_server_packets'($*)) dnl
gen_require(`
type gear_server_packet_t;
')
allow $1 gear_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gear_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gear_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gear_server_packets'($*)) dnl
gen_require(`
type gear_server_packet_t;
')
dontaudit $1 gear_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gear_server_packets'($*)) dnl
')
########################################
##
## Receive gear_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gear_server_packets'($*)) dnl
gen_require(`
type gear_server_packet_t;
')
allow $1 gear_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gear_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gear_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gear_server_packets'($*)) dnl
gen_require(`
type gear_server_packet_t;
')
dontaudit $1 gear_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gear_server_packets'($*)) dnl
')
########################################
##
## Send and receive gear_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gear_server_packets'($*)) dnl
corenet_send_gear_server_packets($1)
corenet_receive_gear_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gear_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gear_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gear_server_packets'($*)) dnl
corenet_dontaudit_send_gear_server_packets($1)
corenet_dontaudit_receive_gear_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gear_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gear_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gear_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gear_server_packets'($*)) dnl
gen_require(`
type gear_server_packet_t;
')
allow $1 gear_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gear_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the geneve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
allow $1 geneve_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_geneve_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the geneve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
allow $1 geneve_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_geneve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the geneve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
dontaudit $1 geneve_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_geneve_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the geneve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
allow $1 geneve_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_geneve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the geneve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
dontaudit $1 geneve_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_geneve_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the geneve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_geneve_port'($*)) dnl
corenet_udp_send_geneve_port($1)
corenet_udp_receive_geneve_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_geneve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the geneve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_geneve_port'($*)) dnl
corenet_dontaudit_udp_send_geneve_port($1)
corenet_dontaudit_udp_receive_geneve_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_geneve_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the geneve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
allow $1 geneve_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_geneve_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the geneve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
allow $1 geneve_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_geneve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to geneve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
dontaudit $1 geneve_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_geneve_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the geneve port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
allow $1 geneve_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_geneve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to geneve port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_geneve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_geneve_port'($*)) dnl
gen_require(`
type geneve_port_t;
')
dontaudit $1 geneve_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_geneve_port'($*)) dnl
')
########################################
##
## Send geneve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_geneve_client_packets'($*)) dnl
gen_require(`
type geneve_client_packet_t;
')
allow $1 geneve_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_geneve_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send geneve_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_geneve_client_packets'($*)) dnl
gen_require(`
type geneve_client_packet_t;
')
dontaudit $1 geneve_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_geneve_client_packets'($*)) dnl
')
########################################
##
## Receive geneve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_geneve_client_packets'($*)) dnl
gen_require(`
type geneve_client_packet_t;
')
allow $1 geneve_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_geneve_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive geneve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_geneve_client_packets'($*)) dnl
gen_require(`
type geneve_client_packet_t;
')
dontaudit $1 geneve_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_geneve_client_packets'($*)) dnl
')
########################################
##
## Send and receive geneve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_geneve_client_packets'($*)) dnl
corenet_send_geneve_client_packets($1)
corenet_receive_geneve_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_geneve_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive geneve_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_geneve_client_packets'($*)) dnl
corenet_dontaudit_send_geneve_client_packets($1)
corenet_dontaudit_receive_geneve_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_geneve_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to geneve_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_geneve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_geneve_client_packets'($*)) dnl
gen_require(`
type geneve_client_packet_t;
')
allow $1 geneve_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_geneve_client_packets'($*)) dnl
')
########################################
##
## Send geneve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_geneve_server_packets'($*)) dnl
gen_require(`
type geneve_server_packet_t;
')
allow $1 geneve_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_geneve_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send geneve_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_geneve_server_packets'($*)) dnl
gen_require(`
type geneve_server_packet_t;
')
dontaudit $1 geneve_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_geneve_server_packets'($*)) dnl
')
########################################
##
## Receive geneve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_geneve_server_packets'($*)) dnl
gen_require(`
type geneve_server_packet_t;
')
allow $1 geneve_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_geneve_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive geneve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_geneve_server_packets'($*)) dnl
gen_require(`
type geneve_server_packet_t;
')
dontaudit $1 geneve_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_geneve_server_packets'($*)) dnl
')
########################################
##
## Send and receive geneve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_geneve_server_packets'($*)) dnl
corenet_send_geneve_server_packets($1)
corenet_receive_geneve_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_geneve_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive geneve_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_geneve_server_packets'($*)) dnl
corenet_dontaudit_send_geneve_server_packets($1)
corenet_dontaudit_receive_geneve_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_geneve_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to geneve_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_geneve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_geneve_server_packets'($*)) dnl
gen_require(`
type geneve_server_packet_t;
')
allow $1 geneve_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_geneve_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gdomap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
allow $1 gdomap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gdomap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gdomap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
allow $1 gdomap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gdomap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gdomap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
dontaudit $1 gdomap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gdomap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gdomap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
allow $1 gdomap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gdomap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gdomap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
dontaudit $1 gdomap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gdomap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gdomap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gdomap_port'($*)) dnl
corenet_udp_send_gdomap_port($1)
corenet_udp_receive_gdomap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gdomap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gdomap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gdomap_port'($*)) dnl
corenet_dontaudit_udp_send_gdomap_port($1)
corenet_dontaudit_udp_receive_gdomap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gdomap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gdomap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
allow $1 gdomap_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gdomap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gdomap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
allow $1 gdomap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gdomap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gdomap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
dontaudit $1 gdomap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gdomap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gdomap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
allow $1 gdomap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gdomap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gdomap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gdomap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gdomap_port'($*)) dnl
gen_require(`
type gdomap_port_t;
')
dontaudit $1 gdomap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gdomap_port'($*)) dnl
')
########################################
##
## Send gdomap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gdomap_client_packets'($*)) dnl
gen_require(`
type gdomap_client_packet_t;
')
allow $1 gdomap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gdomap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gdomap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gdomap_client_packets'($*)) dnl
gen_require(`
type gdomap_client_packet_t;
')
dontaudit $1 gdomap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gdomap_client_packets'($*)) dnl
')
########################################
##
## Receive gdomap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gdomap_client_packets'($*)) dnl
gen_require(`
type gdomap_client_packet_t;
')
allow $1 gdomap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gdomap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gdomap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gdomap_client_packets'($*)) dnl
gen_require(`
type gdomap_client_packet_t;
')
dontaudit $1 gdomap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gdomap_client_packets'($*)) dnl
')
########################################
##
## Send and receive gdomap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gdomap_client_packets'($*)) dnl
corenet_send_gdomap_client_packets($1)
corenet_receive_gdomap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gdomap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gdomap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gdomap_client_packets'($*)) dnl
corenet_dontaudit_send_gdomap_client_packets($1)
corenet_dontaudit_receive_gdomap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gdomap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gdomap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gdomap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gdomap_client_packets'($*)) dnl
gen_require(`
type gdomap_client_packet_t;
')
allow $1 gdomap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gdomap_client_packets'($*)) dnl
')
########################################
##
## Send gdomap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gdomap_server_packets'($*)) dnl
gen_require(`
type gdomap_server_packet_t;
')
allow $1 gdomap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gdomap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gdomap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gdomap_server_packets'($*)) dnl
gen_require(`
type gdomap_server_packet_t;
')
dontaudit $1 gdomap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gdomap_server_packets'($*)) dnl
')
########################################
##
## Receive gdomap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gdomap_server_packets'($*)) dnl
gen_require(`
type gdomap_server_packet_t;
')
allow $1 gdomap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gdomap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gdomap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gdomap_server_packets'($*)) dnl
gen_require(`
type gdomap_server_packet_t;
')
dontaudit $1 gdomap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gdomap_server_packets'($*)) dnl
')
########################################
##
## Send and receive gdomap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gdomap_server_packets'($*)) dnl
corenet_send_gdomap_server_packets($1)
corenet_receive_gdomap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gdomap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gdomap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gdomap_server_packets'($*)) dnl
corenet_dontaudit_send_gdomap_server_packets($1)
corenet_dontaudit_receive_gdomap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gdomap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gdomap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gdomap_server_packets'($*)) dnl
gen_require(`
type gdomap_server_packet_t;
')
allow $1 gdomap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gdomap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
allow $1 gds_db_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gds_db_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
allow $1 gds_db_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gds_db_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
allow $1 gds_db_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gds_db_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gds_db_port'($*)) dnl
corenet_udp_send_gds_db_port($1)
corenet_udp_receive_gds_db_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gds_db_port'($*)) dnl
corenet_dontaudit_udp_send_gds_db_port($1)
corenet_dontaudit_udp_receive_gds_db_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gds_db_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
allow $1 gds_db_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gds_db_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
allow $1 gds_db_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gds_db_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gds_db port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
allow $1 gds_db_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gds_db port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gds_db_port'($*)) dnl
gen_require(`
type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gds_db_port'($*)) dnl
')
########################################
##
## Send gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gds_db_client_packets'($*)) dnl
gen_require(`
type gds_db_client_packet_t;
')
allow $1 gds_db_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gds_db_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gds_db_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gds_db_client_packets'($*)) dnl
gen_require(`
type gds_db_client_packet_t;
')
dontaudit $1 gds_db_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gds_db_client_packets'($*)) dnl
')
########################################
##
## Receive gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gds_db_client_packets'($*)) dnl
gen_require(`
type gds_db_client_packet_t;
')
allow $1 gds_db_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gds_db_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gds_db_client_packets'($*)) dnl
gen_require(`
type gds_db_client_packet_t;
')
dontaudit $1 gds_db_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gds_db_client_packets'($*)) dnl
')
########################################
##
## Send and receive gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gds_db_client_packets'($*)) dnl
corenet_send_gds_db_client_packets($1)
corenet_receive_gds_db_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gds_db_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gds_db_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gds_db_client_packets'($*)) dnl
corenet_dontaudit_send_gds_db_client_packets($1)
corenet_dontaudit_receive_gds_db_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gds_db_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gds_db_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gds_db_client_packets'($*)) dnl
gen_require(`
type gds_db_client_packet_t;
')
allow $1 gds_db_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gds_db_client_packets'($*)) dnl
')
########################################
##
## Send gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gds_db_server_packets'($*)) dnl
gen_require(`
type gds_db_server_packet_t;
')
allow $1 gds_db_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gds_db_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gds_db_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gds_db_server_packets'($*)) dnl
gen_require(`
type gds_db_server_packet_t;
')
dontaudit $1 gds_db_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gds_db_server_packets'($*)) dnl
')
########################################
##
## Receive gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gds_db_server_packets'($*)) dnl
gen_require(`
type gds_db_server_packet_t;
')
allow $1 gds_db_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gds_db_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gds_db_server_packets'($*)) dnl
gen_require(`
type gds_db_server_packet_t;
')
dontaudit $1 gds_db_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gds_db_server_packets'($*)) dnl
')
########################################
##
## Send and receive gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gds_db_server_packets'($*)) dnl
corenet_send_gds_db_server_packets($1)
corenet_receive_gds_db_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gds_db_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gds_db_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gds_db_server_packets'($*)) dnl
corenet_dontaudit_send_gds_db_server_packets($1)
corenet_dontaudit_receive_gds_db_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gds_db_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gds_db_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gds_db_server_packets'($*)) dnl
gen_require(`
type gds_db_server_packet_t;
')
allow $1 gds_db_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gds_db_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
allow $1 giftd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
allow $1 giftd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dontaudit $1 giftd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_giftd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
allow $1 giftd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dontaudit $1 giftd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_giftd_port'($*)) dnl
corenet_udp_send_giftd_port($1)
corenet_udp_receive_giftd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl
corenet_dontaudit_udp_send_giftd_port($1)
corenet_dontaudit_udp_receive_giftd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
allow $1 giftd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_giftd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
allow $1 giftd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dontaudit $1 giftd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_giftd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the giftd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
allow $1 giftd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to giftd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_giftd_port'($*)) dnl
gen_require(`
type giftd_port_t;
')
dontaudit $1 giftd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_giftd_port'($*)) dnl
')
########################################
##
## Send giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
allow $1 giftd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dontaudit $1 giftd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_client_packets'($*)) dnl
')
########################################
##
## Receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
allow $1 giftd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
dontaudit $1 giftd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl
')
########################################
##
## Send and receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_client_packets'($*)) dnl
corenet_send_giftd_client_packets($1)
corenet_receive_giftd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl
corenet_dontaudit_send_giftd_client_packets($1)
corenet_dontaudit_receive_giftd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to giftd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_client_packets'($*)) dnl
gen_require(`
type giftd_client_packet_t;
')
allow $1 giftd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_client_packets'($*)) dnl
')
########################################
##
## Send giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_server_packets'($*)) dnl
gen_require(`
type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_server_packets'($*)) dnl
gen_require(`
type giftd_server_packet_t;
')
dontaudit $1 giftd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_server_packets'($*)) dnl
')
########################################
##
## Receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_server_packets'($*)) dnl
gen_require(`
type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl
gen_require(`
type giftd_server_packet_t;
')
dontaudit $1 giftd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl
')
########################################
##
## Send and receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_server_packets'($*)) dnl
corenet_send_giftd_server_packets($1)
corenet_receive_giftd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl
corenet_dontaudit_send_giftd_server_packets($1)
corenet_dontaudit_receive_giftd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to giftd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_server_packets'($*)) dnl
gen_require(`
type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
allow $1 git_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_git_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
allow $1 git_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the git port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
dontaudit $1 git_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_git_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
allow $1 git_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the git port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
dontaudit $1 git_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_git_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_git_port'($*)) dnl
corenet_udp_send_git_port($1)
corenet_udp_receive_git_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the git port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_git_port'($*)) dnl
corenet_dontaudit_udp_send_git_port($1)
corenet_dontaudit_udp_receive_git_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_git_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
allow $1 git_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_git_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
allow $1 git_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to git port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
dontaudit $1 git_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_git_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the git port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
allow $1 git_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to git port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_git_port'($*)) dnl
gen_require(`
type git_port_t;
')
dontaudit $1 git_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_git_port'($*)) dnl
')
########################################
##
## Send git_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_git_client_packets'($*)) dnl
gen_require(`
type git_client_packet_t;
')
allow $1 git_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_git_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send git_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_git_client_packets'($*)) dnl
gen_require(`
type git_client_packet_t;
')
dontaudit $1 git_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_git_client_packets'($*)) dnl
')
########################################
##
## Receive git_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_git_client_packets'($*)) dnl
gen_require(`
type git_client_packet_t;
')
allow $1 git_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_git_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive git_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_git_client_packets'($*)) dnl
gen_require(`
type git_client_packet_t;
')
dontaudit $1 git_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_git_client_packets'($*)) dnl
')
########################################
##
## Send and receive git_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_git_client_packets'($*)) dnl
corenet_send_git_client_packets($1)
corenet_receive_git_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_git_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive git_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_git_client_packets'($*)) dnl
corenet_dontaudit_send_git_client_packets($1)
corenet_dontaudit_receive_git_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_git_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to git_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_git_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_git_client_packets'($*)) dnl
gen_require(`
type git_client_packet_t;
')
allow $1 git_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_git_client_packets'($*)) dnl
')
########################################
##
## Send git_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_git_server_packets'($*)) dnl
gen_require(`
type git_server_packet_t;
')
allow $1 git_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_git_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send git_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_git_server_packets'($*)) dnl
gen_require(`
type git_server_packet_t;
')
dontaudit $1 git_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_git_server_packets'($*)) dnl
')
########################################
##
## Receive git_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_git_server_packets'($*)) dnl
gen_require(`
type git_server_packet_t;
')
allow $1 git_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_git_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive git_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_git_server_packets'($*)) dnl
gen_require(`
type git_server_packet_t;
')
dontaudit $1 git_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_git_server_packets'($*)) dnl
')
########################################
##
## Send and receive git_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_git_server_packets'($*)) dnl
corenet_send_git_server_packets($1)
corenet_receive_git_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_git_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive git_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_git_server_packets'($*)) dnl
corenet_dontaudit_send_git_server_packets($1)
corenet_dontaudit_receive_git_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_git_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to git_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_git_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_git_server_packets'($*)) dnl
gen_require(`
type git_server_packet_t;
')
allow $1 git_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_git_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the glance port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
allow $1 glance_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_glance_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the glance port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
allow $1 glance_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_glance_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the glance port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
dontaudit $1 glance_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_glance_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the glance port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
allow $1 glance_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_glance_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the glance port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
dontaudit $1 glance_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_glance_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the glance port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_glance_port'($*)) dnl
corenet_udp_send_glance_port($1)
corenet_udp_receive_glance_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_glance_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the glance port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_glance_port'($*)) dnl
corenet_dontaudit_udp_send_glance_port($1)
corenet_dontaudit_udp_receive_glance_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_glance_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the glance port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
allow $1 glance_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_glance_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the glance port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
allow $1 glance_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_glance_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to glance port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
dontaudit $1 glance_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_glance_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the glance port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
allow $1 glance_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_glance_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to glance port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_glance_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_glance_port'($*)) dnl
gen_require(`
type glance_port_t;
')
dontaudit $1 glance_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_glance_port'($*)) dnl
')
########################################
##
## Send glance_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_glance_client_packets'($*)) dnl
gen_require(`
type glance_client_packet_t;
')
allow $1 glance_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_glance_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send glance_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_client_packets'($*)) dnl
gen_require(`
type glance_client_packet_t;
')
dontaudit $1 glance_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_client_packets'($*)) dnl
')
########################################
##
## Receive glance_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_client_packets'($*)) dnl
gen_require(`
type glance_client_packet_t;
')
allow $1 glance_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_glance_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive glance_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_client_packets'($*)) dnl
gen_require(`
type glance_client_packet_t;
')
dontaudit $1 glance_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_client_packets'($*)) dnl
')
########################################
##
## Send and receive glance_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_client_packets'($*)) dnl
corenet_send_glance_client_packets($1)
corenet_receive_glance_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive glance_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_client_packets'($*)) dnl
corenet_dontaudit_send_glance_client_packets($1)
corenet_dontaudit_receive_glance_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to glance_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_glance_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_client_packets'($*)) dnl
gen_require(`
type glance_client_packet_t;
')
allow $1 glance_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_client_packets'($*)) dnl
')
########################################
##
## Send glance_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_glance_server_packets'($*)) dnl
gen_require(`
type glance_server_packet_t;
')
allow $1 glance_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_glance_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send glance_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_server_packets'($*)) dnl
gen_require(`
type glance_server_packet_t;
')
dontaudit $1 glance_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_server_packets'($*)) dnl
')
########################################
##
## Receive glance_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_server_packets'($*)) dnl
gen_require(`
type glance_server_packet_t;
')
allow $1 glance_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_glance_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive glance_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_server_packets'($*)) dnl
gen_require(`
type glance_server_packet_t;
')
dontaudit $1 glance_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_server_packets'($*)) dnl
')
########################################
##
## Send and receive glance_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_server_packets'($*)) dnl
corenet_send_glance_server_packets($1)
corenet_receive_glance_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive glance_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_server_packets'($*)) dnl
corenet_dontaudit_send_glance_server_packets($1)
corenet_dontaudit_receive_glance_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to glance_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_glance_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_server_packets'($*)) dnl
gen_require(`
type glance_server_packet_t;
')
allow $1 glance_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the glance_registry port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
allow $1 glance_registry_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_glance_registry_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the glance_registry port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
allow $1 glance_registry_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_glance_registry_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the glance_registry port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
dontaudit $1 glance_registry_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_glance_registry_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the glance_registry port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
allow $1 glance_registry_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_glance_registry_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the glance_registry port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
dontaudit $1 glance_registry_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_glance_registry_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the glance_registry port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_glance_registry_port'($*)) dnl
corenet_udp_send_glance_registry_port($1)
corenet_udp_receive_glance_registry_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_glance_registry_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the glance_registry port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_glance_registry_port'($*)) dnl
corenet_dontaudit_udp_send_glance_registry_port($1)
corenet_dontaudit_udp_receive_glance_registry_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_glance_registry_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the glance_registry port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
allow $1 glance_registry_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_glance_registry_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the glance_registry port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
allow $1 glance_registry_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_glance_registry_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to glance_registry port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
dontaudit $1 glance_registry_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_glance_registry_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the glance_registry port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
allow $1 glance_registry_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_glance_registry_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to glance_registry port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_glance_registry_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_glance_registry_port'($*)) dnl
gen_require(`
type glance_registry_port_t;
')
dontaudit $1 glance_registry_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_glance_registry_port'($*)) dnl
')
########################################
##
## Send glance_registry_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_glance_registry_client_packets'($*)) dnl
gen_require(`
type glance_registry_client_packet_t;
')
allow $1 glance_registry_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send glance_registry_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_registry_client_packets'($*)) dnl
gen_require(`
type glance_registry_client_packet_t;
')
dontaudit $1 glance_registry_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Receive glance_registry_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_registry_client_packets'($*)) dnl
gen_require(`
type glance_registry_client_packet_t;
')
allow $1 glance_registry_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive glance_registry_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_registry_client_packets'($*)) dnl
gen_require(`
type glance_registry_client_packet_t;
')
dontaudit $1 glance_registry_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Send and receive glance_registry_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_registry_client_packets'($*)) dnl
corenet_send_glance_registry_client_packets($1)
corenet_receive_glance_registry_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive glance_registry_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_registry_client_packets'($*)) dnl
corenet_dontaudit_send_glance_registry_client_packets($1)
corenet_dontaudit_receive_glance_registry_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to glance_registry_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_registry_client_packets'($*)) dnl
gen_require(`
type glance_registry_client_packet_t;
')
allow $1 glance_registry_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_registry_client_packets'($*)) dnl
')
########################################
##
## Send glance_registry_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_glance_registry_server_packets'($*)) dnl
gen_require(`
type glance_registry_server_packet_t;
')
allow $1 glance_registry_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send glance_registry_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_registry_server_packets'($*)) dnl
gen_require(`
type glance_registry_server_packet_t;
')
dontaudit $1 glance_registry_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Receive glance_registry_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_registry_server_packets'($*)) dnl
gen_require(`
type glance_registry_server_packet_t;
')
allow $1 glance_registry_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive glance_registry_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_registry_server_packets'($*)) dnl
gen_require(`
type glance_registry_server_packet_t;
')
dontaudit $1 glance_registry_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Send and receive glance_registry_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_registry_server_packets'($*)) dnl
corenet_send_glance_registry_server_packets($1)
corenet_receive_glance_registry_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive glance_registry_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_registry_server_packets'($*)) dnl
corenet_dontaudit_send_glance_registry_server_packets($1)
corenet_dontaudit_receive_glance_registry_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to glance_registry_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_registry_server_packets'($*)) dnl
gen_require(`
type glance_registry_server_packet_t;
')
allow $1 glance_registry_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_registry_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
allow $1 gluster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gluster_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
allow $1 gluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
dontaudit $1 gluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gluster_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
allow $1 gluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
dontaudit $1 gluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gluster_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gluster_port'($*)) dnl
corenet_udp_send_gluster_port($1)
corenet_udp_receive_gluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gluster_port'($*)) dnl
corenet_dontaudit_udp_send_gluster_port($1)
corenet_dontaudit_udp_receive_gluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gluster_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
allow $1 gluster_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gluster_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
allow $1 gluster_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
dontaudit $1 gluster_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gluster_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
allow $1 gluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gluster_port'($*)) dnl
gen_require(`
type gluster_port_t;
')
dontaudit $1 gluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gluster_port'($*)) dnl
')
########################################
##
## Send gluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gluster_client_packets'($*)) dnl
gen_require(`
type gluster_client_packet_t;
')
allow $1 gluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gluster_client_packets'($*)) dnl
gen_require(`
type gluster_client_packet_t;
')
dontaudit $1 gluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gluster_client_packets'($*)) dnl
')
########################################
##
## Receive gluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gluster_client_packets'($*)) dnl
gen_require(`
type gluster_client_packet_t;
')
allow $1 gluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gluster_client_packets'($*)) dnl
gen_require(`
type gluster_client_packet_t;
')
dontaudit $1 gluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gluster_client_packets'($*)) dnl
')
########################################
##
## Send and receive gluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gluster_client_packets'($*)) dnl
corenet_send_gluster_client_packets($1)
corenet_receive_gluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gluster_client_packets'($*)) dnl
corenet_dontaudit_send_gluster_client_packets($1)
corenet_dontaudit_receive_gluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gluster_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gluster_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gluster_client_packets'($*)) dnl
gen_require(`
type gluster_client_packet_t;
')
allow $1 gluster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gluster_client_packets'($*)) dnl
')
########################################
##
## Send gluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gluster_server_packets'($*)) dnl
gen_require(`
type gluster_server_packet_t;
')
allow $1 gluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gluster_server_packets'($*)) dnl
gen_require(`
type gluster_server_packet_t;
')
dontaudit $1 gluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gluster_server_packets'($*)) dnl
')
########################################
##
## Receive gluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gluster_server_packets'($*)) dnl
gen_require(`
type gluster_server_packet_t;
')
allow $1 gluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gluster_server_packets'($*)) dnl
gen_require(`
type gluster_server_packet_t;
')
dontaudit $1 gluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive gluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gluster_server_packets'($*)) dnl
corenet_send_gluster_server_packets($1)
corenet_receive_gluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gluster_server_packets'($*)) dnl
corenet_dontaudit_send_gluster_server_packets($1)
corenet_dontaudit_receive_gluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gluster_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gluster_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gluster_server_packets'($*)) dnl
gen_require(`
type gluster_server_packet_t;
')
allow $1 gluster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gopher_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
dontaudit $1 gopher_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gopher_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
dontaudit $1 gopher_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gopher_port'($*)) dnl
corenet_udp_send_gopher_port($1)
corenet_udp_receive_gopher_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl
corenet_dontaudit_udp_send_gopher_port($1)
corenet_dontaudit_udp_receive_gopher_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gopher_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gopher port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gopher port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
dontaudit $1 gopher_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gopher_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gopher port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
allow $1 gopher_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gopher_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gopher port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gopher_port'($*)) dnl
gen_require(`
type gopher_port_t;
')
dontaudit $1 gopher_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gopher_port'($*)) dnl
')
########################################
##
## Send gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_client_packets'($*)) dnl
gen_require(`
type gopher_client_packet_t;
')
allow $1 gopher_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gopher_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gopher_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_client_packets'($*)) dnl
gen_require(`
type gopher_client_packet_t;
')
dontaudit $1 gopher_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_client_packets'($*)) dnl
')
########################################
##
## Receive gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_client_packets'($*)) dnl
gen_require(`
type gopher_client_packet_t;
')
allow $1 gopher_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl
gen_require(`
type gopher_client_packet_t;
')
dontaudit $1 gopher_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl
')
########################################
##
## Send and receive gopher_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_client_packets'($*)) dnl
corenet_send_gopher_client_packets($1)
corenet_receive_gopher_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gopher_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl
corenet_dontaudit_send_gopher_client_packets($1)
corenet_dontaudit_receive_gopher_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gopher_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_client_packets'($*)) dnl
gen_require(`
type gopher_client_packet_t;
')
allow $1 gopher_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_client_packets'($*)) dnl
')
########################################
##
## Send gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_server_packets'($*)) dnl
gen_require(`
type gopher_server_packet_t;
')
allow $1 gopher_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gopher_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gopher_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_server_packets'($*)) dnl
gen_require(`
type gopher_server_packet_t;
')
dontaudit $1 gopher_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_server_packets'($*)) dnl
')
########################################
##
## Receive gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_server_packets'($*)) dnl
gen_require(`
type gopher_server_packet_t;
')
allow $1 gopher_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl
gen_require(`
type gopher_server_packet_t;
')
dontaudit $1 gopher_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl
')
########################################
##
## Send and receive gopher_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_server_packets'($*)) dnl
corenet_send_gopher_server_packets($1)
corenet_receive_gopher_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gopher_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl
corenet_dontaudit_send_gopher_server_packets($1)
corenet_dontaudit_receive_gopher_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gopher_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gopher_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_server_packets'($*)) dnl
gen_require(`
type gopher_server_packet_t;
')
allow $1 gopher_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gpsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
allow $1 gpsd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gpsd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gpsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
allow $1 gpsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gpsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gpsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
dontaudit $1 gpsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gpsd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gpsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
allow $1 gpsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gpsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gpsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
dontaudit $1 gpsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gpsd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gpsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gpsd_port'($*)) dnl
corenet_udp_send_gpsd_port($1)
corenet_udp_receive_gpsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gpsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gpsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gpsd_port'($*)) dnl
corenet_dontaudit_udp_send_gpsd_port($1)
corenet_dontaudit_udp_receive_gpsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gpsd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gpsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
allow $1 gpsd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gpsd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gpsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
allow $1 gpsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gpsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to gpsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
dontaudit $1 gpsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gpsd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gpsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
allow $1 gpsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gpsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to gpsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_gpsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gpsd_port'($*)) dnl
gen_require(`
type gpsd_port_t;
')
dontaudit $1 gpsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gpsd_port'($*)) dnl
')
########################################
##
## Send gpsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gpsd_client_packets'($*)) dnl
gen_require(`
type gpsd_client_packet_t;
')
allow $1 gpsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gpsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gpsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gpsd_client_packets'($*)) dnl
gen_require(`
type gpsd_client_packet_t;
')
dontaudit $1 gpsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gpsd_client_packets'($*)) dnl
')
########################################
##
## Receive gpsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gpsd_client_packets'($*)) dnl
gen_require(`
type gpsd_client_packet_t;
')
allow $1 gpsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gpsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gpsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gpsd_client_packets'($*)) dnl
gen_require(`
type gpsd_client_packet_t;
')
dontaudit $1 gpsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gpsd_client_packets'($*)) dnl
')
########################################
##
## Send and receive gpsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gpsd_client_packets'($*)) dnl
corenet_send_gpsd_client_packets($1)
corenet_receive_gpsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gpsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gpsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gpsd_client_packets'($*)) dnl
corenet_dontaudit_send_gpsd_client_packets($1)
corenet_dontaudit_receive_gpsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gpsd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to gpsd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gpsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gpsd_client_packets'($*)) dnl
gen_require(`
type gpsd_client_packet_t;
')
allow $1 gpsd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gpsd_client_packets'($*)) dnl
')
########################################
##
## Send gpsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gpsd_server_packets'($*)) dnl
gen_require(`
type gpsd_server_packet_t;
')
allow $1 gpsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gpsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gpsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gpsd_server_packets'($*)) dnl
gen_require(`
type gpsd_server_packet_t;
')
dontaudit $1 gpsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gpsd_server_packets'($*)) dnl
')
########################################
##
## Receive gpsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gpsd_server_packets'($*)) dnl
gen_require(`
type gpsd_server_packet_t;
')
allow $1 gpsd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gpsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gpsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gpsd_server_packets'($*)) dnl
gen_require(`
type gpsd_server_packet_t;
')
dontaudit $1 gpsd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gpsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive gpsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gpsd_server_packets'($*)) dnl
corenet_send_gpsd_server_packets($1)
corenet_receive_gpsd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gpsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gpsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gpsd_server_packets'($*)) dnl
corenet_dontaudit_send_gpsd_server_packets($1)
corenet_dontaudit_receive_gpsd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gpsd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to gpsd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gpsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gpsd_server_packets'($*)) dnl
gen_require(`
type gpsd_server_packet_t;
')
allow $1 gpsd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gpsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
allow $1 hadoop_datanode_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
allow $1 hadoop_datanode_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the hadoop_datanode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
dontaudit $1 hadoop_datanode_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
allow $1 hadoop_datanode_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the hadoop_datanode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
dontaudit $1 hadoop_datanode_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hadoop_datanode_port'($*)) dnl
corenet_udp_send_hadoop_datanode_port($1)
corenet_udp_receive_hadoop_datanode_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the hadoop_datanode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hadoop_datanode_port'($*)) dnl
corenet_dontaudit_udp_send_hadoop_datanode_port($1)
corenet_dontaudit_udp_receive_hadoop_datanode_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
allow $1 hadoop_datanode_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
allow $1 hadoop_datanode_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to hadoop_datanode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
dontaudit $1 hadoop_datanode_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
allow $1 hadoop_datanode_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to hadoop_datanode port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_hadoop_datanode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hadoop_datanode_port'($*)) dnl
gen_require(`
type hadoop_datanode_port_t;
')
dontaudit $1 hadoop_datanode_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hadoop_datanode_port'($*)) dnl
')
########################################
##
## Send hadoop_datanode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_datanode_client_packets'($*)) dnl
gen_require(`
type hadoop_datanode_client_packet_t;
')
allow $1 hadoop_datanode_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hadoop_datanode_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_datanode_client_packets'($*)) dnl
gen_require(`
type hadoop_datanode_client_packet_t;
')
dontaudit $1 hadoop_datanode_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Receive hadoop_datanode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_datanode_client_packets'($*)) dnl
gen_require(`
type hadoop_datanode_client_packet_t;
')
allow $1 hadoop_datanode_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hadoop_datanode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_datanode_client_packets'($*)) dnl
gen_require(`
type hadoop_datanode_client_packet_t;
')
dontaudit $1 hadoop_datanode_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Send and receive hadoop_datanode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_datanode_client_packets'($*)) dnl
corenet_send_hadoop_datanode_client_packets($1)
corenet_receive_hadoop_datanode_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hadoop_datanode_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_datanode_client_packets'($*)) dnl
corenet_dontaudit_send_hadoop_datanode_client_packets($1)
corenet_dontaudit_receive_hadoop_datanode_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to hadoop_datanode_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hadoop_datanode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_datanode_client_packets'($*)) dnl
gen_require(`
type hadoop_datanode_client_packet_t;
')
allow $1 hadoop_datanode_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_datanode_client_packets'($*)) dnl
')
########################################
##
## Send hadoop_datanode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_datanode_server_packets'($*)) dnl
gen_require(`
type hadoop_datanode_server_packet_t;
')
allow $1 hadoop_datanode_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hadoop_datanode_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_datanode_server_packets'($*)) dnl
gen_require(`
type hadoop_datanode_server_packet_t;
')
dontaudit $1 hadoop_datanode_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Receive hadoop_datanode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_datanode_server_packets'($*)) dnl
gen_require(`
type hadoop_datanode_server_packet_t;
')
allow $1 hadoop_datanode_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hadoop_datanode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_datanode_server_packets'($*)) dnl
gen_require(`
type hadoop_datanode_server_packet_t;
')
dontaudit $1 hadoop_datanode_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Send and receive hadoop_datanode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_datanode_server_packets'($*)) dnl
corenet_send_hadoop_datanode_server_packets($1)
corenet_receive_hadoop_datanode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hadoop_datanode_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_datanode_server_packets'($*)) dnl
corenet_dontaudit_send_hadoop_datanode_server_packets($1)
corenet_dontaudit_receive_hadoop_datanode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to hadoop_datanode_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_datanode_server_packets'($*)) dnl
gen_require(`
type hadoop_datanode_server_packet_t;
')
allow $1 hadoop_datanode_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_datanode_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
allow $1 hadoop_namenode_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
allow $1 hadoop_namenode_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the hadoop_namenode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
dontaudit $1 hadoop_namenode_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
allow $1 hadoop_namenode_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the hadoop_namenode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
dontaudit $1 hadoop_namenode_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hadoop_namenode_port'($*)) dnl
corenet_udp_send_hadoop_namenode_port($1)
corenet_udp_receive_hadoop_namenode_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the hadoop_namenode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hadoop_namenode_port'($*)) dnl
corenet_dontaudit_udp_send_hadoop_namenode_port($1)
corenet_dontaudit_udp_receive_hadoop_namenode_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
allow $1 hadoop_namenode_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
allow $1 hadoop_namenode_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to hadoop_namenode port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
dontaudit $1 hadoop_namenode_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
allow $1 hadoop_namenode_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to hadoop_namenode port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hadoop_namenode_port'($*)) dnl
gen_require(`
type hadoop_namenode_port_t;
')
dontaudit $1 hadoop_namenode_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hadoop_namenode_port'($*)) dnl
')
########################################
##
## Send hadoop_namenode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_namenode_client_packets'($*)) dnl
gen_require(`
type hadoop_namenode_client_packet_t;
')
allow $1 hadoop_namenode_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hadoop_namenode_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_namenode_client_packets'($*)) dnl
gen_require(`
type hadoop_namenode_client_packet_t;
')
dontaudit $1 hadoop_namenode_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Receive hadoop_namenode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_namenode_client_packets'($*)) dnl
gen_require(`
type hadoop_namenode_client_packet_t;
')
allow $1 hadoop_namenode_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hadoop_namenode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_namenode_client_packets'($*)) dnl
gen_require(`
type hadoop_namenode_client_packet_t;
')
dontaudit $1 hadoop_namenode_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Send and receive hadoop_namenode_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_namenode_client_packets'($*)) dnl
corenet_send_hadoop_namenode_client_packets($1)
corenet_receive_hadoop_namenode_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hadoop_namenode_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_namenode_client_packets'($*)) dnl
corenet_dontaudit_send_hadoop_namenode_client_packets($1)
corenet_dontaudit_receive_hadoop_namenode_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to hadoop_namenode_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_namenode_client_packets'($*)) dnl
gen_require(`
type hadoop_namenode_client_packet_t;
')
allow $1 hadoop_namenode_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_namenode_client_packets'($*)) dnl
')
########################################
##
## Send hadoop_namenode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_namenode_server_packets'($*)) dnl
gen_require(`
type hadoop_namenode_server_packet_t;
')
allow $1 hadoop_namenode_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hadoop_namenode_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_namenode_server_packets'($*)) dnl
gen_require(`
type hadoop_namenode_server_packet_t;
')
dontaudit $1 hadoop_namenode_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Receive hadoop_namenode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_namenode_server_packets'($*)) dnl
gen_require(`
type hadoop_namenode_server_packet_t;
')
allow $1 hadoop_namenode_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hadoop_namenode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_namenode_server_packets'($*)) dnl
gen_require(`
type hadoop_namenode_server_packet_t;
')
dontaudit $1 hadoop_namenode_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Send and receive hadoop_namenode_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_namenode_server_packets'($*)) dnl
corenet_send_hadoop_namenode_server_packets($1)
corenet_receive_hadoop_namenode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hadoop_namenode_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_namenode_server_packets'($*)) dnl
corenet_dontaudit_send_hadoop_namenode_server_packets($1)
corenet_dontaudit_receive_hadoop_namenode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to hadoop_namenode_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_namenode_server_packets'($*)) dnl
gen_require(`
type hadoop_namenode_server_packet_t;
')
allow $1 hadoop_namenode_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_namenode_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the hddtemp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
allow $1 hddtemp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hddtemp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the hddtemp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
allow $1 hddtemp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hddtemp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the hddtemp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
dontaudit $1 hddtemp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hddtemp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the hddtemp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
allow $1 hddtemp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hddtemp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the hddtemp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
dontaudit $1 hddtemp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hddtemp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the hddtemp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hddtemp_port'($*)) dnl
corenet_udp_send_hddtemp_port($1)
corenet_udp_receive_hddtemp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hddtemp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the hddtemp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hddtemp_port'($*)) dnl
corenet_dontaudit_udp_send_hddtemp_port($1)
corenet_dontaudit_udp_receive_hddtemp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hddtemp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the hddtemp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
allow $1 hddtemp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hddtemp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the hddtemp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
allow $1 hddtemp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hddtemp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to hddtemp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
dontaudit $1 hddtemp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hddtemp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the hddtemp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
allow $1 hddtemp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hddtemp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to hddtemp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hddtemp_port'($*)) dnl
gen_require(`
type hddtemp_port_t;
')
dontaudit $1 hddtemp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hddtemp_port'($*)) dnl
')
########################################
##
## Send hddtemp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hddtemp_client_packets'($*)) dnl
gen_require(`
type hddtemp_client_packet_t;
')
allow $1 hddtemp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hddtemp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hddtemp_client_packets'($*)) dnl
gen_require(`
type hddtemp_client_packet_t;
')
dontaudit $1 hddtemp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Receive hddtemp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hddtemp_client_packets'($*)) dnl
gen_require(`
type hddtemp_client_packet_t;
')
allow $1 hddtemp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hddtemp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hddtemp_client_packets'($*)) dnl
gen_require(`
type hddtemp_client_packet_t;
')
dontaudit $1 hddtemp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Send and receive hddtemp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hddtemp_client_packets'($*)) dnl
corenet_send_hddtemp_client_packets($1)
corenet_receive_hddtemp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hddtemp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hddtemp_client_packets'($*)) dnl
corenet_dontaudit_send_hddtemp_client_packets($1)
corenet_dontaudit_receive_hddtemp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to hddtemp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hddtemp_client_packets'($*)) dnl
gen_require(`
type hddtemp_client_packet_t;
')
allow $1 hddtemp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hddtemp_client_packets'($*)) dnl
')
########################################
##
## Send hddtemp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hddtemp_server_packets'($*)) dnl
gen_require(`
type hddtemp_server_packet_t;
')
allow $1 hddtemp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hddtemp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hddtemp_server_packets'($*)) dnl
gen_require(`
type hddtemp_server_packet_t;
')
dontaudit $1 hddtemp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Receive hddtemp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hddtemp_server_packets'($*)) dnl
gen_require(`
type hddtemp_server_packet_t;
')
allow $1 hddtemp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hddtemp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hddtemp_server_packets'($*)) dnl
gen_require(`
type hddtemp_server_packet_t;
')
dontaudit $1 hddtemp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Send and receive hddtemp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hddtemp_server_packets'($*)) dnl
corenet_send_hddtemp_server_packets($1)
corenet_receive_hddtemp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hddtemp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hddtemp_server_packets'($*)) dnl
corenet_dontaudit_send_hddtemp_server_packets($1)
corenet_dontaudit_receive_hddtemp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to hddtemp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hddtemp_server_packets'($*)) dnl
gen_require(`
type hddtemp_server_packet_t;
')
allow $1 hddtemp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hddtemp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_howl_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
dontaudit $1 howl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_howl_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
dontaudit $1 howl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_howl_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_howl_port'($*)) dnl
corenet_udp_send_howl_port($1)
corenet_udp_receive_howl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl
corenet_dontaudit_udp_send_howl_port($1)
corenet_dontaudit_udp_receive_howl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_howl_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the howl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to howl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
dontaudit $1 howl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_howl_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the howl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
allow $1 howl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_howl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to howl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_howl_port'($*)) dnl
gen_require(`
type howl_port_t;
')
dontaudit $1 howl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_howl_port'($*)) dnl
')
########################################
##
## Send howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
allow $1 howl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_howl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send howl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
dontaudit $1 howl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_client_packets'($*)) dnl
')
########################################
##
## Receive howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
allow $1 howl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_howl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
dontaudit $1 howl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_client_packets'($*)) dnl
')
########################################
##
## Send and receive howl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_client_packets'($*)) dnl
corenet_send_howl_client_packets($1)
corenet_receive_howl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive howl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl
corenet_dontaudit_send_howl_client_packets($1)
corenet_dontaudit_receive_howl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to howl_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_client_packets'($*)) dnl
gen_require(`
type howl_client_packet_t;
')
allow $1 howl_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_client_packets'($*)) dnl
')
########################################
##
## Send howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
allow $1 howl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_howl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send howl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
dontaudit $1 howl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_server_packets'($*)) dnl
')
########################################
##
## Receive howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
allow $1 howl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_howl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
dontaudit $1 howl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_server_packets'($*)) dnl
')
########################################
##
## Send and receive howl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_server_packets'($*)) dnl
corenet_send_howl_server_packets($1)
corenet_receive_howl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive howl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl
corenet_dontaudit_send_howl_server_packets($1)
corenet_dontaudit_receive_howl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to howl_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_server_packets'($*)) dnl
gen_require(`
type howl_server_packet_t;
')
allow $1 howl_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
allow $1 hplip_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hplip_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
allow $1 hplip_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
dontaudit $1 hplip_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hplip_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
allow $1 hplip_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
dontaudit $1 hplip_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hplip_port'($*)) dnl
corenet_udp_send_hplip_port($1)
corenet_udp_receive_hplip_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl
corenet_dontaudit_udp_send_hplip_port($1)
corenet_dontaudit_udp_receive_hplip_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
allow $1 hplip_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hplip_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the hplip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
allow $1 hplip_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to hplip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
dontaudit $1 hplip_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hplip_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the hplip port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
allow $1 hplip_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hplip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to hplip port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hplip_port'($*)) dnl
gen_require(`
type hplip_port_t;
')
dontaudit $1 hplip_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hplip_port'($*)) dnl
')
########################################
##
## Send hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
allow $1 hplip_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hplip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hplip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
dontaudit $1 hplip_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_client_packets'($*)) dnl
')
########################################
##
## Receive hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
allow $1 hplip_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
dontaudit $1 hplip_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl
')
########################################
##
## Send and receive hplip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_client_packets'($*)) dnl
corenet_send_hplip_client_packets($1)
corenet_receive_hplip_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hplip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl
corenet_dontaudit_send_hplip_client_packets($1)
corenet_dontaudit_receive_hplip_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to hplip_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_client_packets'($*)) dnl
gen_require(`
type hplip_client_packet_t;
')
allow $1 hplip_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_client_packets'($*)) dnl
')
########################################
##
## Send hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
allow $1 hplip_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hplip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send hplip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
dontaudit $1 hplip_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_server_packets'($*)) dnl
')
########################################
##
## Receive hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
allow $1 hplip_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
dontaudit $1 hplip_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl
')
########################################
##
## Send and receive hplip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_server_packets'($*)) dnl
corenet_send_hplip_server_packets($1)
corenet_receive_hplip_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive hplip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl
corenet_dontaudit_send_hplip_server_packets($1)
corenet_dontaudit_receive_hplip_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to hplip_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_server_packets'($*)) dnl
gen_require(`
type hplip_server_packet_t;
')
allow $1 hplip_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
dontaudit $1 http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
dontaudit $1 http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_port'($*)) dnl
corenet_udp_send_http_port($1)
corenet_udp_receive_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl
corenet_dontaudit_udp_send_http_port($1)
corenet_dontaudit_udp_receive_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
dontaudit $1 http_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_http_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the http port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
allow $1 http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to http port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_http_port'($*)) dnl
gen_require(`
type http_port_t;
')
dontaudit $1 http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_http_port'($*)) dnl
')
########################################
##
## Send http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
allow $1 http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
dontaudit $1 http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_client_packets'($*)) dnl
')
########################################
##
## Receive http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
allow $1 http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
dontaudit $1 http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_client_packets'($*)) dnl
')
########################################
##
## Send and receive http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_client_packets'($*)) dnl
corenet_send_http_client_packets($1)
corenet_receive_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl
corenet_dontaudit_send_http_client_packets($1)
corenet_dontaudit_receive_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to http_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_client_packets'($*)) dnl
gen_require(`
type http_client_packet_t;
')
allow $1 http_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_client_packets'($*)) dnl
')
########################################
##
## Send http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
allow $1 http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
dontaudit $1 http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_server_packets'($*)) dnl
')
########################################
##
## Receive http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
allow $1 http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
dontaudit $1 http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_server_packets'($*)) dnl
')
########################################
##
## Send and receive http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_server_packets'($*)) dnl
corenet_send_http_server_packets($1)
corenet_receive_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl
corenet_dontaudit_send_http_server_packets($1)
corenet_dontaudit_receive_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to http_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_server_packets'($*)) dnl
gen_require(`
type http_server_packet_t;
')
allow $1 http_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_server_packets'($*)) dnl
')
#8443 is mod_nss default port
########################################
##
## Send and receive TCP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_cache_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
dontaudit $1 http_cache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
dontaudit $1 http_cache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_cache_port'($*)) dnl
corenet_udp_send_http_cache_port($1)
corenet_udp_receive_http_cache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl
corenet_dontaudit_udp_send_http_cache_port($1)
corenet_dontaudit_udp_receive_http_cache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_cache_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the http_cache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to http_cache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
dontaudit $1 http_cache_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_http_cache_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the http_cache port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
allow $1 http_cache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_cache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to http_cache port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_http_cache_port'($*)) dnl
gen_require(`
type http_cache_port_t;
')
dontaudit $1 http_cache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_http_cache_port'($*)) dnl
')
########################################
##
## Send http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
allow $1 http_cache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_cache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
dontaudit $1 http_cache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl
')
########################################
##
## Receive http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
allow $1 http_cache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
dontaudit $1 http_cache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl
')
########################################
##
## Send and receive http_cache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_client_packets'($*)) dnl
corenet_send_http_cache_client_packets($1)
corenet_receive_http_cache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_cache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl
corenet_dontaudit_send_http_cache_client_packets($1)
corenet_dontaudit_receive_http_cache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to http_cache_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_client_packets'($*)) dnl
gen_require(`
type http_cache_client_packet_t;
')
allow $1 http_cache_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_client_packets'($*)) dnl
')
########################################
##
## Send http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
allow $1 http_cache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send http_cache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
dontaudit $1 http_cache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl
')
########################################
##
## Receive http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
allow $1 http_cache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
dontaudit $1 http_cache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl
')
########################################
##
## Send and receive http_cache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_server_packets'($*)) dnl
corenet_send_http_cache_server_packets($1)
corenet_receive_http_cache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive http_cache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl
corenet_dontaudit_send_http_cache_server_packets($1)
corenet_dontaudit_receive_http_cache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to http_cache_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_server_packets'($*)) dnl
gen_require(`
type http_cache_server_packet_t;
')
allow $1 http_cache_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_server_packets'($*)) dnl
')
# 8118 is for privoxy
########################################
##
## Send and receive TCP traffic on the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
allow $1 ibm_dt_2_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
allow $1 ibm_dt_2_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ibm_dt_2 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
dontaudit $1 ibm_dt_2_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
allow $1 ibm_dt_2_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ibm_dt_2 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
dontaudit $1 ibm_dt_2_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ibm_dt_2_port'($*)) dnl
corenet_udp_send_ibm_dt_2_port($1)
corenet_udp_receive_ibm_dt_2_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ibm_dt_2 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ibm_dt_2_port'($*)) dnl
corenet_dontaudit_udp_send_ibm_dt_2_port($1)
corenet_dontaudit_udp_receive_ibm_dt_2_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
allow $1 ibm_dt_2_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
allow $1 ibm_dt_2_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ibm_dt_2 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
dontaudit $1 ibm_dt_2_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
allow $1 ibm_dt_2_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ibm_dt_2 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ibm_dt_2_port'($*)) dnl
gen_require(`
type ibm_dt_2_port_t;
')
dontaudit $1 ibm_dt_2_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ibm_dt_2_port'($*)) dnl
')
########################################
##
## Send ibm_dt_2_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ibm_dt_2_client_packets'($*)) dnl
gen_require(`
type ibm_dt_2_client_packet_t;
')
allow $1 ibm_dt_2_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ibm_dt_2_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ibm_dt_2_client_packets'($*)) dnl
gen_require(`
type ibm_dt_2_client_packet_t;
')
dontaudit $1 ibm_dt_2_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Receive ibm_dt_2_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ibm_dt_2_client_packets'($*)) dnl
gen_require(`
type ibm_dt_2_client_packet_t;
')
allow $1 ibm_dt_2_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ibm_dt_2_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ibm_dt_2_client_packets'($*)) dnl
gen_require(`
type ibm_dt_2_client_packet_t;
')
dontaudit $1 ibm_dt_2_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Send and receive ibm_dt_2_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ibm_dt_2_client_packets'($*)) dnl
corenet_send_ibm_dt_2_client_packets($1)
corenet_receive_ibm_dt_2_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ibm_dt_2_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ibm_dt_2_client_packets'($*)) dnl
corenet_dontaudit_send_ibm_dt_2_client_packets($1)
corenet_dontaudit_receive_ibm_dt_2_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ibm_dt_2_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ibm_dt_2_client_packets'($*)) dnl
gen_require(`
type ibm_dt_2_client_packet_t;
')
allow $1 ibm_dt_2_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ibm_dt_2_client_packets'($*)) dnl
')
########################################
##
## Send ibm_dt_2_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ibm_dt_2_server_packets'($*)) dnl
gen_require(`
type ibm_dt_2_server_packet_t;
')
allow $1 ibm_dt_2_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ibm_dt_2_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ibm_dt_2_server_packets'($*)) dnl
gen_require(`
type ibm_dt_2_server_packet_t;
')
dontaudit $1 ibm_dt_2_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Receive ibm_dt_2_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ibm_dt_2_server_packets'($*)) dnl
gen_require(`
type ibm_dt_2_server_packet_t;
')
allow $1 ibm_dt_2_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ibm_dt_2_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ibm_dt_2_server_packets'($*)) dnl
gen_require(`
type ibm_dt_2_server_packet_t;
')
dontaudit $1 ibm_dt_2_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Send and receive ibm_dt_2_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ibm_dt_2_server_packets'($*)) dnl
corenet_send_ibm_dt_2_server_packets($1)
corenet_receive_ibm_dt_2_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ibm_dt_2_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ibm_dt_2_server_packets'($*)) dnl
corenet_dontaudit_send_ibm_dt_2_server_packets($1)
corenet_dontaudit_receive_ibm_dt_2_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ibm_dt_2_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ibm_dt_2_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ibm_dt_2_server_packets'($*)) dnl
gen_require(`
type ibm_dt_2_server_packet_t;
')
allow $1 ibm_dt_2_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ibm_dt_2_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the intermapper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
allow $1 intermapper_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_intermapper_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the intermapper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
allow $1 intermapper_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_intermapper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the intermapper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
dontaudit $1 intermapper_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_intermapper_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the intermapper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
allow $1 intermapper_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_intermapper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the intermapper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
dontaudit $1 intermapper_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_intermapper_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the intermapper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_intermapper_port'($*)) dnl
corenet_udp_send_intermapper_port($1)
corenet_udp_receive_intermapper_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_intermapper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the intermapper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_intermapper_port'($*)) dnl
corenet_dontaudit_udp_send_intermapper_port($1)
corenet_dontaudit_udp_receive_intermapper_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_intermapper_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the intermapper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
allow $1 intermapper_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_intermapper_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the intermapper port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
allow $1 intermapper_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_intermapper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to intermapper port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
dontaudit $1 intermapper_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_intermapper_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the intermapper port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
allow $1 intermapper_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_intermapper_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to intermapper port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_intermapper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_intermapper_port'($*)) dnl
gen_require(`
type intermapper_port_t;
')
dontaudit $1 intermapper_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_intermapper_port'($*)) dnl
')
########################################
##
## Send intermapper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_intermapper_client_packets'($*)) dnl
gen_require(`
type intermapper_client_packet_t;
')
allow $1 intermapper_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_intermapper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send intermapper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_intermapper_client_packets'($*)) dnl
gen_require(`
type intermapper_client_packet_t;
')
dontaudit $1 intermapper_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_intermapper_client_packets'($*)) dnl
')
########################################
##
## Receive intermapper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_intermapper_client_packets'($*)) dnl
gen_require(`
type intermapper_client_packet_t;
')
allow $1 intermapper_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_intermapper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive intermapper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_intermapper_client_packets'($*)) dnl
gen_require(`
type intermapper_client_packet_t;
')
dontaudit $1 intermapper_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_intermapper_client_packets'($*)) dnl
')
########################################
##
## Send and receive intermapper_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_intermapper_client_packets'($*)) dnl
corenet_send_intermapper_client_packets($1)
corenet_receive_intermapper_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_intermapper_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive intermapper_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_intermapper_client_packets'($*)) dnl
corenet_dontaudit_send_intermapper_client_packets($1)
corenet_dontaudit_receive_intermapper_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_intermapper_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to intermapper_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_intermapper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_intermapper_client_packets'($*)) dnl
gen_require(`
type intermapper_client_packet_t;
')
allow $1 intermapper_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_intermapper_client_packets'($*)) dnl
')
########################################
##
## Send intermapper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_intermapper_server_packets'($*)) dnl
gen_require(`
type intermapper_server_packet_t;
')
allow $1 intermapper_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_intermapper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send intermapper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_intermapper_server_packets'($*)) dnl
gen_require(`
type intermapper_server_packet_t;
')
dontaudit $1 intermapper_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_intermapper_server_packets'($*)) dnl
')
########################################
##
## Receive intermapper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_intermapper_server_packets'($*)) dnl
gen_require(`
type intermapper_server_packet_t;
')
allow $1 intermapper_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_intermapper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive intermapper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_intermapper_server_packets'($*)) dnl
gen_require(`
type intermapper_server_packet_t;
')
dontaudit $1 intermapper_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_intermapper_server_packets'($*)) dnl
')
########################################
##
## Send and receive intermapper_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_intermapper_server_packets'($*)) dnl
corenet_send_intermapper_server_packets($1)
corenet_receive_intermapper_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_intermapper_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive intermapper_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_intermapper_server_packets'($*)) dnl
corenet_dontaudit_send_intermapper_server_packets($1)
corenet_dontaudit_receive_intermapper_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_intermapper_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to intermapper_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_intermapper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_intermapper_server_packets'($*)) dnl
gen_require(`
type intermapper_server_packet_t;
')
allow $1 intermapper_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_intermapper_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
allow $1 i18n_input_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
allow $1 i18n_input_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
dontaudit $1 i18n_input_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
allow $1 i18n_input_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
dontaudit $1 i18n_input_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_i18n_input_port'($*)) dnl
corenet_udp_send_i18n_input_port($1)
corenet_udp_receive_i18n_input_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl
corenet_dontaudit_udp_send_i18n_input_port($1)
corenet_dontaudit_udp_receive_i18n_input_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
allow $1 i18n_input_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_i18n_input_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the i18n_input port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
allow $1 i18n_input_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to i18n_input port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
dontaudit $1 i18n_input_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_i18n_input_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the i18n_input port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
allow $1 i18n_input_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_i18n_input_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to i18n_input port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_i18n_input_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_i18n_input_port'($*)) dnl
gen_require(`
type i18n_input_port_t;
')
dontaudit $1 i18n_input_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_i18n_input_port'($*)) dnl
')
########################################
##
## Send i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
allow $1 i18n_input_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send i18n_input_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dontaudit $1 i18n_input_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Receive i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
allow $1 i18n_input_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
dontaudit $1 i18n_input_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Send and receive i18n_input_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_client_packets'($*)) dnl
corenet_send_i18n_input_client_packets($1)
corenet_receive_i18n_input_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive i18n_input_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl
corenet_dontaudit_send_i18n_input_client_packets($1)
corenet_dontaudit_receive_i18n_input_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to i18n_input_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_i18n_input_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_client_packets'($*)) dnl
gen_require(`
type i18n_input_client_packet_t;
')
allow $1 i18n_input_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_client_packets'($*)) dnl
')
########################################
##
## Send i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
allow $1 i18n_input_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send i18n_input_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dontaudit $1 i18n_input_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Receive i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
allow $1 i18n_input_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
dontaudit $1 i18n_input_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Send and receive i18n_input_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_server_packets'($*)) dnl
corenet_send_i18n_input_server_packets($1)
corenet_receive_i18n_input_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive i18n_input_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl
corenet_dontaudit_send_i18n_input_server_packets($1)
corenet_dontaudit_receive_i18n_input_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to i18n_input_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_server_packets'($*)) dnl
gen_require(`
type i18n_input_server_packet_t;
')
allow $1 i18n_input_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_imaze_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the imaze port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dontaudit $1 imaze_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_imaze_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the imaze port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dontaudit $1 imaze_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_imaze_port'($*)) dnl
corenet_udp_send_imaze_port($1)
corenet_udp_receive_imaze_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the imaze port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl
corenet_dontaudit_udp_send_imaze_port($1)
corenet_dontaudit_udp_receive_imaze_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_imaze_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the imaze port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to imaze port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dontaudit $1 imaze_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_imaze_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the imaze port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
allow $1 imaze_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_imaze_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to imaze port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_imaze_port'($*)) dnl
gen_require(`
type imaze_port_t;
')
dontaudit $1 imaze_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_imaze_port'($*)) dnl
')
########################################
##
## Send imaze_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
allow $1 imaze_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_imaze_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send imaze_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
dontaudit $1 imaze_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_client_packets'($*)) dnl
')
########################################
##
## Receive imaze_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
allow $1 imaze_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive imaze_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
dontaudit $1 imaze_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl
')
########################################
##
## Send and receive imaze_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_client_packets'($*)) dnl
corenet_send_imaze_client_packets($1)
corenet_receive_imaze_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive imaze_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl
corenet_dontaudit_send_imaze_client_packets($1)
corenet_dontaudit_receive_imaze_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to imaze_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_client_packets'($*)) dnl
gen_require(`
type imaze_client_packet_t;
')
allow $1 imaze_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_client_packets'($*)) dnl
')
########################################
##
## Send imaze_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
allow $1 imaze_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_imaze_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send imaze_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
dontaudit $1 imaze_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_server_packets'($*)) dnl
')
########################################
##
## Receive imaze_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
allow $1 imaze_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive imaze_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
dontaudit $1 imaze_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl
')
########################################
##
## Send and receive imaze_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_server_packets'($*)) dnl
corenet_send_imaze_server_packets($1)
corenet_receive_imaze_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive imaze_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl
corenet_dontaudit_send_imaze_server_packets($1)
corenet_dontaudit_receive_imaze_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to imaze_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_server_packets'($*)) dnl
gen_require(`
type imaze_server_packet_t;
')
allow $1 imaze_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the inetd_child port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the inetd_child port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the inetd_child port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
dontaudit $1 inetd_child_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the inetd_child port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the inetd_child port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
dontaudit $1 inetd_child_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the inetd_child port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_inetd_child_port'($*)) dnl
corenet_udp_send_inetd_child_port($1)
corenet_udp_receive_inetd_child_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the inetd_child port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl
corenet_dontaudit_udp_send_inetd_child_port($1)
corenet_dontaudit_udp_receive_inetd_child_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the inetd_child port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_inetd_child_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the inetd_child port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to inetd_child port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
dontaudit $1 inetd_child_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_inetd_child_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the inetd_child port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
allow $1 inetd_child_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_inetd_child_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to inetd_child port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_inetd_child_port'($*)) dnl
gen_require(`
type inetd_child_port_t;
')
dontaudit $1 inetd_child_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_inetd_child_port'($*)) dnl
')
########################################
##
## Send inetd_child_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
allow $1 inetd_child_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send inetd_child_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
dontaudit $1 inetd_child_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Receive inetd_child_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
allow $1 inetd_child_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive inetd_child_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
dontaudit $1 inetd_child_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Send and receive inetd_child_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_client_packets'($*)) dnl
corenet_send_inetd_child_client_packets($1)
corenet_receive_inetd_child_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive inetd_child_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl
corenet_dontaudit_send_inetd_child_client_packets($1)
corenet_dontaudit_receive_inetd_child_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to inetd_child_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_client_packets'($*)) dnl
gen_require(`
type inetd_child_client_packet_t;
')
allow $1 inetd_child_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_client_packets'($*)) dnl
')
########################################
##
## Send inetd_child_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
allow $1 inetd_child_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send inetd_child_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
dontaudit $1 inetd_child_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Receive inetd_child_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
allow $1 inetd_child_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive inetd_child_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
dontaudit $1 inetd_child_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Send and receive inetd_child_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_server_packets'($*)) dnl
corenet_send_inetd_child_server_packets($1)
corenet_receive_inetd_child_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive inetd_child_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl
corenet_dontaudit_send_inetd_child_server_packets($1)
corenet_dontaudit_receive_inetd_child_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to inetd_child_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_server_packets'($*)) dnl
gen_require(`
type inetd_child_server_packet_t;
')
allow $1 inetd_child_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the innd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
allow $1 innd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_innd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the innd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
allow $1 innd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the innd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
dontaudit $1 innd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_innd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the innd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
allow $1 innd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the innd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
dontaudit $1 innd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_innd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the innd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_innd_port'($*)) dnl
corenet_udp_send_innd_port($1)
corenet_udp_receive_innd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the innd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl
corenet_dontaudit_udp_send_innd_port($1)
corenet_dontaudit_udp_receive_innd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the innd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
allow $1 innd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_innd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the innd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
allow $1 innd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to innd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
dontaudit $1 innd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_innd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the innd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
allow $1 innd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_innd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to innd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_innd_port'($*)) dnl
gen_require(`
type innd_port_t;
')
dontaudit $1 innd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_innd_port'($*)) dnl
')
########################################
##
## Send innd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
allow $1 innd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_innd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send innd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
dontaudit $1 innd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_client_packets'($*)) dnl
')
########################################
##
## Receive innd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
allow $1 innd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_innd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive innd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
dontaudit $1 innd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_client_packets'($*)) dnl
')
########################################
##
## Send and receive innd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_client_packets'($*)) dnl
corenet_send_innd_client_packets($1)
corenet_receive_innd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive innd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl
corenet_dontaudit_send_innd_client_packets($1)
corenet_dontaudit_receive_innd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to innd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_client_packets'($*)) dnl
gen_require(`
type innd_client_packet_t;
')
allow $1 innd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_client_packets'($*)) dnl
')
########################################
##
## Send innd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
allow $1 innd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_innd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send innd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
dontaudit $1 innd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_server_packets'($*)) dnl
')
########################################
##
## Receive innd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
allow $1 innd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_innd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive innd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
dontaudit $1 innd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_server_packets'($*)) dnl
')
########################################
##
## Send and receive innd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_server_packets'($*)) dnl
corenet_send_innd_server_packets($1)
corenet_receive_innd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive innd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl
corenet_dontaudit_send_innd_server_packets($1)
corenet_dontaudit_receive_innd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to innd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_server_packets'($*)) dnl
gen_require(`
type innd_server_packet_t;
')
allow $1 innd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the interwise port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
allow $1 interwise_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_interwise_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the interwise port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
allow $1 interwise_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_interwise_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the interwise port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
dontaudit $1 interwise_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_interwise_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the interwise port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
allow $1 interwise_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_interwise_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the interwise port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
dontaudit $1 interwise_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_interwise_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the interwise port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_interwise_port'($*)) dnl
corenet_udp_send_interwise_port($1)
corenet_udp_receive_interwise_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_interwise_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the interwise port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_interwise_port'($*)) dnl
corenet_dontaudit_udp_send_interwise_port($1)
corenet_dontaudit_udp_receive_interwise_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_interwise_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the interwise port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
allow $1 interwise_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_interwise_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the interwise port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
allow $1 interwise_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_interwise_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to interwise port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
dontaudit $1 interwise_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_interwise_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the interwise port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
allow $1 interwise_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_interwise_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to interwise port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_interwise_port'($*)) dnl
gen_require(`
type interwise_port_t;
')
dontaudit $1 interwise_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_interwise_port'($*)) dnl
')
########################################
##
## Send interwise_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_interwise_client_packets'($*)) dnl
gen_require(`
type interwise_client_packet_t;
')
allow $1 interwise_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_interwise_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send interwise_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_interwise_client_packets'($*)) dnl
gen_require(`
type interwise_client_packet_t;
')
dontaudit $1 interwise_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_interwise_client_packets'($*)) dnl
')
########################################
##
## Receive interwise_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_interwise_client_packets'($*)) dnl
gen_require(`
type interwise_client_packet_t;
')
allow $1 interwise_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_interwise_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive interwise_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_interwise_client_packets'($*)) dnl
gen_require(`
type interwise_client_packet_t;
')
dontaudit $1 interwise_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_interwise_client_packets'($*)) dnl
')
########################################
##
## Send and receive interwise_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_interwise_client_packets'($*)) dnl
corenet_send_interwise_client_packets($1)
corenet_receive_interwise_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_interwise_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive interwise_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_interwise_client_packets'($*)) dnl
corenet_dontaudit_send_interwise_client_packets($1)
corenet_dontaudit_receive_interwise_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_interwise_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to interwise_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_interwise_client_packets'($*)) dnl
gen_require(`
type interwise_client_packet_t;
')
allow $1 interwise_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_interwise_client_packets'($*)) dnl
')
########################################
##
## Send interwise_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_interwise_server_packets'($*)) dnl
gen_require(`
type interwise_server_packet_t;
')
allow $1 interwise_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_interwise_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send interwise_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_interwise_server_packets'($*)) dnl
gen_require(`
type interwise_server_packet_t;
')
dontaudit $1 interwise_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_interwise_server_packets'($*)) dnl
')
########################################
##
## Receive interwise_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_interwise_server_packets'($*)) dnl
gen_require(`
type interwise_server_packet_t;
')
allow $1 interwise_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_interwise_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive interwise_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_interwise_server_packets'($*)) dnl
gen_require(`
type interwise_server_packet_t;
')
dontaudit $1 interwise_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_interwise_server_packets'($*)) dnl
')
########################################
##
## Send and receive interwise_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_interwise_server_packets'($*)) dnl
corenet_send_interwise_server_packets($1)
corenet_receive_interwise_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_interwise_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive interwise_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_interwise_server_packets'($*)) dnl
corenet_dontaudit_send_interwise_server_packets($1)
corenet_dontaudit_receive_interwise_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_interwise_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to interwise_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_interwise_server_packets'($*)) dnl
gen_require(`
type interwise_server_packet_t;
')
allow $1 interwise_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_interwise_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
allow $1 ionixnetmon_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ionixnetmon_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
allow $1 ionixnetmon_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ionixnetmon_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ionixnetmon port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
dontaudit $1 ionixnetmon_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ionixnetmon_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
allow $1 ionixnetmon_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ionixnetmon_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ionixnetmon port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
dontaudit $1 ionixnetmon_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ionixnetmon_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ionixnetmon_port'($*)) dnl
corenet_udp_send_ionixnetmon_port($1)
corenet_udp_receive_ionixnetmon_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ionixnetmon_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ionixnetmon port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ionixnetmon_port'($*)) dnl
corenet_dontaudit_udp_send_ionixnetmon_port($1)
corenet_dontaudit_udp_receive_ionixnetmon_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ionixnetmon_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
allow $1 ionixnetmon_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ionixnetmon_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
allow $1 ionixnetmon_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ionixnetmon_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ionixnetmon port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
dontaudit $1 ionixnetmon_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ionixnetmon_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
allow $1 ionixnetmon_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ionixnetmon_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ionixnetmon port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ionixnetmon_port'($*)) dnl
gen_require(`
type ionixnetmon_port_t;
')
dontaudit $1 ionixnetmon_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ionixnetmon_port'($*)) dnl
')
########################################
##
## Send ionixnetmon_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ionixnetmon_client_packets'($*)) dnl
gen_require(`
type ionixnetmon_client_packet_t;
')
allow $1 ionixnetmon_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ionixnetmon_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ionixnetmon_client_packets'($*)) dnl
gen_require(`
type ionixnetmon_client_packet_t;
')
dontaudit $1 ionixnetmon_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Receive ionixnetmon_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ionixnetmon_client_packets'($*)) dnl
gen_require(`
type ionixnetmon_client_packet_t;
')
allow $1 ionixnetmon_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ionixnetmon_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ionixnetmon_client_packets'($*)) dnl
gen_require(`
type ionixnetmon_client_packet_t;
')
dontaudit $1 ionixnetmon_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Send and receive ionixnetmon_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ionixnetmon_client_packets'($*)) dnl
corenet_send_ionixnetmon_client_packets($1)
corenet_receive_ionixnetmon_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ionixnetmon_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ionixnetmon_client_packets'($*)) dnl
corenet_dontaudit_send_ionixnetmon_client_packets($1)
corenet_dontaudit_receive_ionixnetmon_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ionixnetmon_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ionixnetmon_client_packets'($*)) dnl
gen_require(`
type ionixnetmon_client_packet_t;
')
allow $1 ionixnetmon_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ionixnetmon_client_packets'($*)) dnl
')
########################################
##
## Send ionixnetmon_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ionixnetmon_server_packets'($*)) dnl
gen_require(`
type ionixnetmon_server_packet_t;
')
allow $1 ionixnetmon_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ionixnetmon_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ionixnetmon_server_packets'($*)) dnl
gen_require(`
type ionixnetmon_server_packet_t;
')
dontaudit $1 ionixnetmon_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Receive ionixnetmon_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ionixnetmon_server_packets'($*)) dnl
gen_require(`
type ionixnetmon_server_packet_t;
')
allow $1 ionixnetmon_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ionixnetmon_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ionixnetmon_server_packets'($*)) dnl
gen_require(`
type ionixnetmon_server_packet_t;
')
dontaudit $1 ionixnetmon_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Send and receive ionixnetmon_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ionixnetmon_server_packets'($*)) dnl
corenet_send_ionixnetmon_server_packets($1)
corenet_receive_ionixnetmon_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ionixnetmon_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ionixnetmon_server_packets'($*)) dnl
corenet_dontaudit_send_ionixnetmon_server_packets($1)
corenet_dontaudit_receive_ionixnetmon_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ionixnetmon_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ionixnetmon_server_packets'($*)) dnl
gen_require(`
type ionixnetmon_server_packet_t;
')
allow $1 ionixnetmon_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ionixnetmon_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
allow $1 ipmi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipmi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
allow $1 ipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
dontaudit $1 ipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipmi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
allow $1 ipmi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
dontaudit $1 ipmi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipmi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipmi_port'($*)) dnl
corenet_udp_send_ipmi_port($1)
corenet_udp_receive_ipmi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipmi_port'($*)) dnl
corenet_dontaudit_udp_send_ipmi_port($1)
corenet_dontaudit_udp_receive_ipmi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipmi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
allow $1 ipmi_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipmi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ipmi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
allow $1 ipmi_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ipmi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
dontaudit $1 ipmi_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ipmi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ipmi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
allow $1 ipmi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipmi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ipmi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ipmi_port'($*)) dnl
gen_require(`
type ipmi_port_t;
')
dontaudit $1 ipmi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ipmi_port'($*)) dnl
')
########################################
##
## Send ipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipmi_client_packets'($*)) dnl
gen_require(`
type ipmi_client_packet_t;
')
allow $1 ipmi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipmi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipmi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipmi_client_packets'($*)) dnl
gen_require(`
type ipmi_client_packet_t;
')
dontaudit $1 ipmi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipmi_client_packets'($*)) dnl
')
########################################
##
## Receive ipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipmi_client_packets'($*)) dnl
gen_require(`
type ipmi_client_packet_t;
')
allow $1 ipmi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipmi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipmi_client_packets'($*)) dnl
gen_require(`
type ipmi_client_packet_t;
')
dontaudit $1 ipmi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipmi_client_packets'($*)) dnl
')
########################################
##
## Send and receive ipmi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipmi_client_packets'($*)) dnl
corenet_send_ipmi_client_packets($1)
corenet_receive_ipmi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipmi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipmi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipmi_client_packets'($*)) dnl
corenet_dontaudit_send_ipmi_client_packets($1)
corenet_dontaudit_receive_ipmi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipmi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ipmi_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipmi_client_packets'($*)) dnl
gen_require(`
type ipmi_client_packet_t;
')
allow $1 ipmi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipmi_client_packets'($*)) dnl
')
########################################
##
## Send ipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipmi_server_packets'($*)) dnl
gen_require(`
type ipmi_server_packet_t;
')
allow $1 ipmi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipmi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipmi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipmi_server_packets'($*)) dnl
gen_require(`
type ipmi_server_packet_t;
')
dontaudit $1 ipmi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipmi_server_packets'($*)) dnl
')
########################################
##
## Receive ipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipmi_server_packets'($*)) dnl
gen_require(`
type ipmi_server_packet_t;
')
allow $1 ipmi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipmi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipmi_server_packets'($*)) dnl
gen_require(`
type ipmi_server_packet_t;
')
dontaudit $1 ipmi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipmi_server_packets'($*)) dnl
')
########################################
##
## Send and receive ipmi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipmi_server_packets'($*)) dnl
corenet_send_ipmi_server_packets($1)
corenet_receive_ipmi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipmi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipmi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipmi_server_packets'($*)) dnl
corenet_dontaudit_send_ipmi_server_packets($1)
corenet_dontaudit_receive_ipmi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipmi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ipmi_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipmi_server_packets'($*)) dnl
gen_require(`
type ipmi_server_packet_t;
')
allow $1 ipmi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipmi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ipp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
allow $1 ipp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ipp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
allow $1 ipp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ipp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
dontaudit $1 ipp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ipp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
allow $1 ipp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ipp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
dontaudit $1 ipp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ipp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipp_port'($*)) dnl
corenet_udp_send_ipp_port($1)
corenet_udp_receive_ipp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ipp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl
corenet_dontaudit_udp_send_ipp_port($1)
corenet_dontaudit_udp_receive_ipp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ipp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
allow $1 ipp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ipp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
allow $1 ipp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ipp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
dontaudit $1 ipp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ipp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ipp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
allow $1 ipp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ipp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ipp_port'($*)) dnl
gen_require(`
type ipp_port_t;
')
dontaudit $1 ipp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ipp_port'($*)) dnl
')
########################################
##
## Send ipp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
allow $1 ipp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
dontaudit $1 ipp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_client_packets'($*)) dnl
')
########################################
##
## Receive ipp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
allow $1 ipp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
dontaudit $1 ipp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ipp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_client_packets'($*)) dnl
corenet_send_ipp_client_packets($1)
corenet_receive_ipp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl
corenet_dontaudit_send_ipp_client_packets($1)
corenet_dontaudit_receive_ipp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ipp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_client_packets'($*)) dnl
gen_require(`
type ipp_client_packet_t;
')
allow $1 ipp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_client_packets'($*)) dnl
')
########################################
##
## Send ipp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
allow $1 ipp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
dontaudit $1 ipp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_server_packets'($*)) dnl
')
########################################
##
## Receive ipp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
allow $1 ipp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
dontaudit $1 ipp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ipp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_server_packets'($*)) dnl
corenet_send_ipp_server_packets($1)
corenet_receive_ipp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl
corenet_dontaudit_send_ipp_server_packets($1)
corenet_dontaudit_receive_ipp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ipp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_server_packets'($*)) dnl
gen_require(`
type ipp_server_packet_t;
')
allow $1 ipp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
allow $1 ipsecnat_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
allow $1 ipsecnat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dontaudit $1 ipsecnat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
allow $1 ipsecnat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dontaudit $1 ipsecnat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl
corenet_udp_send_ipsecnat_port($1)
corenet_udp_receive_ipsecnat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl
corenet_dontaudit_udp_send_ipsecnat_port($1)
corenet_dontaudit_udp_receive_ipsecnat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
allow $1 ipsecnat_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipsecnat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
allow $1 ipsecnat_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ipsecnat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dontaudit $1 ipsecnat_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ipsecnat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ipsecnat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
allow $1 ipsecnat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipsecnat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ipsecnat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ipsecnat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ipsecnat_port'($*)) dnl
gen_require(`
type ipsecnat_port_t;
')
dontaudit $1 ipsecnat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ipsecnat_port'($*)) dnl
')
########################################
##
## Send ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
allow $1 ipsecnat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipsecnat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dontaudit $1 ipsecnat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Receive ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
allow $1 ipsecnat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
dontaudit $1 ipsecnat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Send and receive ipsecnat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl
corenet_send_ipsecnat_client_packets($1)
corenet_receive_ipsecnat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipsecnat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl
corenet_dontaudit_send_ipsecnat_client_packets($1)
corenet_dontaudit_receive_ipsecnat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ipsecnat_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipsecnat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_client_packets'($*)) dnl
gen_require(`
type ipsecnat_client_packet_t;
')
allow $1 ipsecnat_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_client_packets'($*)) dnl
')
########################################
##
## Send ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
allow $1 ipsecnat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ipsecnat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dontaudit $1 ipsecnat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Receive ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
allow $1 ipsecnat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
dontaudit $1 ipsecnat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Send and receive ipsecnat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl
corenet_send_ipsecnat_server_packets($1)
corenet_receive_ipsecnat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ipsecnat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl
corenet_dontaudit_send_ipsecnat_server_packets($1)
corenet_dontaudit_receive_ipsecnat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ipsecnat_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ipsecnat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_server_packets'($*)) dnl
gen_require(`
type ipsecnat_server_packet_t;
')
allow $1 ipsecnat_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ircd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
dontaudit $1 ircd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ircd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
dontaudit $1 ircd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ircd_port'($*)) dnl
corenet_udp_send_ircd_port($1)
corenet_udp_receive_ircd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl
corenet_dontaudit_udp_send_ircd_port($1)
corenet_dontaudit_udp_receive_ircd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ircd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ircd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ircd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
dontaudit $1 ircd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ircd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ircd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
allow $1 ircd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ircd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ircd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ircd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ircd_port'($*)) dnl
gen_require(`
type ircd_port_t;
')
dontaudit $1 ircd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ircd_port'($*)) dnl
')
########################################
##
## Send ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
allow $1 ircd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ircd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ircd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
dontaudit $1 ircd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_client_packets'($*)) dnl
')
########################################
##
## Receive ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
allow $1 ircd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
dontaudit $1 ircd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl
')
########################################
##
## Send and receive ircd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_client_packets'($*)) dnl
corenet_send_ircd_client_packets($1)
corenet_receive_ircd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ircd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl
corenet_dontaudit_send_ircd_client_packets($1)
corenet_dontaudit_receive_ircd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ircd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_client_packets'($*)) dnl
gen_require(`
type ircd_client_packet_t;
')
allow $1 ircd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_client_packets'($*)) dnl
')
########################################
##
## Send ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
allow $1 ircd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ircd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ircd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
dontaudit $1 ircd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_server_packets'($*)) dnl
')
########################################
##
## Receive ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
allow $1 ircd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
dontaudit $1 ircd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl
')
########################################
##
## Send and receive ircd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_server_packets'($*)) dnl
corenet_send_ircd_server_packets($1)
corenet_receive_ircd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ircd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl
corenet_dontaudit_send_ircd_server_packets($1)
corenet_dontaudit_receive_ircd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ircd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_server_packets'($*)) dnl
gen_require(`
type ircd_server_packet_t;
')
allow $1 ircd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isakmp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
dontaudit $1 isakmp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
dontaudit $1 isakmp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isakmp_port'($*)) dnl
corenet_udp_send_isakmp_port($1)
corenet_udp_receive_isakmp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl
corenet_dontaudit_udp_send_isakmp_port($1)
corenet_dontaudit_udp_receive_isakmp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isakmp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the isakmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to isakmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
dontaudit $1 isakmp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_isakmp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the isakmp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
allow $1 isakmp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isakmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to isakmp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_isakmp_port'($*)) dnl
gen_require(`
type isakmp_port_t;
')
dontaudit $1 isakmp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_isakmp_port'($*)) dnl
')
########################################
##
## Send isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
allow $1 isakmp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isakmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
dontaudit $1 isakmp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl
')
########################################
##
## Receive isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
allow $1 isakmp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
dontaudit $1 isakmp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl
')
########################################
##
## Send and receive isakmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_client_packets'($*)) dnl
corenet_send_isakmp_client_packets($1)
corenet_receive_isakmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isakmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl
corenet_dontaudit_send_isakmp_client_packets($1)
corenet_dontaudit_receive_isakmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to isakmp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_client_packets'($*)) dnl
gen_require(`
type isakmp_client_packet_t;
')
allow $1 isakmp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_client_packets'($*)) dnl
')
########################################
##
## Send isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
allow $1 isakmp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isakmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
dontaudit $1 isakmp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl
')
########################################
##
## Receive isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
allow $1 isakmp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
dontaudit $1 isakmp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive isakmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_server_packets'($*)) dnl
corenet_send_isakmp_server_packets($1)
corenet_receive_isakmp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isakmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl
corenet_dontaudit_send_isakmp_server_packets($1)
corenet_dontaudit_receive_isakmp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to isakmp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_server_packets'($*)) dnl
gen_require(`
type isakmp_server_packet_t;
')
allow $1 isakmp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
allow $1 iscsi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_iscsi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
allow $1 iscsi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dontaudit $1 iscsi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
allow $1 iscsi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dontaudit $1 iscsi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_iscsi_port'($*)) dnl
corenet_udp_send_iscsi_port($1)
corenet_udp_receive_iscsi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl
corenet_dontaudit_udp_send_iscsi_port($1)
corenet_dontaudit_udp_receive_iscsi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
allow $1 iscsi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_iscsi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the iscsi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
allow $1 iscsi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to iscsi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dontaudit $1 iscsi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_iscsi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the iscsi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
allow $1 iscsi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_iscsi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to iscsi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_iscsi_port'($*)) dnl
gen_require(`
type iscsi_port_t;
')
dontaudit $1 iscsi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_iscsi_port'($*)) dnl
')
########################################
##
## Send iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
allow $1 iscsi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send iscsi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dontaudit $1 iscsi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl
')
########################################
##
## Receive iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
allow $1 iscsi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
dontaudit $1 iscsi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl
')
########################################
##
## Send and receive iscsi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_client_packets'($*)) dnl
corenet_send_iscsi_client_packets($1)
corenet_receive_iscsi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive iscsi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl
corenet_dontaudit_send_iscsi_client_packets($1)
corenet_dontaudit_receive_iscsi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to iscsi_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_client_packets'($*)) dnl
gen_require(`
type iscsi_client_packet_t;
')
allow $1 iscsi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_client_packets'($*)) dnl
')
########################################
##
## Send iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
allow $1 iscsi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send iscsi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dontaudit $1 iscsi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl
')
########################################
##
## Receive iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
allow $1 iscsi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
dontaudit $1 iscsi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl
')
########################################
##
## Send and receive iscsi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_server_packets'($*)) dnl
corenet_send_iscsi_server_packets($1)
corenet_receive_iscsi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive iscsi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl
corenet_dontaudit_send_iscsi_server_packets($1)
corenet_dontaudit_receive_iscsi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to iscsi_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_server_packets'($*)) dnl
gen_require(`
type iscsi_server_packet_t;
')
allow $1 iscsi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
allow $1 isns_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isns_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
allow $1 isns_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dontaudit $1 isns_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isns_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
allow $1 isns_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dontaudit $1 isns_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isns_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isns_port'($*)) dnl
corenet_udp_send_isns_port($1)
corenet_udp_receive_isns_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl
corenet_dontaudit_udp_send_isns_port($1)
corenet_dontaudit_udp_receive_isns_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
allow $1 isns_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isns_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the isns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
allow $1 isns_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to isns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dontaudit $1 isns_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_isns_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the isns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
allow $1 isns_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isns_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to isns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_isns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_isns_port'($*)) dnl
gen_require(`
type isns_port_t;
')
dontaudit $1 isns_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_isns_port'($*)) dnl
')
########################################
##
## Send isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
allow $1 isns_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
dontaudit $1 isns_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_client_packets'($*)) dnl
')
########################################
##
## Receive isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
allow $1 isns_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
dontaudit $1 isns_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_client_packets'($*)) dnl
')
########################################
##
## Send and receive isns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_client_packets'($*)) dnl
corenet_send_isns_client_packets($1)
corenet_receive_isns_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl
corenet_dontaudit_send_isns_client_packets($1)
corenet_dontaudit_receive_isns_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to isns_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_client_packets'($*)) dnl
gen_require(`
type isns_client_packet_t;
')
allow $1 isns_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_client_packets'($*)) dnl
')
########################################
##
## Send isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isns_server_packets'($*)) dnl
gen_require(`
type isns_server_packet_t;
')
allow $1 isns_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send isns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_server_packets'($*)) dnl
gen_require(`
type isns_server_packet_t;
')
dontaudit $1 isns_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_server_packets'($*)) dnl
')
########################################
##
## Receive isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_server_packets'($*)) dnl
gen_require(`
type isns_server_packet_t;
')
allow $1 isns_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_server_packets'($*)) dnl
gen_require(`
type isns_server_packet_t;
')
dontaudit $1 isns_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_server_packets'($*)) dnl
')
########################################
##
## Send and receive isns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_server_packets'($*)) dnl
corenet_send_isns_server_packets($1)
corenet_receive_isns_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive isns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl
corenet_dontaudit_send_isns_server_packets($1)
corenet_dontaudit_receive_isns_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to isns_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_isns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_server_packets'($*)) dnl
gen_require(`
type isns_server_packet_t;
')
allow $1 isns_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
allow $1 jabber_client_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
allow $1 jabber_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
dontaudit $1 jabber_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
allow $1 jabber_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
dontaudit $1 jabber_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_client_port'($*)) dnl
corenet_udp_send_jabber_client_port($1)
corenet_udp_receive_jabber_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl
corenet_dontaudit_udp_send_jabber_client_port($1)
corenet_dontaudit_udp_receive_jabber_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
allow $1 jabber_client_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_client_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jabber_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
allow $1 jabber_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jabber_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
dontaudit $1 jabber_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jabber_client_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jabber_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
allow $1 jabber_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jabber_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jabber_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jabber_client_port'($*)) dnl
gen_require(`
type jabber_client_port_t;
')
dontaudit $1 jabber_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jabber_client_port'($*)) dnl
')
########################################
##
## Send jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_client_packets'($*)) dnl
gen_require(`
type jabber_client_client_packet_t;
')
allow $1 jabber_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl
gen_require(`
type jabber_client_client_packet_t;
')
dontaudit $1 jabber_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Receive jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_client_packets'($*)) dnl
gen_require(`
type jabber_client_client_packet_t;
')
allow $1 jabber_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl
gen_require(`
type jabber_client_client_packet_t;
')
dontaudit $1 jabber_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_client_packets'($*)) dnl
corenet_send_jabber_client_client_packets($1)
corenet_receive_jabber_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl
corenet_dontaudit_send_jabber_client_client_packets($1)
corenet_dontaudit_receive_jabber_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jabber_client_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_client_packets'($*)) dnl
gen_require(`
type jabber_client_client_packet_t;
')
allow $1 jabber_client_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_client_packets'($*)) dnl
')
########################################
##
## Send jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_server_packets'($*)) dnl
gen_require(`
type jabber_client_server_packet_t;
')
allow $1 jabber_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl
gen_require(`
type jabber_client_server_packet_t;
')
dontaudit $1 jabber_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Receive jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_server_packets'($*)) dnl
gen_require(`
type jabber_client_server_packet_t;
')
allow $1 jabber_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl
gen_require(`
type jabber_client_server_packet_t;
')
dontaudit $1 jabber_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_server_packets'($*)) dnl
corenet_send_jabber_client_server_packets($1)
corenet_receive_jabber_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl
corenet_dontaudit_send_jabber_client_server_packets($1)
corenet_dontaudit_receive_jabber_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jabber_client_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_server_packets'($*)) dnl
gen_require(`
type jabber_client_server_packet_t;
')
allow $1 jabber_client_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
dontaudit $1 jabber_interserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
dontaudit $1 jabber_interserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl
corenet_udp_send_jabber_interserver_port($1)
corenet_udp_receive_jabber_interserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl
corenet_dontaudit_udp_send_jabber_interserver_port($1)
corenet_dontaudit_udp_receive_jabber_interserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_interserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jabber_interserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
dontaudit $1 jabber_interserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jabber_interserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
allow $1 jabber_interserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_interserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jabber_interserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jabber_interserver_port'($*)) dnl
gen_require(`
type jabber_interserver_port_t;
')
dontaudit $1 jabber_interserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jabber_interserver_port'($*)) dnl
')
########################################
##
## Send jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
allow $1 jabber_interserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_interserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
dontaudit $1 jabber_interserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Receive jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
allow $1 jabber_interserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
dontaudit $1 jabber_interserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_interserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl
corenet_send_jabber_interserver_client_packets($1)
corenet_receive_jabber_interserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_interserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl
corenet_dontaudit_send_jabber_interserver_client_packets($1)
corenet_dontaudit_receive_jabber_interserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jabber_interserver_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl
gen_require(`
type jabber_interserver_client_packet_t;
')
allow $1 jabber_interserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl
')
########################################
##
## Send jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
allow $1 jabber_interserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_interserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
dontaudit $1 jabber_interserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Receive jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
allow $1 jabber_interserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
dontaudit $1 jabber_interserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_interserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl
corenet_send_jabber_interserver_server_packets($1)
corenet_receive_jabber_interserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_interserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl
corenet_dontaudit_send_jabber_interserver_server_packets($1)
corenet_dontaudit_receive_jabber_interserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jabber_interserver_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl
gen_require(`
type jabber_interserver_server_packet_t;
')
allow $1 jabber_interserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jabber_router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
allow $1 jabber_router_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_router_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jabber_router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
allow $1 jabber_router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jabber_router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
dontaudit $1 jabber_router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_router_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jabber_router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
allow $1 jabber_router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jabber_router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
dontaudit $1 jabber_router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_router_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jabber_router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_router_port'($*)) dnl
corenet_udp_send_jabber_router_port($1)
corenet_udp_receive_jabber_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jabber_router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_router_port'($*)) dnl
corenet_dontaudit_udp_send_jabber_router_port($1)
corenet_dontaudit_udp_receive_jabber_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_router_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jabber_router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
allow $1 jabber_router_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_router_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jabber_router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
allow $1 jabber_router_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jabber_router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
dontaudit $1 jabber_router_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jabber_router_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jabber_router port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
allow $1 jabber_router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jabber_router port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jabber_router_port'($*)) dnl
gen_require(`
type jabber_router_port_t;
')
dontaudit $1 jabber_router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jabber_router_port'($*)) dnl
')
########################################
##
## Send jabber_router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_router_client_packets'($*)) dnl
gen_require(`
type jabber_router_client_packet_t;
')
allow $1 jabber_router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_router_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_router_client_packets'($*)) dnl
gen_require(`
type jabber_router_client_packet_t;
')
dontaudit $1 jabber_router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Receive jabber_router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_router_client_packets'($*)) dnl
gen_require(`
type jabber_router_client_packet_t;
')
allow $1 jabber_router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_router_client_packets'($*)) dnl
gen_require(`
type jabber_router_client_packet_t;
')
dontaudit $1 jabber_router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_router_client_packets'($*)) dnl
corenet_send_jabber_router_client_packets($1)
corenet_receive_jabber_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_router_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_router_client_packets'($*)) dnl
corenet_dontaudit_send_jabber_router_client_packets($1)
corenet_dontaudit_receive_jabber_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jabber_router_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_router_client_packets'($*)) dnl
gen_require(`
type jabber_router_client_packet_t;
')
allow $1 jabber_router_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_router_client_packets'($*)) dnl
')
########################################
##
## Send jabber_router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_router_server_packets'($*)) dnl
gen_require(`
type jabber_router_server_packet_t;
')
allow $1 jabber_router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jabber_router_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_router_server_packets'($*)) dnl
gen_require(`
type jabber_router_server_packet_t;
')
dontaudit $1 jabber_router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Receive jabber_router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_router_server_packets'($*)) dnl
gen_require(`
type jabber_router_server_packet_t;
')
allow $1 jabber_router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jabber_router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_router_server_packets'($*)) dnl
gen_require(`
type jabber_router_server_packet_t;
')
dontaudit $1 jabber_router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Send and receive jabber_router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_router_server_packets'($*)) dnl
corenet_send_jabber_router_server_packets($1)
corenet_receive_jabber_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jabber_router_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_router_server_packets'($*)) dnl
corenet_dontaudit_send_jabber_router_server_packets($1)
corenet_dontaudit_receive_jabber_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jabber_router_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_router_server_packets'($*)) dnl
gen_require(`
type jabber_router_server_packet_t;
')
allow $1 jabber_router_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_router_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jacorb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
allow $1 jacorb_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jacorb_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jacorb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
allow $1 jacorb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jacorb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jacorb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
dontaudit $1 jacorb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jacorb_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jacorb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
allow $1 jacorb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jacorb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jacorb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
dontaudit $1 jacorb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jacorb_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jacorb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jacorb_port'($*)) dnl
corenet_udp_send_jacorb_port($1)
corenet_udp_receive_jacorb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jacorb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jacorb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jacorb_port'($*)) dnl
corenet_dontaudit_udp_send_jacorb_port($1)
corenet_dontaudit_udp_receive_jacorb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jacorb_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jacorb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
allow $1 jacorb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jacorb_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jacorb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
allow $1 jacorb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jacorb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jacorb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
dontaudit $1 jacorb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jacorb_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jacorb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
allow $1 jacorb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jacorb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jacorb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jacorb_port'($*)) dnl
gen_require(`
type jacorb_port_t;
')
dontaudit $1 jacorb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jacorb_port'($*)) dnl
')
########################################
##
## Send jacorb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jacorb_client_packets'($*)) dnl
gen_require(`
type jacorb_client_packet_t;
')
allow $1 jacorb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jacorb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jacorb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jacorb_client_packets'($*)) dnl
gen_require(`
type jacorb_client_packet_t;
')
dontaudit $1 jacorb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jacorb_client_packets'($*)) dnl
')
########################################
##
## Receive jacorb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jacorb_client_packets'($*)) dnl
gen_require(`
type jacorb_client_packet_t;
')
allow $1 jacorb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jacorb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jacorb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jacorb_client_packets'($*)) dnl
gen_require(`
type jacorb_client_packet_t;
')
dontaudit $1 jacorb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jacorb_client_packets'($*)) dnl
')
########################################
##
## Send and receive jacorb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jacorb_client_packets'($*)) dnl
corenet_send_jacorb_client_packets($1)
corenet_receive_jacorb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jacorb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jacorb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jacorb_client_packets'($*)) dnl
corenet_dontaudit_send_jacorb_client_packets($1)
corenet_dontaudit_receive_jacorb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jacorb_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jacorb_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jacorb_client_packets'($*)) dnl
gen_require(`
type jacorb_client_packet_t;
')
allow $1 jacorb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jacorb_client_packets'($*)) dnl
')
########################################
##
## Send jacorb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jacorb_server_packets'($*)) dnl
gen_require(`
type jacorb_server_packet_t;
')
allow $1 jacorb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jacorb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jacorb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jacorb_server_packets'($*)) dnl
gen_require(`
type jacorb_server_packet_t;
')
dontaudit $1 jacorb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jacorb_server_packets'($*)) dnl
')
########################################
##
## Receive jacorb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jacorb_server_packets'($*)) dnl
gen_require(`
type jacorb_server_packet_t;
')
allow $1 jacorb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jacorb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jacorb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jacorb_server_packets'($*)) dnl
gen_require(`
type jacorb_server_packet_t;
')
dontaudit $1 jacorb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jacorb_server_packets'($*)) dnl
')
########################################
##
## Send and receive jacorb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jacorb_server_packets'($*)) dnl
corenet_send_jacorb_server_packets($1)
corenet_receive_jacorb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jacorb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jacorb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jacorb_server_packets'($*)) dnl
corenet_dontaudit_send_jacorb_server_packets($1)
corenet_dontaudit_receive_jacorb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jacorb_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jacorb_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jacorb_server_packets'($*)) dnl
gen_require(`
type jacorb_server_packet_t;
')
allow $1 jacorb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jacorb_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
allow $1 jboss_debug_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_debug_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
allow $1 jboss_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jboss_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
dontaudit $1 jboss_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_debug_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
allow $1 jboss_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jboss_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
dontaudit $1 jboss_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_debug_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_debug_port'($*)) dnl
corenet_udp_send_jboss_debug_port($1)
corenet_udp_receive_jboss_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jboss_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_debug_port'($*)) dnl
corenet_dontaudit_udp_send_jboss_debug_port($1)
corenet_dontaudit_udp_receive_jboss_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_debug_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
allow $1 jboss_debug_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_debug_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
allow $1 jboss_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jboss_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
dontaudit $1 jboss_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jboss_debug_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jboss_debug port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
allow $1 jboss_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jboss_debug port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jboss_debug_port'($*)) dnl
gen_require(`
type jboss_debug_port_t;
')
dontaudit $1 jboss_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jboss_debug_port'($*)) dnl
')
########################################
##
## Send jboss_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_debug_client_packets'($*)) dnl
gen_require(`
type jboss_debug_client_packet_t;
')
allow $1 jboss_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jboss_debug_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_debug_client_packets'($*)) dnl
gen_require(`
type jboss_debug_client_packet_t;
')
dontaudit $1 jboss_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Receive jboss_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_debug_client_packets'($*)) dnl
gen_require(`
type jboss_debug_client_packet_t;
')
allow $1 jboss_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jboss_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_debug_client_packets'($*)) dnl
gen_require(`
type jboss_debug_client_packet_t;
')
dontaudit $1 jboss_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Send and receive jboss_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_debug_client_packets'($*)) dnl
corenet_send_jboss_debug_client_packets($1)
corenet_receive_jboss_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jboss_debug_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_debug_client_packets'($*)) dnl
corenet_dontaudit_send_jboss_debug_client_packets($1)
corenet_dontaudit_receive_jboss_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jboss_debug_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_debug_client_packets'($*)) dnl
gen_require(`
type jboss_debug_client_packet_t;
')
allow $1 jboss_debug_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_debug_client_packets'($*)) dnl
')
########################################
##
## Send jboss_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_debug_server_packets'($*)) dnl
gen_require(`
type jboss_debug_server_packet_t;
')
allow $1 jboss_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jboss_debug_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_debug_server_packets'($*)) dnl
gen_require(`
type jboss_debug_server_packet_t;
')
dontaudit $1 jboss_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Receive jboss_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_debug_server_packets'($*)) dnl
gen_require(`
type jboss_debug_server_packet_t;
')
allow $1 jboss_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jboss_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_debug_server_packets'($*)) dnl
gen_require(`
type jboss_debug_server_packet_t;
')
dontaudit $1 jboss_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Send and receive jboss_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_debug_server_packets'($*)) dnl
corenet_send_jboss_debug_server_packets($1)
corenet_receive_jboss_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jboss_debug_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_debug_server_packets'($*)) dnl
corenet_dontaudit_send_jboss_debug_server_packets($1)
corenet_dontaudit_receive_jboss_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jboss_debug_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_debug_server_packets'($*)) dnl
gen_require(`
type jboss_debug_server_packet_t;
')
allow $1 jboss_debug_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_debug_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
allow $1 jboss_messaging_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_messaging_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
allow $1 jboss_messaging_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_messaging_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jboss_messaging port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
dontaudit $1 jboss_messaging_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_messaging_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
allow $1 jboss_messaging_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_messaging_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jboss_messaging port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
dontaudit $1 jboss_messaging_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_messaging_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_messaging_port'($*)) dnl
corenet_udp_send_jboss_messaging_port($1)
corenet_udp_receive_jboss_messaging_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_messaging_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jboss_messaging port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_messaging_port'($*)) dnl
corenet_dontaudit_udp_send_jboss_messaging_port($1)
corenet_dontaudit_udp_receive_jboss_messaging_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_messaging_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
allow $1 jboss_messaging_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_messaging_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
allow $1 jboss_messaging_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_messaging_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jboss_messaging port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
dontaudit $1 jboss_messaging_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jboss_messaging_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
allow $1 jboss_messaging_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_messaging_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jboss_messaging port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jboss_messaging_port'($*)) dnl
gen_require(`
type jboss_messaging_port_t;
')
dontaudit $1 jboss_messaging_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jboss_messaging_port'($*)) dnl
')
########################################
##
## Send jboss_messaging_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_messaging_client_packets'($*)) dnl
gen_require(`
type jboss_messaging_client_packet_t;
')
allow $1 jboss_messaging_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jboss_messaging_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_messaging_client_packets'($*)) dnl
gen_require(`
type jboss_messaging_client_packet_t;
')
dontaudit $1 jboss_messaging_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Receive jboss_messaging_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_messaging_client_packets'($*)) dnl
gen_require(`
type jboss_messaging_client_packet_t;
')
allow $1 jboss_messaging_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jboss_messaging_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_messaging_client_packets'($*)) dnl
gen_require(`
type jboss_messaging_client_packet_t;
')
dontaudit $1 jboss_messaging_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Send and receive jboss_messaging_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_messaging_client_packets'($*)) dnl
corenet_send_jboss_messaging_client_packets($1)
corenet_receive_jboss_messaging_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jboss_messaging_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_messaging_client_packets'($*)) dnl
corenet_dontaudit_send_jboss_messaging_client_packets($1)
corenet_dontaudit_receive_jboss_messaging_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jboss_messaging_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jboss_messaging_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_messaging_client_packets'($*)) dnl
gen_require(`
type jboss_messaging_client_packet_t;
')
allow $1 jboss_messaging_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_messaging_client_packets'($*)) dnl
')
########################################
##
## Send jboss_messaging_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_messaging_server_packets'($*)) dnl
gen_require(`
type jboss_messaging_server_packet_t;
')
allow $1 jboss_messaging_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jboss_messaging_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_messaging_server_packets'($*)) dnl
gen_require(`
type jboss_messaging_server_packet_t;
')
dontaudit $1 jboss_messaging_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Receive jboss_messaging_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_messaging_server_packets'($*)) dnl
gen_require(`
type jboss_messaging_server_packet_t;
')
allow $1 jboss_messaging_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jboss_messaging_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_messaging_server_packets'($*)) dnl
gen_require(`
type jboss_messaging_server_packet_t;
')
dontaudit $1 jboss_messaging_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Send and receive jboss_messaging_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_messaging_server_packets'($*)) dnl
corenet_send_jboss_messaging_server_packets($1)
corenet_receive_jboss_messaging_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jboss_messaging_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_messaging_server_packets'($*)) dnl
corenet_dontaudit_send_jboss_messaging_server_packets($1)
corenet_dontaudit_receive_jboss_messaging_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jboss_messaging_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jboss_messaging_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_messaging_server_packets'($*)) dnl
gen_require(`
type jboss_messaging_server_packet_t;
')
allow $1 jboss_messaging_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_messaging_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the jboss_management port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
allow $1 jboss_management_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_management_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the jboss_management port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
allow $1 jboss_management_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_management_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the jboss_management port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
dontaudit $1 jboss_management_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_management_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the jboss_management port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
allow $1 jboss_management_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_management_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the jboss_management port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
dontaudit $1 jboss_management_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_management_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the jboss_management port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_management_port'($*)) dnl
corenet_udp_send_jboss_management_port($1)
corenet_udp_receive_jboss_management_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_management_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the jboss_management port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_management_port'($*)) dnl
corenet_dontaudit_udp_send_jboss_management_port($1)
corenet_dontaudit_udp_receive_jboss_management_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_management_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the jboss_management port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
allow $1 jboss_management_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_management_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the jboss_management port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
allow $1 jboss_management_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_management_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to jboss_management port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
dontaudit $1 jboss_management_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jboss_management_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the jboss_management port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
allow $1 jboss_management_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_management_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to jboss_management port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_jboss_management_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jboss_management_port'($*)) dnl
gen_require(`
type jboss_management_port_t;
')
dontaudit $1 jboss_management_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jboss_management_port'($*)) dnl
')
########################################
##
## Send jboss_management_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_management_client_packets'($*)) dnl
gen_require(`
type jboss_management_client_packet_t;
')
allow $1 jboss_management_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jboss_management_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_management_client_packets'($*)) dnl
gen_require(`
type jboss_management_client_packet_t;
')
dontaudit $1 jboss_management_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Receive jboss_management_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_management_client_packets'($*)) dnl
gen_require(`
type jboss_management_client_packet_t;
')
allow $1 jboss_management_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jboss_management_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_management_client_packets'($*)) dnl
gen_require(`
type jboss_management_client_packet_t;
')
dontaudit $1 jboss_management_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Send and receive jboss_management_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_management_client_packets'($*)) dnl
corenet_send_jboss_management_client_packets($1)
corenet_receive_jboss_management_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jboss_management_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_management_client_packets'($*)) dnl
corenet_dontaudit_send_jboss_management_client_packets($1)
corenet_dontaudit_receive_jboss_management_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to jboss_management_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jboss_management_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_management_client_packets'($*)) dnl
gen_require(`
type jboss_management_client_packet_t;
')
allow $1 jboss_management_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_management_client_packets'($*)) dnl
')
########################################
##
## Send jboss_management_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_management_server_packets'($*)) dnl
gen_require(`
type jboss_management_server_packet_t;
')
allow $1 jboss_management_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send jboss_management_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_management_server_packets'($*)) dnl
gen_require(`
type jboss_management_server_packet_t;
')
dontaudit $1 jboss_management_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Receive jboss_management_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_management_server_packets'($*)) dnl
gen_require(`
type jboss_management_server_packet_t;
')
allow $1 jboss_management_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive jboss_management_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_management_server_packets'($*)) dnl
gen_require(`
type jboss_management_server_packet_t;
')
dontaudit $1 jboss_management_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Send and receive jboss_management_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_management_server_packets'($*)) dnl
corenet_send_jboss_management_server_packets($1)
corenet_receive_jboss_management_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive jboss_management_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_management_server_packets'($*)) dnl
corenet_dontaudit_send_jboss_management_server_packets($1)
corenet_dontaudit_receive_jboss_management_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to jboss_management_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_jboss_management_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_management_server_packets'($*)) dnl
gen_require(`
type jboss_management_server_packet_t;
')
allow $1 jboss_management_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_management_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the journal_remote port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
allow $1 journal_remote_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_journal_remote_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the journal_remote port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
allow $1 journal_remote_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_journal_remote_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the journal_remote port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
dontaudit $1 journal_remote_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_journal_remote_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the journal_remote port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
allow $1 journal_remote_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_journal_remote_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the journal_remote port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
dontaudit $1 journal_remote_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_journal_remote_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the journal_remote port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_journal_remote_port'($*)) dnl
corenet_udp_send_journal_remote_port($1)
corenet_udp_receive_journal_remote_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_journal_remote_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the journal_remote port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_journal_remote_port'($*)) dnl
corenet_dontaudit_udp_send_journal_remote_port($1)
corenet_dontaudit_udp_receive_journal_remote_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_journal_remote_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the journal_remote port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
allow $1 journal_remote_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_journal_remote_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the journal_remote port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
allow $1 journal_remote_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_journal_remote_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to journal_remote port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
dontaudit $1 journal_remote_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_journal_remote_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the journal_remote port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
allow $1 journal_remote_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_journal_remote_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to journal_remote port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_journal_remote_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_journal_remote_port'($*)) dnl
gen_require(`
type journal_remote_port_t;
')
dontaudit $1 journal_remote_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_journal_remote_port'($*)) dnl
')
########################################
##
## Send journal_remote_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_journal_remote_client_packets'($*)) dnl
gen_require(`
type journal_remote_client_packet_t;
')
allow $1 journal_remote_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send journal_remote_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_journal_remote_client_packets'($*)) dnl
gen_require(`
type journal_remote_client_packet_t;
')
dontaudit $1 journal_remote_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Receive journal_remote_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_journal_remote_client_packets'($*)) dnl
gen_require(`
type journal_remote_client_packet_t;
')
allow $1 journal_remote_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive journal_remote_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_journal_remote_client_packets'($*)) dnl
gen_require(`
type journal_remote_client_packet_t;
')
dontaudit $1 journal_remote_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Send and receive journal_remote_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_journal_remote_client_packets'($*)) dnl
corenet_send_journal_remote_client_packets($1)
corenet_receive_journal_remote_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive journal_remote_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_journal_remote_client_packets'($*)) dnl
corenet_dontaudit_send_journal_remote_client_packets($1)
corenet_dontaudit_receive_journal_remote_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to journal_remote_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_journal_remote_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_journal_remote_client_packets'($*)) dnl
gen_require(`
type journal_remote_client_packet_t;
')
allow $1 journal_remote_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_journal_remote_client_packets'($*)) dnl
')
########################################
##
## Send journal_remote_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_journal_remote_server_packets'($*)) dnl
gen_require(`
type journal_remote_server_packet_t;
')
allow $1 journal_remote_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send journal_remote_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_journal_remote_server_packets'($*)) dnl
gen_require(`
type journal_remote_server_packet_t;
')
dontaudit $1 journal_remote_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Receive journal_remote_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_journal_remote_server_packets'($*)) dnl
gen_require(`
type journal_remote_server_packet_t;
')
allow $1 journal_remote_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive journal_remote_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_journal_remote_server_packets'($*)) dnl
gen_require(`
type journal_remote_server_packet_t;
')
dontaudit $1 journal_remote_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Send and receive journal_remote_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_journal_remote_server_packets'($*)) dnl
corenet_send_journal_remote_server_packets($1)
corenet_receive_journal_remote_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive journal_remote_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_journal_remote_server_packets'($*)) dnl
corenet_dontaudit_send_journal_remote_server_packets($1)
corenet_dontaudit_receive_journal_remote_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to journal_remote_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_journal_remote_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_journal_remote_server_packets'($*)) dnl
gen_require(`
type journal_remote_server_packet_t;
')
allow $1 journal_remote_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_journal_remote_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
dontaudit $1 kerberos_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
dontaudit $1 kerberos_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_port'($*)) dnl
corenet_udp_send_kerberos_port($1)
corenet_udp_receive_kerberos_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl
corenet_dontaudit_udp_send_kerberos_port($1)
corenet_dontaudit_udp_receive_kerberos_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kerberos port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to kerberos port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
dontaudit $1 kerberos_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kerberos_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kerberos port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
allow $1 kerberos_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to kerberos port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_kerberos_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kerberos_port'($*)) dnl
gen_require(`
type kerberos_port_t;
')
dontaudit $1 kerberos_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kerberos_port'($*)) dnl
')
########################################
##
## Send kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_client_packets'($*)) dnl
gen_require(`
type kerberos_client_packet_t;
')
allow $1 kerberos_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl
gen_require(`
type kerberos_client_packet_t;
')
dontaudit $1 kerberos_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl
')
########################################
##
## Receive kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_client_packets'($*)) dnl
gen_require(`
type kerberos_client_packet_t;
')
allow $1 kerberos_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl
gen_require(`
type kerberos_client_packet_t;
')
dontaudit $1 kerberos_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_client_packets'($*)) dnl
corenet_send_kerberos_client_packets($1)
corenet_receive_kerberos_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl
corenet_dontaudit_send_kerberos_client_packets($1)
corenet_dontaudit_receive_kerberos_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to kerberos_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_client_packets'($*)) dnl
gen_require(`
type kerberos_client_packet_t;
')
allow $1 kerberos_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_client_packets'($*)) dnl
')
########################################
##
## Send kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_server_packets'($*)) dnl
gen_require(`
type kerberos_server_packet_t;
')
allow $1 kerberos_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl
gen_require(`
type kerberos_server_packet_t;
')
dontaudit $1 kerberos_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl
')
########################################
##
## Receive kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_server_packets'($*)) dnl
gen_require(`
type kerberos_server_packet_t;
')
allow $1 kerberos_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl
gen_require(`
type kerberos_server_packet_t;
')
dontaudit $1 kerberos_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_server_packets'($*)) dnl
corenet_send_kerberos_server_packets($1)
corenet_receive_kerberos_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl
corenet_dontaudit_send_kerberos_server_packets($1)
corenet_dontaudit_receive_kerberos_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to kerberos_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_server_packets'($*)) dnl
gen_require(`
type kerberos_server_packet_t;
')
allow $1 kerberos_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
dontaudit $1 kerberos_admin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
dontaudit $1 kerberos_admin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl
corenet_udp_send_kerberos_admin_port($1)
corenet_udp_receive_kerberos_admin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl
corenet_dontaudit_udp_send_kerberos_admin_port($1)
corenet_dontaudit_udp_receive_kerberos_admin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_admin_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to kerberos_admin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
dontaudit $1 kerberos_admin_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kerberos_admin_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
allow $1 kerberos_admin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_admin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to kerberos_admin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_kerberos_admin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kerberos_admin_port'($*)) dnl
gen_require(`
type kerberos_admin_port_t;
')
dontaudit $1 kerberos_admin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kerberos_admin_port'($*)) dnl
')
########################################
##
## Send kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
allow $1 kerberos_admin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_admin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
dontaudit $1 kerberos_admin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Receive kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
allow $1 kerberos_admin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
dontaudit $1 kerberos_admin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_admin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl
corenet_send_kerberos_admin_client_packets($1)
corenet_receive_kerberos_admin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_admin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl
corenet_dontaudit_send_kerberos_admin_client_packets($1)
corenet_dontaudit_receive_kerberos_admin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to kerberos_admin_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_admin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl
gen_require(`
type kerberos_admin_client_packet_t;
')
allow $1 kerberos_admin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl
')
########################################
##
## Send kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
allow $1 kerberos_admin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_admin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
dontaudit $1 kerberos_admin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Receive kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
allow $1 kerberos_admin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
dontaudit $1 kerberos_admin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_admin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl
corenet_send_kerberos_admin_server_packets($1)
corenet_receive_kerberos_admin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_admin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl
corenet_dontaudit_send_kerberos_admin_server_packets($1)
corenet_dontaudit_receive_kerberos_admin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to kerberos_admin_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_admin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl
gen_require(`
type kerberos_admin_server_packet_t;
')
allow $1 kerberos_admin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
allow $1 kerberos_password_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_password_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
allow $1 kerberos_password_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_password_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kerberos_password port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
dontaudit $1 kerberos_password_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_password_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
allow $1 kerberos_password_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_password_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kerberos_password port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
dontaudit $1 kerberos_password_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_password_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_password_port'($*)) dnl
corenet_udp_send_kerberos_password_port($1)
corenet_udp_receive_kerberos_password_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_password_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kerberos_password port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_password_port'($*)) dnl
corenet_dontaudit_udp_send_kerberos_password_port($1)
corenet_dontaudit_udp_receive_kerberos_password_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_password_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
allow $1 kerberos_password_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_password_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
allow $1 kerberos_password_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_password_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to kerberos_password port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
dontaudit $1 kerberos_password_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kerberos_password_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kerberos_password port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
allow $1 kerberos_password_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_password_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to kerberos_password port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kerberos_password_port'($*)) dnl
gen_require(`
type kerberos_password_port_t;
')
dontaudit $1 kerberos_password_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kerberos_password_port'($*)) dnl
')
########################################
##
## Send kerberos_password_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_password_client_packets'($*)) dnl
gen_require(`
type kerberos_password_client_packet_t;
')
allow $1 kerberos_password_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_password_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_password_client_packets'($*)) dnl
gen_require(`
type kerberos_password_client_packet_t;
')
dontaudit $1 kerberos_password_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Receive kerberos_password_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_password_client_packets'($*)) dnl
gen_require(`
type kerberos_password_client_packet_t;
')
allow $1 kerberos_password_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_password_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_password_client_packets'($*)) dnl
gen_require(`
type kerberos_password_client_packet_t;
')
dontaudit $1 kerberos_password_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_password_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_password_client_packets'($*)) dnl
corenet_send_kerberos_password_client_packets($1)
corenet_receive_kerberos_password_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_password_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_password_client_packets'($*)) dnl
corenet_dontaudit_send_kerberos_password_client_packets($1)
corenet_dontaudit_receive_kerberos_password_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to kerberos_password_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_password_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_password_client_packets'($*)) dnl
gen_require(`
type kerberos_password_client_packet_t;
')
allow $1 kerberos_password_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_password_client_packets'($*)) dnl
')
########################################
##
## Send kerberos_password_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_password_server_packets'($*)) dnl
gen_require(`
type kerberos_password_server_packet_t;
')
allow $1 kerberos_password_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kerberos_password_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_password_server_packets'($*)) dnl
gen_require(`
type kerberos_password_server_packet_t;
')
dontaudit $1 kerberos_password_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Receive kerberos_password_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_password_server_packets'($*)) dnl
gen_require(`
type kerberos_password_server_packet_t;
')
allow $1 kerberos_password_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kerberos_password_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_password_server_packets'($*)) dnl
gen_require(`
type kerberos_password_server_packet_t;
')
dontaudit $1 kerberos_password_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Send and receive kerberos_password_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_password_server_packets'($*)) dnl
corenet_send_kerberos_password_server_packets($1)
corenet_receive_kerberos_password_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kerberos_password_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_password_server_packets'($*)) dnl
corenet_dontaudit_send_kerberos_password_server_packets($1)
corenet_dontaudit_receive_kerberos_password_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to kerberos_password_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kerberos_password_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_password_server_packets'($*)) dnl
gen_require(`
type kerberos_password_server_packet_t;
')
allow $1 kerberos_password_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_password_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the keystone port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
allow $1 keystone_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_keystone_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the keystone port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
allow $1 keystone_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_keystone_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the keystone port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
dontaudit $1 keystone_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_keystone_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the keystone port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
allow $1 keystone_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_keystone_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the keystone port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
dontaudit $1 keystone_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_keystone_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the keystone port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_keystone_port'($*)) dnl
corenet_udp_send_keystone_port($1)
corenet_udp_receive_keystone_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_keystone_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the keystone port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_keystone_port'($*)) dnl
corenet_dontaudit_udp_send_keystone_port($1)
corenet_dontaudit_udp_receive_keystone_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_keystone_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the keystone port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
allow $1 keystone_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_keystone_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the keystone port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
allow $1 keystone_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_keystone_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to keystone port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
dontaudit $1 keystone_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_keystone_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the keystone port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
allow $1 keystone_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_keystone_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to keystone port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_keystone_port'($*)) dnl
gen_require(`
type keystone_port_t;
')
dontaudit $1 keystone_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_keystone_port'($*)) dnl
')
########################################
##
## Send keystone_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_keystone_client_packets'($*)) dnl
gen_require(`
type keystone_client_packet_t;
')
allow $1 keystone_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_keystone_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send keystone_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_keystone_client_packets'($*)) dnl
gen_require(`
type keystone_client_packet_t;
')
dontaudit $1 keystone_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_keystone_client_packets'($*)) dnl
')
########################################
##
## Receive keystone_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_keystone_client_packets'($*)) dnl
gen_require(`
type keystone_client_packet_t;
')
allow $1 keystone_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_keystone_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive keystone_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_keystone_client_packets'($*)) dnl
gen_require(`
type keystone_client_packet_t;
')
dontaudit $1 keystone_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_keystone_client_packets'($*)) dnl
')
########################################
##
## Send and receive keystone_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_keystone_client_packets'($*)) dnl
corenet_send_keystone_client_packets($1)
corenet_receive_keystone_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_keystone_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive keystone_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_keystone_client_packets'($*)) dnl
corenet_dontaudit_send_keystone_client_packets($1)
corenet_dontaudit_receive_keystone_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_keystone_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to keystone_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_keystone_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_keystone_client_packets'($*)) dnl
gen_require(`
type keystone_client_packet_t;
')
allow $1 keystone_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_keystone_client_packets'($*)) dnl
')
########################################
##
## Send keystone_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_keystone_server_packets'($*)) dnl
gen_require(`
type keystone_server_packet_t;
')
allow $1 keystone_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_keystone_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send keystone_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_keystone_server_packets'($*)) dnl
gen_require(`
type keystone_server_packet_t;
')
dontaudit $1 keystone_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_keystone_server_packets'($*)) dnl
')
########################################
##
## Receive keystone_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_keystone_server_packets'($*)) dnl
gen_require(`
type keystone_server_packet_t;
')
allow $1 keystone_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_keystone_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive keystone_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_keystone_server_packets'($*)) dnl
gen_require(`
type keystone_server_packet_t;
')
dontaudit $1 keystone_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_keystone_server_packets'($*)) dnl
')
########################################
##
## Send and receive keystone_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_keystone_server_packets'($*)) dnl
corenet_send_keystone_server_packets($1)
corenet_receive_keystone_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_keystone_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive keystone_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_keystone_server_packets'($*)) dnl
corenet_dontaudit_send_keystone_server_packets($1)
corenet_dontaudit_receive_keystone_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_keystone_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to keystone_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_keystone_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_keystone_server_packets'($*)) dnl
gen_require(`
type keystone_server_packet_t;
')
allow $1 keystone_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_keystone_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kubernetes port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
allow $1 kubernetes_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kubernetes_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kubernetes port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
allow $1 kubernetes_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kubernetes_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kubernetes port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
dontaudit $1 kubernetes_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kubernetes_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kubernetes port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
allow $1 kubernetes_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kubernetes_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kubernetes port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
dontaudit $1 kubernetes_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kubernetes_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kubernetes port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kubernetes_port'($*)) dnl
corenet_udp_send_kubernetes_port($1)
corenet_udp_receive_kubernetes_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kubernetes_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kubernetes port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kubernetes_port'($*)) dnl
corenet_dontaudit_udp_send_kubernetes_port($1)
corenet_dontaudit_udp_receive_kubernetes_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kubernetes_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kubernetes port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
allow $1 kubernetes_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kubernetes_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kubernetes port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
allow $1 kubernetes_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kubernetes_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to kubernetes port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
dontaudit $1 kubernetes_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kubernetes_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kubernetes port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
allow $1 kubernetes_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kubernetes_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to kubernetes port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_kubernetes_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kubernetes_port'($*)) dnl
gen_require(`
type kubernetes_port_t;
')
dontaudit $1 kubernetes_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kubernetes_port'($*)) dnl
')
########################################
##
## Send kubernetes_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kubernetes_client_packets'($*)) dnl
gen_require(`
type kubernetes_client_packet_t;
')
allow $1 kubernetes_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kubernetes_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kubernetes_client_packets'($*)) dnl
gen_require(`
type kubernetes_client_packet_t;
')
dontaudit $1 kubernetes_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Receive kubernetes_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kubernetes_client_packets'($*)) dnl
gen_require(`
type kubernetes_client_packet_t;
')
allow $1 kubernetes_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kubernetes_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kubernetes_client_packets'($*)) dnl
gen_require(`
type kubernetes_client_packet_t;
')
dontaudit $1 kubernetes_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Send and receive kubernetes_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kubernetes_client_packets'($*)) dnl
corenet_send_kubernetes_client_packets($1)
corenet_receive_kubernetes_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kubernetes_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kubernetes_client_packets'($*)) dnl
corenet_dontaudit_send_kubernetes_client_packets($1)
corenet_dontaudit_receive_kubernetes_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to kubernetes_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kubernetes_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kubernetes_client_packets'($*)) dnl
gen_require(`
type kubernetes_client_packet_t;
')
allow $1 kubernetes_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kubernetes_client_packets'($*)) dnl
')
########################################
##
## Send kubernetes_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kubernetes_server_packets'($*)) dnl
gen_require(`
type kubernetes_server_packet_t;
')
allow $1 kubernetes_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kubernetes_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kubernetes_server_packets'($*)) dnl
gen_require(`
type kubernetes_server_packet_t;
')
dontaudit $1 kubernetes_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Receive kubernetes_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kubernetes_server_packets'($*)) dnl
gen_require(`
type kubernetes_server_packet_t;
')
allow $1 kubernetes_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kubernetes_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kubernetes_server_packets'($*)) dnl
gen_require(`
type kubernetes_server_packet_t;
')
dontaudit $1 kubernetes_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Send and receive kubernetes_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kubernetes_server_packets'($*)) dnl
corenet_send_kubernetes_server_packets($1)
corenet_receive_kubernetes_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kubernetes_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kubernetes_server_packets'($*)) dnl
corenet_dontaudit_send_kubernetes_server_packets($1)
corenet_dontaudit_receive_kubernetes_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to kubernetes_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kubernetes_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kubernetes_server_packets'($*)) dnl
gen_require(`
type kubernetes_server_packet_t;
')
allow $1 kubernetes_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kubernetes_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the lltng port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
allow $1 lltng_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lltng_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the lltng port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
allow $1 lltng_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lltng_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the lltng port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
dontaudit $1 lltng_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lltng_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lltng port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
allow $1 lltng_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lltng_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the lltng port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
dontaudit $1 lltng_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lltng_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lltng port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lltng_port'($*)) dnl
corenet_udp_send_lltng_port($1)
corenet_udp_receive_lltng_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lltng_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the lltng port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lltng_port'($*)) dnl
corenet_dontaudit_udp_send_lltng_port($1)
corenet_dontaudit_udp_receive_lltng_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lltng_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lltng port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
allow $1 lltng_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lltng_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lltng port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
allow $1 lltng_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lltng_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to lltng port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
dontaudit $1 lltng_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lltng_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the lltng port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
allow $1 lltng_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lltng_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to lltng port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_lltng_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lltng_port'($*)) dnl
gen_require(`
type lltng_port_t;
')
dontaudit $1 lltng_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lltng_port'($*)) dnl
')
########################################
##
## Send lltng_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lltng_client_packets'($*)) dnl
gen_require(`
type lltng_client_packet_t;
')
allow $1 lltng_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lltng_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lltng_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lltng_client_packets'($*)) dnl
gen_require(`
type lltng_client_packet_t;
')
dontaudit $1 lltng_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lltng_client_packets'($*)) dnl
')
########################################
##
## Receive lltng_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lltng_client_packets'($*)) dnl
gen_require(`
type lltng_client_packet_t;
')
allow $1 lltng_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lltng_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lltng_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lltng_client_packets'($*)) dnl
gen_require(`
type lltng_client_packet_t;
')
dontaudit $1 lltng_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lltng_client_packets'($*)) dnl
')
########################################
##
## Send and receive lltng_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lltng_client_packets'($*)) dnl
corenet_send_lltng_client_packets($1)
corenet_receive_lltng_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lltng_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lltng_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lltng_client_packets'($*)) dnl
corenet_dontaudit_send_lltng_client_packets($1)
corenet_dontaudit_receive_lltng_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lltng_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to lltng_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lltng_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lltng_client_packets'($*)) dnl
gen_require(`
type lltng_client_packet_t;
')
allow $1 lltng_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lltng_client_packets'($*)) dnl
')
########################################
##
## Send lltng_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lltng_server_packets'($*)) dnl
gen_require(`
type lltng_server_packet_t;
')
allow $1 lltng_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lltng_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lltng_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lltng_server_packets'($*)) dnl
gen_require(`
type lltng_server_packet_t;
')
dontaudit $1 lltng_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lltng_server_packets'($*)) dnl
')
########################################
##
## Receive lltng_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lltng_server_packets'($*)) dnl
gen_require(`
type lltng_server_packet_t;
')
allow $1 lltng_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lltng_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lltng_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lltng_server_packets'($*)) dnl
gen_require(`
type lltng_server_packet_t;
')
dontaudit $1 lltng_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lltng_server_packets'($*)) dnl
')
########################################
##
## Send and receive lltng_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lltng_server_packets'($*)) dnl
corenet_send_lltng_server_packets($1)
corenet_receive_lltng_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lltng_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lltng_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lltng_server_packets'($*)) dnl
corenet_dontaudit_send_lltng_server_packets($1)
corenet_dontaudit_receive_lltng_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lltng_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to lltng_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lltng_server_packets'($*)) dnl
gen_require(`
type lltng_server_packet_t;
')
allow $1 lltng_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lltng_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the llmnr port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
allow $1 llmnr_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_llmnr_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the llmnr port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
allow $1 llmnr_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_llmnr_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the llmnr port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
dontaudit $1 llmnr_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_llmnr_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the llmnr port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
allow $1 llmnr_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_llmnr_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the llmnr port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
dontaudit $1 llmnr_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_llmnr_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the llmnr port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_llmnr_port'($*)) dnl
corenet_udp_send_llmnr_port($1)
corenet_udp_receive_llmnr_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_llmnr_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the llmnr port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_llmnr_port'($*)) dnl
corenet_dontaudit_udp_send_llmnr_port($1)
corenet_dontaudit_udp_receive_llmnr_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_llmnr_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the llmnr port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
allow $1 llmnr_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_llmnr_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the llmnr port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
allow $1 llmnr_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_llmnr_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to llmnr port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
dontaudit $1 llmnr_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_llmnr_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the llmnr port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
allow $1 llmnr_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_llmnr_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to llmnr port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_llmnr_port'($*)) dnl
gen_require(`
type llmnr_port_t;
')
dontaudit $1 llmnr_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_llmnr_port'($*)) dnl
')
########################################
##
## Send llmnr_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_llmnr_client_packets'($*)) dnl
gen_require(`
type llmnr_client_packet_t;
')
allow $1 llmnr_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_llmnr_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send llmnr_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_llmnr_client_packets'($*)) dnl
gen_require(`
type llmnr_client_packet_t;
')
dontaudit $1 llmnr_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_llmnr_client_packets'($*)) dnl
')
########################################
##
## Receive llmnr_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_llmnr_client_packets'($*)) dnl
gen_require(`
type llmnr_client_packet_t;
')
allow $1 llmnr_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_llmnr_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive llmnr_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_llmnr_client_packets'($*)) dnl
gen_require(`
type llmnr_client_packet_t;
')
dontaudit $1 llmnr_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_llmnr_client_packets'($*)) dnl
')
########################################
##
## Send and receive llmnr_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_llmnr_client_packets'($*)) dnl
corenet_send_llmnr_client_packets($1)
corenet_receive_llmnr_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_llmnr_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive llmnr_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_llmnr_client_packets'($*)) dnl
corenet_dontaudit_send_llmnr_client_packets($1)
corenet_dontaudit_receive_llmnr_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_llmnr_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to llmnr_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_llmnr_client_packets'($*)) dnl
gen_require(`
type llmnr_client_packet_t;
')
allow $1 llmnr_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_llmnr_client_packets'($*)) dnl
')
########################################
##
## Send llmnr_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_llmnr_server_packets'($*)) dnl
gen_require(`
type llmnr_server_packet_t;
')
allow $1 llmnr_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_llmnr_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send llmnr_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_llmnr_server_packets'($*)) dnl
gen_require(`
type llmnr_server_packet_t;
')
dontaudit $1 llmnr_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_llmnr_server_packets'($*)) dnl
')
########################################
##
## Receive llmnr_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_llmnr_server_packets'($*)) dnl
gen_require(`
type llmnr_server_packet_t;
')
allow $1 llmnr_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_llmnr_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive llmnr_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_llmnr_server_packets'($*)) dnl
gen_require(`
type llmnr_server_packet_t;
')
dontaudit $1 llmnr_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_llmnr_server_packets'($*)) dnl
')
########################################
##
## Send and receive llmnr_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_llmnr_server_packets'($*)) dnl
corenet_send_llmnr_server_packets($1)
corenet_receive_llmnr_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_llmnr_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive llmnr_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_llmnr_server_packets'($*)) dnl
corenet_dontaudit_send_llmnr_server_packets($1)
corenet_dontaudit_receive_llmnr_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_llmnr_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to llmnr_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_llmnr_server_packets'($*)) dnl
gen_require(`
type llmnr_server_packet_t;
')
allow $1 llmnr_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_llmnr_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
allow $1 rabbitmq_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rabbitmq_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
allow $1 rabbitmq_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rabbitmq_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rabbitmq port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
dontaudit $1 rabbitmq_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rabbitmq_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
allow $1 rabbitmq_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rabbitmq_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rabbitmq port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
dontaudit $1 rabbitmq_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rabbitmq_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rabbitmq_port'($*)) dnl
corenet_udp_send_rabbitmq_port($1)
corenet_udp_receive_rabbitmq_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rabbitmq_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rabbitmq port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rabbitmq_port'($*)) dnl
corenet_dontaudit_udp_send_rabbitmq_port($1)
corenet_dontaudit_udp_receive_rabbitmq_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rabbitmq_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
allow $1 rabbitmq_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rabbitmq_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
allow $1 rabbitmq_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rabbitmq_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rabbitmq port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
dontaudit $1 rabbitmq_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rabbitmq_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rabbitmq port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
allow $1 rabbitmq_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rabbitmq_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rabbitmq port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rabbitmq_port'($*)) dnl
gen_require(`
type rabbitmq_port_t;
')
dontaudit $1 rabbitmq_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rabbitmq_port'($*)) dnl
')
########################################
##
## Send rabbitmq_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rabbitmq_client_packets'($*)) dnl
gen_require(`
type rabbitmq_client_packet_t;
')
allow $1 rabbitmq_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rabbitmq_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rabbitmq_client_packets'($*)) dnl
gen_require(`
type rabbitmq_client_packet_t;
')
dontaudit $1 rabbitmq_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Receive rabbitmq_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rabbitmq_client_packets'($*)) dnl
gen_require(`
type rabbitmq_client_packet_t;
')
allow $1 rabbitmq_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rabbitmq_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rabbitmq_client_packets'($*)) dnl
gen_require(`
type rabbitmq_client_packet_t;
')
dontaudit $1 rabbitmq_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Send and receive rabbitmq_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rabbitmq_client_packets'($*)) dnl
corenet_send_rabbitmq_client_packets($1)
corenet_receive_rabbitmq_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rabbitmq_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rabbitmq_client_packets'($*)) dnl
corenet_dontaudit_send_rabbitmq_client_packets($1)
corenet_dontaudit_receive_rabbitmq_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rabbitmq_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rabbitmq_client_packets'($*)) dnl
gen_require(`
type rabbitmq_client_packet_t;
')
allow $1 rabbitmq_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rabbitmq_client_packets'($*)) dnl
')
########################################
##
## Send rabbitmq_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rabbitmq_server_packets'($*)) dnl
gen_require(`
type rabbitmq_server_packet_t;
')
allow $1 rabbitmq_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rabbitmq_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rabbitmq_server_packets'($*)) dnl
gen_require(`
type rabbitmq_server_packet_t;
')
dontaudit $1 rabbitmq_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Receive rabbitmq_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rabbitmq_server_packets'($*)) dnl
gen_require(`
type rabbitmq_server_packet_t;
')
allow $1 rabbitmq_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rabbitmq_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rabbitmq_server_packets'($*)) dnl
gen_require(`
type rabbitmq_server_packet_t;
')
dontaudit $1 rabbitmq_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Send and receive rabbitmq_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rabbitmq_server_packets'($*)) dnl
corenet_send_rabbitmq_server_packets($1)
corenet_receive_rabbitmq_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rabbitmq_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rabbitmq_server_packets'($*)) dnl
corenet_dontaudit_send_rabbitmq_server_packets($1)
corenet_dontaudit_receive_rabbitmq_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rabbitmq_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rabbitmq_server_packets'($*)) dnl
gen_require(`
type rabbitmq_server_packet_t;
')
allow $1 rabbitmq_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rabbitmq_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rkt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
allow $1 rkt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rkt_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rkt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
allow $1 rkt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rkt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rkt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
dontaudit $1 rkt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rkt_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rkt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
allow $1 rkt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rkt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rkt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
dontaudit $1 rkt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rkt_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rkt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rkt_port'($*)) dnl
corenet_udp_send_rkt_port($1)
corenet_udp_receive_rkt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rkt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rkt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rkt_port'($*)) dnl
corenet_dontaudit_udp_send_rkt_port($1)
corenet_dontaudit_udp_receive_rkt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rkt_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rkt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
allow $1 rkt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rkt_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rkt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
allow $1 rkt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rkt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rkt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
dontaudit $1 rkt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rkt_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rkt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
allow $1 rkt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rkt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rkt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rkt_port'($*)) dnl
gen_require(`
type rkt_port_t;
')
dontaudit $1 rkt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rkt_port'($*)) dnl
')
########################################
##
## Send rkt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rkt_client_packets'($*)) dnl
gen_require(`
type rkt_client_packet_t;
')
allow $1 rkt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rkt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rkt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rkt_client_packets'($*)) dnl
gen_require(`
type rkt_client_packet_t;
')
dontaudit $1 rkt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rkt_client_packets'($*)) dnl
')
########################################
##
## Receive rkt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rkt_client_packets'($*)) dnl
gen_require(`
type rkt_client_packet_t;
')
allow $1 rkt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rkt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rkt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rkt_client_packets'($*)) dnl
gen_require(`
type rkt_client_packet_t;
')
dontaudit $1 rkt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rkt_client_packets'($*)) dnl
')
########################################
##
## Send and receive rkt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rkt_client_packets'($*)) dnl
corenet_send_rkt_client_packets($1)
corenet_receive_rkt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rkt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rkt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rkt_client_packets'($*)) dnl
corenet_dontaudit_send_rkt_client_packets($1)
corenet_dontaudit_receive_rkt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rkt_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rkt_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rkt_client_packets'($*)) dnl
gen_require(`
type rkt_client_packet_t;
')
allow $1 rkt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rkt_client_packets'($*)) dnl
')
########################################
##
## Send rkt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rkt_server_packets'($*)) dnl
gen_require(`
type rkt_server_packet_t;
')
allow $1 rkt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rkt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rkt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rkt_server_packets'($*)) dnl
gen_require(`
type rkt_server_packet_t;
')
dontaudit $1 rkt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rkt_server_packets'($*)) dnl
')
########################################
##
## Receive rkt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rkt_server_packets'($*)) dnl
gen_require(`
type rkt_server_packet_t;
')
allow $1 rkt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rkt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rkt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rkt_server_packets'($*)) dnl
gen_require(`
type rkt_server_packet_t;
')
dontaudit $1 rkt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rkt_server_packets'($*)) dnl
')
########################################
##
## Send and receive rkt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rkt_server_packets'($*)) dnl
corenet_send_rkt_server_packets($1)
corenet_receive_rkt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rkt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rkt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rkt_server_packets'($*)) dnl
corenet_dontaudit_send_rkt_server_packets($1)
corenet_dontaudit_receive_rkt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rkt_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rkt_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rkt_server_packets'($*)) dnl
gen_require(`
type rkt_server_packet_t;
')
allow $1 rkt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rkt_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rlogin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
allow $1 rlogin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rlogin_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rlogin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
allow $1 rlogin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rlogin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rlogin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
dontaudit $1 rlogin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rlogin_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rlogin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
allow $1 rlogin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rlogin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rlogin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
dontaudit $1 rlogin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rlogin_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rlogin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rlogin_port'($*)) dnl
corenet_udp_send_rlogin_port($1)
corenet_udp_receive_rlogin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rlogin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rlogin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rlogin_port'($*)) dnl
corenet_dontaudit_udp_send_rlogin_port($1)
corenet_dontaudit_udp_receive_rlogin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rlogin_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rlogin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
allow $1 rlogin_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rlogin_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rlogin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
allow $1 rlogin_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rlogin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rlogin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
dontaudit $1 rlogin_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rlogin_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rlogin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
allow $1 rlogin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rlogin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rlogin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rlogin_port'($*)) dnl
gen_require(`
type rlogin_port_t;
')
dontaudit $1 rlogin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rlogin_port'($*)) dnl
')
########################################
##
## Send rlogin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogin_client_packets'($*)) dnl
gen_require(`
type rlogin_client_packet_t;
')
allow $1 rlogin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rlogin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogin_client_packets'($*)) dnl
gen_require(`
type rlogin_client_packet_t;
')
dontaudit $1 rlogin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogin_client_packets'($*)) dnl
')
########################################
##
## Receive rlogin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogin_client_packets'($*)) dnl
gen_require(`
type rlogin_client_packet_t;
')
allow $1 rlogin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rlogin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogin_client_packets'($*)) dnl
gen_require(`
type rlogin_client_packet_t;
')
dontaudit $1 rlogin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogin_client_packets'($*)) dnl
')
########################################
##
## Send and receive rlogin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogin_client_packets'($*)) dnl
corenet_send_rlogin_client_packets($1)
corenet_receive_rlogin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rlogin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogin_client_packets'($*)) dnl
corenet_dontaudit_send_rlogin_client_packets($1)
corenet_dontaudit_receive_rlogin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogin_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rlogin_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogin_client_packets'($*)) dnl
gen_require(`
type rlogin_client_packet_t;
')
allow $1 rlogin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogin_client_packets'($*)) dnl
')
########################################
##
## Send rlogin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogin_server_packets'($*)) dnl
gen_require(`
type rlogin_server_packet_t;
')
allow $1 rlogin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rlogin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogin_server_packets'($*)) dnl
gen_require(`
type rlogin_server_packet_t;
')
dontaudit $1 rlogin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogin_server_packets'($*)) dnl
')
########################################
##
## Receive rlogin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogin_server_packets'($*)) dnl
gen_require(`
type rlogin_server_packet_t;
')
allow $1 rlogin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rlogin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogin_server_packets'($*)) dnl
gen_require(`
type rlogin_server_packet_t;
')
dontaudit $1 rlogin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogin_server_packets'($*)) dnl
')
########################################
##
## Send and receive rlogin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogin_server_packets'($*)) dnl
corenet_send_rlogin_server_packets($1)
corenet_receive_rlogin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rlogin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogin_server_packets'($*)) dnl
corenet_dontaudit_send_rlogin_server_packets($1)
corenet_dontaudit_receive_rlogin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogin_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rlogin_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogin_server_packets'($*)) dnl
gen_require(`
type rlogin_server_packet_t;
')
allow $1 rlogin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogin_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rtsclient port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
allow $1 rtsclient_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtsclient_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rtsclient port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
allow $1 rtsclient_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtsclient_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rtsclient port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
dontaudit $1 rtsclient_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtsclient_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rtsclient port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
allow $1 rtsclient_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtsclient_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rtsclient port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
dontaudit $1 rtsclient_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtsclient_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rtsclient port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtsclient_port'($*)) dnl
corenet_udp_send_rtsclient_port($1)
corenet_udp_receive_rtsclient_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtsclient_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rtsclient port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtsclient_port'($*)) dnl
corenet_dontaudit_udp_send_rtsclient_port($1)
corenet_dontaudit_udp_receive_rtsclient_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtsclient_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rtsclient port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
allow $1 rtsclient_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtsclient_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rtsclient port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
allow $1 rtsclient_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtsclient_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rtsclient port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
dontaudit $1 rtsclient_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rtsclient_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rtsclient port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
allow $1 rtsclient_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtsclient_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rtsclient port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rtsclient_port'($*)) dnl
gen_require(`
type rtsclient_port_t;
')
dontaudit $1 rtsclient_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rtsclient_port'($*)) dnl
')
########################################
##
## Send rtsclient_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtsclient_client_packets'($*)) dnl
gen_require(`
type rtsclient_client_packet_t;
')
allow $1 rtsclient_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rtsclient_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsclient_client_packets'($*)) dnl
gen_require(`
type rtsclient_client_packet_t;
')
dontaudit $1 rtsclient_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Receive rtsclient_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsclient_client_packets'($*)) dnl
gen_require(`
type rtsclient_client_packet_t;
')
allow $1 rtsclient_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rtsclient_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsclient_client_packets'($*)) dnl
gen_require(`
type rtsclient_client_packet_t;
')
dontaudit $1 rtsclient_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Send and receive rtsclient_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsclient_client_packets'($*)) dnl
corenet_send_rtsclient_client_packets($1)
corenet_receive_rtsclient_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rtsclient_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsclient_client_packets'($*)) dnl
corenet_dontaudit_send_rtsclient_client_packets($1)
corenet_dontaudit_receive_rtsclient_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rtsclient_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsclient_client_packets'($*)) dnl
gen_require(`
type rtsclient_client_packet_t;
')
allow $1 rtsclient_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsclient_client_packets'($*)) dnl
')
########################################
##
## Send rtsclient_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtsclient_server_packets'($*)) dnl
gen_require(`
type rtsclient_server_packet_t;
')
allow $1 rtsclient_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rtsclient_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsclient_server_packets'($*)) dnl
gen_require(`
type rtsclient_server_packet_t;
')
dontaudit $1 rtsclient_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Receive rtsclient_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsclient_server_packets'($*)) dnl
gen_require(`
type rtsclient_server_packet_t;
')
allow $1 rtsclient_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rtsclient_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsclient_server_packets'($*)) dnl
gen_require(`
type rtsclient_server_packet_t;
')
dontaudit $1 rtsclient_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Send and receive rtsclient_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsclient_server_packets'($*)) dnl
corenet_send_rtsclient_server_packets($1)
corenet_receive_rtsclient_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rtsclient_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsclient_server_packets'($*)) dnl
corenet_dontaudit_send_rtsclient_server_packets($1)
corenet_dontaudit_receive_rtsclient_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rtsclient_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsclient_server_packets'($*)) dnl
gen_require(`
type rtsclient_server_packet_t;
')
allow $1 rtsclient_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsclient_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kprop_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
dontaudit $1 kprop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kprop_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
dontaudit $1 kprop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kprop_port'($*)) dnl
corenet_udp_send_kprop_port($1)
corenet_udp_receive_kprop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl
corenet_dontaudit_udp_send_kprop_port($1)
corenet_dontaudit_udp_receive_kprop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kprop_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the kprop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to kprop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
dontaudit $1 kprop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kprop_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the kprop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
allow $1 kprop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kprop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to kprop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kprop_port'($*)) dnl
gen_require(`
type kprop_port_t;
')
dontaudit $1 kprop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kprop_port'($*)) dnl
')
########################################
##
## Send kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_client_packets'($*)) dnl
gen_require(`
type kprop_client_packet_t;
')
allow $1 kprop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kprop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kprop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_client_packets'($*)) dnl
gen_require(`
type kprop_client_packet_t;
')
dontaudit $1 kprop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_client_packets'($*)) dnl
')
########################################
##
## Receive kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_client_packets'($*)) dnl
gen_require(`
type kprop_client_packet_t;
')
allow $1 kprop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl
gen_require(`
type kprop_client_packet_t;
')
dontaudit $1 kprop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl
')
########################################
##
## Send and receive kprop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_client_packets'($*)) dnl
corenet_send_kprop_client_packets($1)
corenet_receive_kprop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kprop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl
corenet_dontaudit_send_kprop_client_packets($1)
corenet_dontaudit_receive_kprop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to kprop_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_client_packets'($*)) dnl
gen_require(`
type kprop_client_packet_t;
')
allow $1 kprop_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_client_packets'($*)) dnl
')
########################################
##
## Send kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_server_packets'($*)) dnl
gen_require(`
type kprop_server_packet_t;
')
allow $1 kprop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kprop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send kprop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_server_packets'($*)) dnl
gen_require(`
type kprop_server_packet_t;
')
dontaudit $1 kprop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_server_packets'($*)) dnl
')
########################################
##
## Receive kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_server_packets'($*)) dnl
gen_require(`
type kprop_server_packet_t;
')
allow $1 kprop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl
gen_require(`
type kprop_server_packet_t;
')
dontaudit $1 kprop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl
')
########################################
##
## Send and receive kprop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_server_packets'($*)) dnl
corenet_send_kprop_server_packets($1)
corenet_receive_kprop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive kprop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl
corenet_dontaudit_send_kprop_server_packets($1)
corenet_dontaudit_receive_kprop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to kprop_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_server_packets'($*)) dnl
gen_require(`
type kprop_server_packet_t;
')
allow $1 kprop_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
dontaudit $1 ktalkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
dontaudit $1 ktalkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ktalkd_port'($*)) dnl
corenet_udp_send_ktalkd_port($1)
corenet_udp_receive_ktalkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl
corenet_dontaudit_udp_send_ktalkd_port($1)
corenet_dontaudit_udp_receive_ktalkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ktalkd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ktalkd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ktalkd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
dontaudit $1 ktalkd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ktalkd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ktalkd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
allow $1 ktalkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ktalkd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ktalkd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ktalkd_port'($*)) dnl
gen_require(`
type ktalkd_port_t;
')
dontaudit $1 ktalkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ktalkd_port'($*)) dnl
')
########################################
##
## Send ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_client_packets'($*)) dnl
gen_require(`
type ktalkd_client_packet_t;
')
allow $1 ktalkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ktalkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl
gen_require(`
type ktalkd_client_packet_t;
')
dontaudit $1 ktalkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Receive ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_client_packets'($*)) dnl
gen_require(`
type ktalkd_client_packet_t;
')
allow $1 ktalkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl
gen_require(`
type ktalkd_client_packet_t;
')
dontaudit $1 ktalkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Send and receive ktalkd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_client_packets'($*)) dnl
corenet_send_ktalkd_client_packets($1)
corenet_receive_ktalkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ktalkd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl
corenet_dontaudit_send_ktalkd_client_packets($1)
corenet_dontaudit_receive_ktalkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ktalkd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_client_packets'($*)) dnl
gen_require(`
type ktalkd_client_packet_t;
')
allow $1 ktalkd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_client_packets'($*)) dnl
')
########################################
##
## Send ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
allow $1 ktalkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ktalkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
dontaudit $1 ktalkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Receive ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
allow $1 ktalkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
dontaudit $1 ktalkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive ktalkd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_server_packets'($*)) dnl
corenet_send_ktalkd_server_packets($1)
corenet_receive_ktalkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ktalkd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl
corenet_dontaudit_send_ktalkd_server_packets($1)
corenet_dontaudit_receive_ktalkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ktalkd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_server_packets'($*)) dnl
gen_require(`
type ktalkd_server_packet_t;
')
allow $1 ktalkd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ldap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
dontaudit $1 ldap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ldap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
dontaudit $1 ldap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ldap_port'($*)) dnl
corenet_udp_send_ldap_port($1)
corenet_udp_receive_ldap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl
corenet_dontaudit_udp_send_ldap_port($1)
corenet_dontaudit_udp_receive_ldap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ldap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ldap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ldap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
dontaudit $1 ldap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ldap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ldap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
allow $1 ldap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ldap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ldap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ldap_port'($*)) dnl
gen_require(`
type ldap_port_t;
')
dontaudit $1 ldap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ldap_port'($*)) dnl
')
########################################
##
## Send ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
allow $1 ldap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ldap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ldap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
dontaudit $1 ldap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_client_packets'($*)) dnl
')
########################################
##
## Receive ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
allow $1 ldap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
dontaudit $1 ldap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl
')
########################################
##
## Send and receive ldap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_client_packets'($*)) dnl
corenet_send_ldap_client_packets($1)
corenet_receive_ldap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ldap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl
corenet_dontaudit_send_ldap_client_packets($1)
corenet_dontaudit_receive_ldap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ldap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_client_packets'($*)) dnl
gen_require(`
type ldap_client_packet_t;
')
allow $1 ldap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_client_packets'($*)) dnl
')
########################################
##
## Send ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
allow $1 ldap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ldap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ldap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
dontaudit $1 ldap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_server_packets'($*)) dnl
')
########################################
##
## Receive ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
allow $1 ldap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
dontaudit $1 ldap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl
')
########################################
##
## Send and receive ldap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_server_packets'($*)) dnl
corenet_send_ldap_server_packets($1)
corenet_receive_ldap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ldap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl
corenet_dontaudit_send_ldap_server_packets($1)
corenet_dontaudit_receive_ldap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ldap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_server_packets'($*)) dnl
gen_require(`
type ldap_server_packet_t;
')
allow $1 ldap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the lirc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
allow $1 lirc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lirc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the lirc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
allow $1 lirc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lirc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the lirc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
dontaudit $1 lirc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lirc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lirc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
allow $1 lirc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lirc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the lirc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
dontaudit $1 lirc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lirc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lirc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lirc_port'($*)) dnl
corenet_udp_send_lirc_port($1)
corenet_udp_receive_lirc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lirc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the lirc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lirc_port'($*)) dnl
corenet_dontaudit_udp_send_lirc_port($1)
corenet_dontaudit_udp_receive_lirc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lirc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lirc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
allow $1 lirc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lirc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lirc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
allow $1 lirc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lirc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to lirc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
dontaudit $1 lirc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lirc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the lirc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
allow $1 lirc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lirc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to lirc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lirc_port'($*)) dnl
gen_require(`
type lirc_port_t;
')
dontaudit $1 lirc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lirc_port'($*)) dnl
')
########################################
##
## Send lirc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lirc_client_packets'($*)) dnl
gen_require(`
type lirc_client_packet_t;
')
allow $1 lirc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lirc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lirc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lirc_client_packets'($*)) dnl
gen_require(`
type lirc_client_packet_t;
')
dontaudit $1 lirc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lirc_client_packets'($*)) dnl
')
########################################
##
## Receive lirc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lirc_client_packets'($*)) dnl
gen_require(`
type lirc_client_packet_t;
')
allow $1 lirc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lirc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lirc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lirc_client_packets'($*)) dnl
gen_require(`
type lirc_client_packet_t;
')
dontaudit $1 lirc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lirc_client_packets'($*)) dnl
')
########################################
##
## Send and receive lirc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lirc_client_packets'($*)) dnl
corenet_send_lirc_client_packets($1)
corenet_receive_lirc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lirc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lirc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lirc_client_packets'($*)) dnl
corenet_dontaudit_send_lirc_client_packets($1)
corenet_dontaudit_receive_lirc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lirc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to lirc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lirc_client_packets'($*)) dnl
gen_require(`
type lirc_client_packet_t;
')
allow $1 lirc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lirc_client_packets'($*)) dnl
')
########################################
##
## Send lirc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lirc_server_packets'($*)) dnl
gen_require(`
type lirc_server_packet_t;
')
allow $1 lirc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lirc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lirc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lirc_server_packets'($*)) dnl
gen_require(`
type lirc_server_packet_t;
')
dontaudit $1 lirc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lirc_server_packets'($*)) dnl
')
########################################
##
## Receive lirc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lirc_server_packets'($*)) dnl
gen_require(`
type lirc_server_packet_t;
')
allow $1 lirc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lirc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lirc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lirc_server_packets'($*)) dnl
gen_require(`
type lirc_server_packet_t;
')
dontaudit $1 lirc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lirc_server_packets'($*)) dnl
')
########################################
##
## Send and receive lirc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lirc_server_packets'($*)) dnl
corenet_send_lirc_server_packets($1)
corenet_receive_lirc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lirc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lirc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lirc_server_packets'($*)) dnl
corenet_dontaudit_send_lirc_server_packets($1)
corenet_dontaudit_receive_lirc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lirc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to lirc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lirc_server_packets'($*)) dnl
gen_require(`
type lirc_server_packet_t;
')
allow $1 lirc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lirc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the luci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
allow $1 luci_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_luci_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the luci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
allow $1 luci_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_luci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the luci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
dontaudit $1 luci_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_luci_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the luci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
allow $1 luci_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_luci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the luci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
dontaudit $1 luci_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_luci_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the luci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_luci_port'($*)) dnl
corenet_udp_send_luci_port($1)
corenet_udp_receive_luci_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_luci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the luci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_luci_port'($*)) dnl
corenet_dontaudit_udp_send_luci_port($1)
corenet_dontaudit_udp_receive_luci_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_luci_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the luci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
allow $1 luci_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_luci_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the luci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
allow $1 luci_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_luci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to luci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
dontaudit $1 luci_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_luci_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the luci port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
allow $1 luci_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_luci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to luci port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_luci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_luci_port'($*)) dnl
gen_require(`
type luci_port_t;
')
dontaudit $1 luci_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_luci_port'($*)) dnl
')
########################################
##
## Send luci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_luci_client_packets'($*)) dnl
gen_require(`
type luci_client_packet_t;
')
allow $1 luci_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_luci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send luci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_luci_client_packets'($*)) dnl
gen_require(`
type luci_client_packet_t;
')
dontaudit $1 luci_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_luci_client_packets'($*)) dnl
')
########################################
##
## Receive luci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_luci_client_packets'($*)) dnl
gen_require(`
type luci_client_packet_t;
')
allow $1 luci_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_luci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive luci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_luci_client_packets'($*)) dnl
gen_require(`
type luci_client_packet_t;
')
dontaudit $1 luci_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_luci_client_packets'($*)) dnl
')
########################################
##
## Send and receive luci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_luci_client_packets'($*)) dnl
corenet_send_luci_client_packets($1)
corenet_receive_luci_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_luci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive luci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_luci_client_packets'($*)) dnl
corenet_dontaudit_send_luci_client_packets($1)
corenet_dontaudit_receive_luci_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_luci_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to luci_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_luci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_luci_client_packets'($*)) dnl
gen_require(`
type luci_client_packet_t;
')
allow $1 luci_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_luci_client_packets'($*)) dnl
')
########################################
##
## Send luci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_luci_server_packets'($*)) dnl
gen_require(`
type luci_server_packet_t;
')
allow $1 luci_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_luci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send luci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_luci_server_packets'($*)) dnl
gen_require(`
type luci_server_packet_t;
')
dontaudit $1 luci_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_luci_server_packets'($*)) dnl
')
########################################
##
## Receive luci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_luci_server_packets'($*)) dnl
gen_require(`
type luci_server_packet_t;
')
allow $1 luci_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_luci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive luci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_luci_server_packets'($*)) dnl
gen_require(`
type luci_server_packet_t;
')
dontaudit $1 luci_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_luci_server_packets'($*)) dnl
')
########################################
##
## Send and receive luci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_luci_server_packets'($*)) dnl
corenet_send_luci_server_packets($1)
corenet_receive_luci_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_luci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive luci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_luci_server_packets'($*)) dnl
corenet_dontaudit_send_luci_server_packets($1)
corenet_dontaudit_receive_luci_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_luci_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to luci_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_luci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_luci_server_packets'($*)) dnl
gen_require(`
type luci_server_packet_t;
')
allow $1 luci_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_luci_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lmtp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
dontaudit $1 lmtp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
dontaudit $1 lmtp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lmtp_port'($*)) dnl
corenet_udp_send_lmtp_port($1)
corenet_udp_receive_lmtp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl
corenet_dontaudit_udp_send_lmtp_port($1)
corenet_dontaudit_udp_receive_lmtp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lmtp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lmtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to lmtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
dontaudit $1 lmtp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lmtp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the lmtp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
allow $1 lmtp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lmtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to lmtp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lmtp_port'($*)) dnl
gen_require(`
type lmtp_port_t;
')
dontaudit $1 lmtp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lmtp_port'($*)) dnl
')
########################################
##
## Send lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
allow $1 lmtp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lmtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
dontaudit $1 lmtp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl
')
########################################
##
## Receive lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
allow $1 lmtp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
dontaudit $1 lmtp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl
')
########################################
##
## Send and receive lmtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_client_packets'($*)) dnl
corenet_send_lmtp_client_packets($1)
corenet_receive_lmtp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lmtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl
corenet_dontaudit_send_lmtp_client_packets($1)
corenet_dontaudit_receive_lmtp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to lmtp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lmtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_client_packets'($*)) dnl
gen_require(`
type lmtp_client_packet_t;
')
allow $1 lmtp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_client_packets'($*)) dnl
')
########################################
##
## Send lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
allow $1 lmtp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lmtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
dontaudit $1 lmtp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl
')
########################################
##
## Receive lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
allow $1 lmtp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
dontaudit $1 lmtp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive lmtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_server_packets'($*)) dnl
corenet_send_lmtp_server_packets($1)
corenet_receive_lmtp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lmtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl
corenet_dontaudit_send_lmtp_server_packets($1)
corenet_dontaudit_receive_lmtp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to lmtp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lmtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_server_packets'($*)) dnl
gen_require(`
type lmtp_server_packet_t;
')
allow $1 lmtp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the lrrd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
allow $1 lrrd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lrrd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the lrrd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
allow $1 lrrd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lrrd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the lrrd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
dontaudit $1 lrrd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lrrd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lrrd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
allow $1 lrrd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lrrd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the lrrd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
dontaudit $1 lrrd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lrrd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lrrd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lrrd_port'($*)) dnl
corenet_udp_send_lrrd_port($1)
corenet_udp_receive_lrrd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lrrd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the lrrd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lrrd_port'($*)) dnl
corenet_dontaudit_udp_send_lrrd_port($1)
corenet_dontaudit_udp_receive_lrrd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lrrd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lrrd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
allow $1 lrrd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lrrd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lrrd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
allow $1 lrrd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lrrd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to lrrd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
dontaudit $1 lrrd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lrrd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the lrrd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
allow $1 lrrd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lrrd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to lrrd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lrrd_port'($*)) dnl
gen_require(`
type lrrd_port_t;
')
dontaudit $1 lrrd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lrrd_port'($*)) dnl
')
########################################
##
## Send lrrd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lrrd_client_packets'($*)) dnl
gen_require(`
type lrrd_client_packet_t;
')
allow $1 lrrd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lrrd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lrrd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lrrd_client_packets'($*)) dnl
gen_require(`
type lrrd_client_packet_t;
')
dontaudit $1 lrrd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lrrd_client_packets'($*)) dnl
')
########################################
##
## Receive lrrd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lrrd_client_packets'($*)) dnl
gen_require(`
type lrrd_client_packet_t;
')
allow $1 lrrd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lrrd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lrrd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lrrd_client_packets'($*)) dnl
gen_require(`
type lrrd_client_packet_t;
')
dontaudit $1 lrrd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lrrd_client_packets'($*)) dnl
')
########################################
##
## Send and receive lrrd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lrrd_client_packets'($*)) dnl
corenet_send_lrrd_client_packets($1)
corenet_receive_lrrd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lrrd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lrrd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lrrd_client_packets'($*)) dnl
corenet_dontaudit_send_lrrd_client_packets($1)
corenet_dontaudit_receive_lrrd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lrrd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to lrrd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lrrd_client_packets'($*)) dnl
gen_require(`
type lrrd_client_packet_t;
')
allow $1 lrrd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lrrd_client_packets'($*)) dnl
')
########################################
##
## Send lrrd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lrrd_server_packets'($*)) dnl
gen_require(`
type lrrd_server_packet_t;
')
allow $1 lrrd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lrrd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lrrd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lrrd_server_packets'($*)) dnl
gen_require(`
type lrrd_server_packet_t;
')
dontaudit $1 lrrd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lrrd_server_packets'($*)) dnl
')
########################################
##
## Receive lrrd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lrrd_server_packets'($*)) dnl
gen_require(`
type lrrd_server_packet_t;
')
allow $1 lrrd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lrrd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lrrd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lrrd_server_packets'($*)) dnl
gen_require(`
type lrrd_server_packet_t;
')
dontaudit $1 lrrd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lrrd_server_packets'($*)) dnl
')
########################################
##
## Send and receive lrrd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lrrd_server_packets'($*)) dnl
corenet_send_lrrd_server_packets($1)
corenet_receive_lrrd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lrrd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lrrd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lrrd_server_packets'($*)) dnl
corenet_dontaudit_send_lrrd_server_packets($1)
corenet_dontaudit_receive_lrrd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lrrd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to lrrd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lrrd_server_packets'($*)) dnl
gen_require(`
type lrrd_server_packet_t;
')
allow $1 lrrd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lrrd_server_packets'($*)) dnl
')
# no defined portcon
########################################
##
## Send and receive TCP traffic on the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
allow $1 lsm_plugin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lsm_plugin_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
allow $1 lsm_plugin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lsm_plugin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the lsm_plugin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
dontaudit $1 lsm_plugin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lsm_plugin_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
allow $1 lsm_plugin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lsm_plugin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the lsm_plugin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
dontaudit $1 lsm_plugin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lsm_plugin_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lsm_plugin_port'($*)) dnl
corenet_udp_send_lsm_plugin_port($1)
corenet_udp_receive_lsm_plugin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lsm_plugin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the lsm_plugin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lsm_plugin_port'($*)) dnl
corenet_dontaudit_udp_send_lsm_plugin_port($1)
corenet_dontaudit_udp_receive_lsm_plugin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lsm_plugin_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
allow $1 lsm_plugin_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lsm_plugin_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
allow $1 lsm_plugin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lsm_plugin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to lsm_plugin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
dontaudit $1 lsm_plugin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lsm_plugin_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
allow $1 lsm_plugin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lsm_plugin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to lsm_plugin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lsm_plugin_port'($*)) dnl
gen_require(`
type lsm_plugin_port_t;
')
dontaudit $1 lsm_plugin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lsm_plugin_port'($*)) dnl
')
########################################
##
## Send lsm_plugin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lsm_plugin_client_packets'($*)) dnl
gen_require(`
type lsm_plugin_client_packet_t;
')
allow $1 lsm_plugin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lsm_plugin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lsm_plugin_client_packets'($*)) dnl
gen_require(`
type lsm_plugin_client_packet_t;
')
dontaudit $1 lsm_plugin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Receive lsm_plugin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lsm_plugin_client_packets'($*)) dnl
gen_require(`
type lsm_plugin_client_packet_t;
')
allow $1 lsm_plugin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lsm_plugin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lsm_plugin_client_packets'($*)) dnl
gen_require(`
type lsm_plugin_client_packet_t;
')
dontaudit $1 lsm_plugin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Send and receive lsm_plugin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lsm_plugin_client_packets'($*)) dnl
corenet_send_lsm_plugin_client_packets($1)
corenet_receive_lsm_plugin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lsm_plugin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lsm_plugin_client_packets'($*)) dnl
corenet_dontaudit_send_lsm_plugin_client_packets($1)
corenet_dontaudit_receive_lsm_plugin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to lsm_plugin_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lsm_plugin_client_packets'($*)) dnl
gen_require(`
type lsm_plugin_client_packet_t;
')
allow $1 lsm_plugin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lsm_plugin_client_packets'($*)) dnl
')
########################################
##
## Send lsm_plugin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lsm_plugin_server_packets'($*)) dnl
gen_require(`
type lsm_plugin_server_packet_t;
')
allow $1 lsm_plugin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send lsm_plugin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lsm_plugin_server_packets'($*)) dnl
gen_require(`
type lsm_plugin_server_packet_t;
')
dontaudit $1 lsm_plugin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Receive lsm_plugin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lsm_plugin_server_packets'($*)) dnl
gen_require(`
type lsm_plugin_server_packet_t;
')
allow $1 lsm_plugin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive lsm_plugin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lsm_plugin_server_packets'($*)) dnl
gen_require(`
type lsm_plugin_server_packet_t;
')
dontaudit $1 lsm_plugin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Send and receive lsm_plugin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lsm_plugin_server_packets'($*)) dnl
corenet_send_lsm_plugin_server_packets($1)
corenet_receive_lsm_plugin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive lsm_plugin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lsm_plugin_server_packets'($*)) dnl
corenet_dontaudit_send_lsm_plugin_server_packets($1)
corenet_dontaudit_receive_lsm_plugin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to lsm_plugin_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lsm_plugin_server_packets'($*)) dnl
gen_require(`
type lsm_plugin_server_packet_t;
')
allow $1 lsm_plugin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lsm_plugin_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the l2tp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
allow $1 l2tp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_l2tp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the l2tp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
allow $1 l2tp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_l2tp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the l2tp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
dontaudit $1 l2tp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_l2tp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the l2tp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
allow $1 l2tp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_l2tp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the l2tp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
dontaudit $1 l2tp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_l2tp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the l2tp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_l2tp_port'($*)) dnl
corenet_udp_send_l2tp_port($1)
corenet_udp_receive_l2tp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_l2tp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the l2tp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_l2tp_port'($*)) dnl
corenet_dontaudit_udp_send_l2tp_port($1)
corenet_dontaudit_udp_receive_l2tp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_l2tp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the l2tp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
allow $1 l2tp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_l2tp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the l2tp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
allow $1 l2tp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_l2tp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to l2tp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
dontaudit $1 l2tp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_l2tp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the l2tp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
allow $1 l2tp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_l2tp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to l2tp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_l2tp_port'($*)) dnl
gen_require(`
type l2tp_port_t;
')
dontaudit $1 l2tp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_l2tp_port'($*)) dnl
')
########################################
##
## Send l2tp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_l2tp_client_packets'($*)) dnl
gen_require(`
type l2tp_client_packet_t;
')
allow $1 l2tp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_l2tp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send l2tp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_l2tp_client_packets'($*)) dnl
gen_require(`
type l2tp_client_packet_t;
')
dontaudit $1 l2tp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_l2tp_client_packets'($*)) dnl
')
########################################
##
## Receive l2tp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_l2tp_client_packets'($*)) dnl
gen_require(`
type l2tp_client_packet_t;
')
allow $1 l2tp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_l2tp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive l2tp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_l2tp_client_packets'($*)) dnl
gen_require(`
type l2tp_client_packet_t;
')
dontaudit $1 l2tp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_l2tp_client_packets'($*)) dnl
')
########################################
##
## Send and receive l2tp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_l2tp_client_packets'($*)) dnl
corenet_send_l2tp_client_packets($1)
corenet_receive_l2tp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_l2tp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive l2tp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_l2tp_client_packets'($*)) dnl
corenet_dontaudit_send_l2tp_client_packets($1)
corenet_dontaudit_receive_l2tp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_l2tp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to l2tp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_l2tp_client_packets'($*)) dnl
gen_require(`
type l2tp_client_packet_t;
')
allow $1 l2tp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_l2tp_client_packets'($*)) dnl
')
########################################
##
## Send l2tp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_l2tp_server_packets'($*)) dnl
gen_require(`
type l2tp_server_packet_t;
')
allow $1 l2tp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_l2tp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send l2tp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_l2tp_server_packets'($*)) dnl
gen_require(`
type l2tp_server_packet_t;
')
dontaudit $1 l2tp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_l2tp_server_packets'($*)) dnl
')
########################################
##
## Receive l2tp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_l2tp_server_packets'($*)) dnl
gen_require(`
type l2tp_server_packet_t;
')
allow $1 l2tp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_l2tp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive l2tp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_l2tp_server_packets'($*)) dnl
gen_require(`
type l2tp_server_packet_t;
')
dontaudit $1 l2tp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_l2tp_server_packets'($*)) dnl
')
########################################
##
## Send and receive l2tp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_l2tp_server_packets'($*)) dnl
corenet_send_l2tp_server_packets($1)
corenet_receive_l2tp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_l2tp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive l2tp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_l2tp_server_packets'($*)) dnl
corenet_dontaudit_send_l2tp_server_packets($1)
corenet_dontaudit_receive_l2tp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_l2tp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to l2tp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_l2tp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_l2tp_server_packets'($*)) dnl
gen_require(`
type l2tp_server_packet_t;
')
allow $1 l2tp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_l2tp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mail_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
dontaudit $1 mail_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mail_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
dontaudit $1 mail_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mail_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mail_port'($*)) dnl
corenet_udp_send_mail_port($1)
corenet_udp_receive_mail_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl
corenet_dontaudit_udp_send_mail_port($1)
corenet_dontaudit_udp_receive_mail_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mail_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mail port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mail port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
dontaudit $1 mail_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mail_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mail port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
allow $1 mail_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mail_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mail port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mail_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mail_port'($*)) dnl
gen_require(`
type mail_port_t;
')
dontaudit $1 mail_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mail_port'($*)) dnl
')
########################################
##
## Send mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
allow $1 mail_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mail_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mail_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
dontaudit $1 mail_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_client_packets'($*)) dnl
')
########################################
##
## Receive mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
allow $1 mail_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mail_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
dontaudit $1 mail_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_client_packets'($*)) dnl
')
########################################
##
## Send and receive mail_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_client_packets'($*)) dnl
corenet_send_mail_client_packets($1)
corenet_receive_mail_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mail_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl
corenet_dontaudit_send_mail_client_packets($1)
corenet_dontaudit_receive_mail_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mail_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mail_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_client_packets'($*)) dnl
gen_require(`
type mail_client_packet_t;
')
allow $1 mail_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_client_packets'($*)) dnl
')
########################################
##
## Send mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
allow $1 mail_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mail_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mail_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
dontaudit $1 mail_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_server_packets'($*)) dnl
')
########################################
##
## Receive mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
allow $1 mail_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mail_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
dontaudit $1 mail_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_server_packets'($*)) dnl
')
########################################
##
## Send and receive mail_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_server_packets'($*)) dnl
corenet_send_mail_server_packets($1)
corenet_receive_mail_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mail_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl
corenet_dontaudit_send_mail_server_packets($1)
corenet_dontaudit_receive_mail_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mail_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mail_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_server_packets'($*)) dnl
gen_require(`
type mail_server_packet_t;
')
allow $1 mail_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mailbox port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
allow $1 mailbox_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mailbox_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mailbox port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
allow $1 mailbox_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mailbox_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mailbox port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
dontaudit $1 mailbox_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mailbox_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mailbox port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
allow $1 mailbox_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mailbox_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mailbox port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
dontaudit $1 mailbox_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mailbox_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mailbox port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mailbox_port'($*)) dnl
corenet_udp_send_mailbox_port($1)
corenet_udp_receive_mailbox_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mailbox_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mailbox port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mailbox_port'($*)) dnl
corenet_dontaudit_udp_send_mailbox_port($1)
corenet_dontaudit_udp_receive_mailbox_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mailbox_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mailbox port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
allow $1 mailbox_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mailbox_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mailbox port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
allow $1 mailbox_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mailbox_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mailbox port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
dontaudit $1 mailbox_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mailbox_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mailbox port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
allow $1 mailbox_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mailbox_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mailbox port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mailbox_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mailbox_port'($*)) dnl
gen_require(`
type mailbox_port_t;
')
dontaudit $1 mailbox_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mailbox_port'($*)) dnl
')
########################################
##
## Send mailbox_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mailbox_client_packets'($*)) dnl
gen_require(`
type mailbox_client_packet_t;
')
allow $1 mailbox_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mailbox_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mailbox_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mailbox_client_packets'($*)) dnl
gen_require(`
type mailbox_client_packet_t;
')
dontaudit $1 mailbox_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mailbox_client_packets'($*)) dnl
')
########################################
##
## Receive mailbox_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mailbox_client_packets'($*)) dnl
gen_require(`
type mailbox_client_packet_t;
')
allow $1 mailbox_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mailbox_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mailbox_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mailbox_client_packets'($*)) dnl
gen_require(`
type mailbox_client_packet_t;
')
dontaudit $1 mailbox_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mailbox_client_packets'($*)) dnl
')
########################################
##
## Send and receive mailbox_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mailbox_client_packets'($*)) dnl
corenet_send_mailbox_client_packets($1)
corenet_receive_mailbox_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mailbox_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mailbox_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mailbox_client_packets'($*)) dnl
corenet_dontaudit_send_mailbox_client_packets($1)
corenet_dontaudit_receive_mailbox_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mailbox_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mailbox_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mailbox_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mailbox_client_packets'($*)) dnl
gen_require(`
type mailbox_client_packet_t;
')
allow $1 mailbox_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mailbox_client_packets'($*)) dnl
')
########################################
##
## Send mailbox_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mailbox_server_packets'($*)) dnl
gen_require(`
type mailbox_server_packet_t;
')
allow $1 mailbox_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mailbox_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mailbox_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mailbox_server_packets'($*)) dnl
gen_require(`
type mailbox_server_packet_t;
')
dontaudit $1 mailbox_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mailbox_server_packets'($*)) dnl
')
########################################
##
## Receive mailbox_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mailbox_server_packets'($*)) dnl
gen_require(`
type mailbox_server_packet_t;
')
allow $1 mailbox_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mailbox_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mailbox_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mailbox_server_packets'($*)) dnl
gen_require(`
type mailbox_server_packet_t;
')
dontaudit $1 mailbox_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mailbox_server_packets'($*)) dnl
')
########################################
##
## Send and receive mailbox_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mailbox_server_packets'($*)) dnl
corenet_send_mailbox_server_packets($1)
corenet_receive_mailbox_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mailbox_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mailbox_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mailbox_server_packets'($*)) dnl
corenet_dontaudit_send_mailbox_server_packets($1)
corenet_dontaudit_receive_mailbox_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mailbox_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mailbox_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mailbox_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mailbox_server_packets'($*)) dnl
gen_require(`
type mailbox_server_packet_t;
')
allow $1 mailbox_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mailbox_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the matahari port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
allow $1 matahari_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_matahari_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the matahari port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
allow $1 matahari_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_matahari_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the matahari port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
dontaudit $1 matahari_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_matahari_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the matahari port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
allow $1 matahari_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_matahari_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the matahari port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
dontaudit $1 matahari_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_matahari_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the matahari port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_matahari_port'($*)) dnl
corenet_udp_send_matahari_port($1)
corenet_udp_receive_matahari_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_matahari_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the matahari port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_matahari_port'($*)) dnl
corenet_dontaudit_udp_send_matahari_port($1)
corenet_dontaudit_udp_receive_matahari_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_matahari_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the matahari port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
allow $1 matahari_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_matahari_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the matahari port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
allow $1 matahari_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_matahari_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to matahari port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
dontaudit $1 matahari_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_matahari_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the matahari port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
allow $1 matahari_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_matahari_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to matahari port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_matahari_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_matahari_port'($*)) dnl
gen_require(`
type matahari_port_t;
')
dontaudit $1 matahari_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_matahari_port'($*)) dnl
')
########################################
##
## Send matahari_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_matahari_client_packets'($*)) dnl
gen_require(`
type matahari_client_packet_t;
')
allow $1 matahari_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_matahari_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send matahari_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_matahari_client_packets'($*)) dnl
gen_require(`
type matahari_client_packet_t;
')
dontaudit $1 matahari_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_matahari_client_packets'($*)) dnl
')
########################################
##
## Receive matahari_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_matahari_client_packets'($*)) dnl
gen_require(`
type matahari_client_packet_t;
')
allow $1 matahari_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_matahari_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive matahari_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_matahari_client_packets'($*)) dnl
gen_require(`
type matahari_client_packet_t;
')
dontaudit $1 matahari_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_matahari_client_packets'($*)) dnl
')
########################################
##
## Send and receive matahari_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_matahari_client_packets'($*)) dnl
corenet_send_matahari_client_packets($1)
corenet_receive_matahari_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_matahari_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive matahari_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_matahari_client_packets'($*)) dnl
corenet_dontaudit_send_matahari_client_packets($1)
corenet_dontaudit_receive_matahari_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_matahari_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to matahari_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_matahari_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_matahari_client_packets'($*)) dnl
gen_require(`
type matahari_client_packet_t;
')
allow $1 matahari_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_matahari_client_packets'($*)) dnl
')
########################################
##
## Send matahari_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_matahari_server_packets'($*)) dnl
gen_require(`
type matahari_server_packet_t;
')
allow $1 matahari_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_matahari_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send matahari_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_matahari_server_packets'($*)) dnl
gen_require(`
type matahari_server_packet_t;
')
dontaudit $1 matahari_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_matahari_server_packets'($*)) dnl
')
########################################
##
## Receive matahari_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_matahari_server_packets'($*)) dnl
gen_require(`
type matahari_server_packet_t;
')
allow $1 matahari_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_matahari_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive matahari_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_matahari_server_packets'($*)) dnl
gen_require(`
type matahari_server_packet_t;
')
dontaudit $1 matahari_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_matahari_server_packets'($*)) dnl
')
########################################
##
## Send and receive matahari_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_matahari_server_packets'($*)) dnl
corenet_send_matahari_server_packets($1)
corenet_receive_matahari_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_matahari_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive matahari_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_matahari_server_packets'($*)) dnl
corenet_dontaudit_send_matahari_server_packets($1)
corenet_dontaudit_receive_matahari_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_matahari_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to matahari_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_matahari_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_matahari_server_packets'($*)) dnl
gen_require(`
type matahari_server_packet_t;
')
allow $1 matahari_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_matahari_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the memcache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
allow $1 memcache_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_memcache_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the memcache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
allow $1 memcache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_memcache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the memcache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
dontaudit $1 memcache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_memcache_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the memcache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
allow $1 memcache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_memcache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the memcache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
dontaudit $1 memcache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_memcache_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the memcache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_memcache_port'($*)) dnl
corenet_udp_send_memcache_port($1)
corenet_udp_receive_memcache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_memcache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the memcache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_memcache_port'($*)) dnl
corenet_dontaudit_udp_send_memcache_port($1)
corenet_dontaudit_udp_receive_memcache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_memcache_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the memcache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
allow $1 memcache_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_memcache_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the memcache port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
allow $1 memcache_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_memcache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to memcache port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
dontaudit $1 memcache_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_memcache_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the memcache port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
allow $1 memcache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_memcache_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to memcache port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_memcache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_memcache_port'($*)) dnl
gen_require(`
type memcache_port_t;
')
dontaudit $1 memcache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_memcache_port'($*)) dnl
')
########################################
##
## Send memcache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_memcache_client_packets'($*)) dnl
gen_require(`
type memcache_client_packet_t;
')
allow $1 memcache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_memcache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send memcache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_memcache_client_packets'($*)) dnl
gen_require(`
type memcache_client_packet_t;
')
dontaudit $1 memcache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_memcache_client_packets'($*)) dnl
')
########################################
##
## Receive memcache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_memcache_client_packets'($*)) dnl
gen_require(`
type memcache_client_packet_t;
')
allow $1 memcache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_memcache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive memcache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_memcache_client_packets'($*)) dnl
gen_require(`
type memcache_client_packet_t;
')
dontaudit $1 memcache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_memcache_client_packets'($*)) dnl
')
########################################
##
## Send and receive memcache_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_memcache_client_packets'($*)) dnl
corenet_send_memcache_client_packets($1)
corenet_receive_memcache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_memcache_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive memcache_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_memcache_client_packets'($*)) dnl
corenet_dontaudit_send_memcache_client_packets($1)
corenet_dontaudit_receive_memcache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_memcache_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to memcache_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_memcache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_memcache_client_packets'($*)) dnl
gen_require(`
type memcache_client_packet_t;
')
allow $1 memcache_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_memcache_client_packets'($*)) dnl
')
########################################
##
## Send memcache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_memcache_server_packets'($*)) dnl
gen_require(`
type memcache_server_packet_t;
')
allow $1 memcache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_memcache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send memcache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_memcache_server_packets'($*)) dnl
gen_require(`
type memcache_server_packet_t;
')
dontaudit $1 memcache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_memcache_server_packets'($*)) dnl
')
########################################
##
## Receive memcache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_memcache_server_packets'($*)) dnl
gen_require(`
type memcache_server_packet_t;
')
allow $1 memcache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_memcache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive memcache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_memcache_server_packets'($*)) dnl
gen_require(`
type memcache_server_packet_t;
')
dontaudit $1 memcache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_memcache_server_packets'($*)) dnl
')
########################################
##
## Send and receive memcache_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_memcache_server_packets'($*)) dnl
corenet_send_memcache_server_packets($1)
corenet_receive_memcache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_memcache_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive memcache_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_memcache_server_packets'($*)) dnl
corenet_dontaudit_send_memcache_server_packets($1)
corenet_dontaudit_receive_memcache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_memcache_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to memcache_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_memcache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_memcache_server_packets'($*)) dnl
gen_require(`
type memcache_server_packet_t;
')
allow $1 memcache_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_memcache_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the milter port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
allow $1 milter_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_milter_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the milter port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
allow $1 milter_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_milter_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the milter port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
dontaudit $1 milter_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_milter_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the milter port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
allow $1 milter_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_milter_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the milter port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
dontaudit $1 milter_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_milter_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the milter port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_milter_port'($*)) dnl
corenet_udp_send_milter_port($1)
corenet_udp_receive_milter_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_milter_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the milter port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_milter_port'($*)) dnl
corenet_dontaudit_udp_send_milter_port($1)
corenet_dontaudit_udp_receive_milter_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_milter_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the milter port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
allow $1 milter_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_milter_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the milter port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
allow $1 milter_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_milter_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to milter port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
dontaudit $1 milter_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_milter_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the milter port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
allow $1 milter_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_milter_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to milter port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_milter_port'($*)) dnl
gen_require(`
type milter_port_t;
')
dontaudit $1 milter_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_milter_port'($*)) dnl
')
########################################
##
## Send milter_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_milter_client_packets'($*)) dnl
gen_require(`
type milter_client_packet_t;
')
allow $1 milter_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_milter_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send milter_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_milter_client_packets'($*)) dnl
gen_require(`
type milter_client_packet_t;
')
dontaudit $1 milter_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_milter_client_packets'($*)) dnl
')
########################################
##
## Receive milter_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_milter_client_packets'($*)) dnl
gen_require(`
type milter_client_packet_t;
')
allow $1 milter_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_milter_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive milter_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_milter_client_packets'($*)) dnl
gen_require(`
type milter_client_packet_t;
')
dontaudit $1 milter_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_milter_client_packets'($*)) dnl
')
########################################
##
## Send and receive milter_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_milter_client_packets'($*)) dnl
corenet_send_milter_client_packets($1)
corenet_receive_milter_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_milter_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive milter_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_milter_client_packets'($*)) dnl
corenet_dontaudit_send_milter_client_packets($1)
corenet_dontaudit_receive_milter_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_milter_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to milter_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_milter_client_packets'($*)) dnl
gen_require(`
type milter_client_packet_t;
')
allow $1 milter_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_milter_client_packets'($*)) dnl
')
########################################
##
## Send milter_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_milter_server_packets'($*)) dnl
gen_require(`
type milter_server_packet_t;
')
allow $1 milter_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_milter_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send milter_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_milter_server_packets'($*)) dnl
gen_require(`
type milter_server_packet_t;
')
dontaudit $1 milter_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_milter_server_packets'($*)) dnl
')
########################################
##
## Receive milter_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_milter_server_packets'($*)) dnl
gen_require(`
type milter_server_packet_t;
')
allow $1 milter_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_milter_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive milter_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_milter_server_packets'($*)) dnl
gen_require(`
type milter_server_packet_t;
')
dontaudit $1 milter_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_milter_server_packets'($*)) dnl
')
########################################
##
## Send and receive milter_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_milter_server_packets'($*)) dnl
corenet_send_milter_server_packets($1)
corenet_receive_milter_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_milter_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive milter_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_milter_server_packets'($*)) dnl
corenet_dontaudit_send_milter_server_packets($1)
corenet_dontaudit_receive_milter_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_milter_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to milter_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_milter_server_packets'($*)) dnl
gen_require(`
type milter_server_packet_t;
')
allow $1 milter_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_milter_server_packets'($*)) dnl
')
# no defined portcon
########################################
##
## Send and receive TCP traffic on the mmcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
allow $1 mmcc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mmcc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mmcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
allow $1 mmcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mmcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mmcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
dontaudit $1 mmcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mmcc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mmcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
allow $1 mmcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mmcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mmcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
dontaudit $1 mmcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mmcc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mmcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mmcc_port'($*)) dnl
corenet_udp_send_mmcc_port($1)
corenet_udp_receive_mmcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mmcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mmcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mmcc_port'($*)) dnl
corenet_dontaudit_udp_send_mmcc_port($1)
corenet_dontaudit_udp_receive_mmcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mmcc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mmcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
allow $1 mmcc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mmcc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mmcc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
allow $1 mmcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mmcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mmcc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
dontaudit $1 mmcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mmcc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mmcc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
allow $1 mmcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mmcc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mmcc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mmcc_port'($*)) dnl
gen_require(`
type mmcc_port_t;
')
dontaudit $1 mmcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mmcc_port'($*)) dnl
')
########################################
##
## Send mmcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mmcc_client_packets'($*)) dnl
gen_require(`
type mmcc_client_packet_t;
')
allow $1 mmcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mmcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mmcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mmcc_client_packets'($*)) dnl
gen_require(`
type mmcc_client_packet_t;
')
dontaudit $1 mmcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mmcc_client_packets'($*)) dnl
')
########################################
##
## Receive mmcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mmcc_client_packets'($*)) dnl
gen_require(`
type mmcc_client_packet_t;
')
allow $1 mmcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mmcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mmcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mmcc_client_packets'($*)) dnl
gen_require(`
type mmcc_client_packet_t;
')
dontaudit $1 mmcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mmcc_client_packets'($*)) dnl
')
########################################
##
## Send and receive mmcc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mmcc_client_packets'($*)) dnl
corenet_send_mmcc_client_packets($1)
corenet_receive_mmcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mmcc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mmcc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mmcc_client_packets'($*)) dnl
corenet_dontaudit_send_mmcc_client_packets($1)
corenet_dontaudit_receive_mmcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mmcc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mmcc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mmcc_client_packets'($*)) dnl
gen_require(`
type mmcc_client_packet_t;
')
allow $1 mmcc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mmcc_client_packets'($*)) dnl
')
########################################
##
## Send mmcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mmcc_server_packets'($*)) dnl
gen_require(`
type mmcc_server_packet_t;
')
allow $1 mmcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mmcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mmcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mmcc_server_packets'($*)) dnl
gen_require(`
type mmcc_server_packet_t;
')
dontaudit $1 mmcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mmcc_server_packets'($*)) dnl
')
########################################
##
## Receive mmcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mmcc_server_packets'($*)) dnl
gen_require(`
type mmcc_server_packet_t;
')
allow $1 mmcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mmcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mmcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mmcc_server_packets'($*)) dnl
gen_require(`
type mmcc_server_packet_t;
')
dontaudit $1 mmcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mmcc_server_packets'($*)) dnl
')
########################################
##
## Send and receive mmcc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mmcc_server_packets'($*)) dnl
corenet_send_mmcc_server_packets($1)
corenet_receive_mmcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mmcc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mmcc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mmcc_server_packets'($*)) dnl
corenet_dontaudit_send_mmcc_server_packets($1)
corenet_dontaudit_receive_mmcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mmcc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mmcc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mmcc_server_packets'($*)) dnl
gen_require(`
type mmcc_server_packet_t;
')
allow $1 mmcc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mmcc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mongod port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
allow $1 mongod_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mongod_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mongod port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
allow $1 mongod_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mongod_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mongod port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
dontaudit $1 mongod_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mongod_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mongod port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
allow $1 mongod_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mongod_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mongod port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
dontaudit $1 mongod_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mongod_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mongod port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mongod_port'($*)) dnl
corenet_udp_send_mongod_port($1)
corenet_udp_receive_mongod_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mongod_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mongod port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mongod_port'($*)) dnl
corenet_dontaudit_udp_send_mongod_port($1)
corenet_dontaudit_udp_receive_mongod_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mongod_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mongod port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
allow $1 mongod_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mongod_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mongod port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
allow $1 mongod_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mongod_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mongod port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
dontaudit $1 mongod_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mongod_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mongod port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
allow $1 mongod_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mongod_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mongod port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mongod_port'($*)) dnl
gen_require(`
type mongod_port_t;
')
dontaudit $1 mongod_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mongod_port'($*)) dnl
')
########################################
##
## Send mongod_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mongod_client_packets'($*)) dnl
gen_require(`
type mongod_client_packet_t;
')
allow $1 mongod_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mongod_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mongod_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mongod_client_packets'($*)) dnl
gen_require(`
type mongod_client_packet_t;
')
dontaudit $1 mongod_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mongod_client_packets'($*)) dnl
')
########################################
##
## Receive mongod_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mongod_client_packets'($*)) dnl
gen_require(`
type mongod_client_packet_t;
')
allow $1 mongod_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mongod_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mongod_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mongod_client_packets'($*)) dnl
gen_require(`
type mongod_client_packet_t;
')
dontaudit $1 mongod_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mongod_client_packets'($*)) dnl
')
########################################
##
## Send and receive mongod_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mongod_client_packets'($*)) dnl
corenet_send_mongod_client_packets($1)
corenet_receive_mongod_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mongod_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mongod_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mongod_client_packets'($*)) dnl
corenet_dontaudit_send_mongod_client_packets($1)
corenet_dontaudit_receive_mongod_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mongod_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mongod_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mongod_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mongod_client_packets'($*)) dnl
gen_require(`
type mongod_client_packet_t;
')
allow $1 mongod_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mongod_client_packets'($*)) dnl
')
########################################
##
## Send mongod_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mongod_server_packets'($*)) dnl
gen_require(`
type mongod_server_packet_t;
')
allow $1 mongod_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mongod_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mongod_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mongod_server_packets'($*)) dnl
gen_require(`
type mongod_server_packet_t;
')
dontaudit $1 mongod_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mongod_server_packets'($*)) dnl
')
########################################
##
## Receive mongod_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mongod_server_packets'($*)) dnl
gen_require(`
type mongod_server_packet_t;
')
allow $1 mongod_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mongod_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mongod_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mongod_server_packets'($*)) dnl
gen_require(`
type mongod_server_packet_t;
')
dontaudit $1 mongod_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mongod_server_packets'($*)) dnl
')
########################################
##
## Send and receive mongod_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mongod_server_packets'($*)) dnl
corenet_send_mongod_server_packets($1)
corenet_receive_mongod_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mongod_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mongod_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mongod_server_packets'($*)) dnl
corenet_dontaudit_send_mongod_server_packets($1)
corenet_dontaudit_receive_mongod_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mongod_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mongod_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mongod_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mongod_server_packets'($*)) dnl
gen_require(`
type mongod_server_packet_t;
')
allow $1 mongod_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mongod_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
dontaudit $1 monopd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_monopd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
dontaudit $1 monopd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_monopd_port'($*)) dnl
corenet_udp_send_monopd_port($1)
corenet_udp_receive_monopd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl
corenet_dontaudit_udp_send_monopd_port($1)
corenet_dontaudit_udp_receive_monopd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_monopd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the monopd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to monopd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
dontaudit $1 monopd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_monopd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the monopd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
allow $1 monopd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_monopd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to monopd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_monopd_port'($*)) dnl
gen_require(`
type monopd_port_t;
')
dontaudit $1 monopd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_monopd_port'($*)) dnl
')
########################################
##
## Send monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
allow $1 monopd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_monopd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send monopd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
dontaudit $1 monopd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_client_packets'($*)) dnl
')
########################################
##
## Receive monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
allow $1 monopd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
dontaudit $1 monopd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl
')
########################################
##
## Send and receive monopd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_client_packets'($*)) dnl
corenet_send_monopd_client_packets($1)
corenet_receive_monopd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive monopd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl
corenet_dontaudit_send_monopd_client_packets($1)
corenet_dontaudit_receive_monopd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to monopd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_monopd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_client_packets'($*)) dnl
gen_require(`
type monopd_client_packet_t;
')
allow $1 monopd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_client_packets'($*)) dnl
')
########################################
##
## Send monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
allow $1 monopd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_monopd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send monopd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
dontaudit $1 monopd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_server_packets'($*)) dnl
')
########################################
##
## Receive monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
allow $1 monopd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
dontaudit $1 monopd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl
')
########################################
##
## Send and receive monopd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_server_packets'($*)) dnl
corenet_send_monopd_server_packets($1)
corenet_receive_monopd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive monopd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl
corenet_dontaudit_send_monopd_server_packets($1)
corenet_dontaudit_receive_monopd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to monopd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_monopd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_server_packets'($*)) dnl
gen_require(`
type monopd_server_packet_t;
')
allow $1 monopd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mountd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
allow $1 mountd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mountd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mountd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
allow $1 mountd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mountd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mountd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
dontaudit $1 mountd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mountd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mountd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
allow $1 mountd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mountd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mountd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
dontaudit $1 mountd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mountd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mountd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mountd_port'($*)) dnl
corenet_udp_send_mountd_port($1)
corenet_udp_receive_mountd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mountd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mountd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mountd_port'($*)) dnl
corenet_dontaudit_udp_send_mountd_port($1)
corenet_dontaudit_udp_receive_mountd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mountd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mountd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
allow $1 mountd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mountd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mountd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
allow $1 mountd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mountd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mountd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
dontaudit $1 mountd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mountd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mountd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
allow $1 mountd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mountd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mountd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mountd_port'($*)) dnl
gen_require(`
type mountd_port_t;
')
dontaudit $1 mountd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mountd_port'($*)) dnl
')
########################################
##
## Send mountd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mountd_client_packets'($*)) dnl
gen_require(`
type mountd_client_packet_t;
')
allow $1 mountd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mountd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mountd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mountd_client_packets'($*)) dnl
gen_require(`
type mountd_client_packet_t;
')
dontaudit $1 mountd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mountd_client_packets'($*)) dnl
')
########################################
##
## Receive mountd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mountd_client_packets'($*)) dnl
gen_require(`
type mountd_client_packet_t;
')
allow $1 mountd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mountd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mountd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mountd_client_packets'($*)) dnl
gen_require(`
type mountd_client_packet_t;
')
dontaudit $1 mountd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mountd_client_packets'($*)) dnl
')
########################################
##
## Send and receive mountd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mountd_client_packets'($*)) dnl
corenet_send_mountd_client_packets($1)
corenet_receive_mountd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mountd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mountd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mountd_client_packets'($*)) dnl
corenet_dontaudit_send_mountd_client_packets($1)
corenet_dontaudit_receive_mountd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mountd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mountd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mountd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mountd_client_packets'($*)) dnl
gen_require(`
type mountd_client_packet_t;
')
allow $1 mountd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mountd_client_packets'($*)) dnl
')
########################################
##
## Send mountd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mountd_server_packets'($*)) dnl
gen_require(`
type mountd_server_packet_t;
')
allow $1 mountd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mountd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mountd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mountd_server_packets'($*)) dnl
gen_require(`
type mountd_server_packet_t;
')
dontaudit $1 mountd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mountd_server_packets'($*)) dnl
')
########################################
##
## Receive mountd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mountd_server_packets'($*)) dnl
gen_require(`
type mountd_server_packet_t;
')
allow $1 mountd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mountd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mountd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mountd_server_packets'($*)) dnl
gen_require(`
type mountd_server_packet_t;
')
dontaudit $1 mountd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mountd_server_packets'($*)) dnl
')
########################################
##
## Send and receive mountd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mountd_server_packets'($*)) dnl
corenet_send_mountd_server_packets($1)
corenet_receive_mountd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mountd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mountd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mountd_server_packets'($*)) dnl
corenet_dontaudit_send_mountd_server_packets($1)
corenet_dontaudit_receive_mountd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mountd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mountd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mountd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mountd_server_packets'($*)) dnl
gen_require(`
type mountd_server_packet_t;
')
allow $1 mountd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mountd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
allow $1 movaz_ssc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_movaz_ssc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
allow $1 movaz_ssc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_movaz_ssc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the movaz_ssc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
dontaudit $1 movaz_ssc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_movaz_ssc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
allow $1 movaz_ssc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_movaz_ssc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the movaz_ssc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
dontaudit $1 movaz_ssc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_movaz_ssc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_movaz_ssc_port'($*)) dnl
corenet_udp_send_movaz_ssc_port($1)
corenet_udp_receive_movaz_ssc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_movaz_ssc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the movaz_ssc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_movaz_ssc_port'($*)) dnl
corenet_dontaudit_udp_send_movaz_ssc_port($1)
corenet_dontaudit_udp_receive_movaz_ssc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_movaz_ssc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
allow $1 movaz_ssc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_movaz_ssc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
allow $1 movaz_ssc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_movaz_ssc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to movaz_ssc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
dontaudit $1 movaz_ssc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_movaz_ssc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
allow $1 movaz_ssc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_movaz_ssc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to movaz_ssc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_movaz_ssc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_movaz_ssc_port'($*)) dnl
gen_require(`
type movaz_ssc_port_t;
')
dontaudit $1 movaz_ssc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_movaz_ssc_port'($*)) dnl
')
########################################
##
## Send movaz_ssc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_movaz_ssc_client_packets'($*)) dnl
gen_require(`
type movaz_ssc_client_packet_t;
')
allow $1 movaz_ssc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send movaz_ssc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_movaz_ssc_client_packets'($*)) dnl
gen_require(`
type movaz_ssc_client_packet_t;
')
dontaudit $1 movaz_ssc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Receive movaz_ssc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_movaz_ssc_client_packets'($*)) dnl
gen_require(`
type movaz_ssc_client_packet_t;
')
allow $1 movaz_ssc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive movaz_ssc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_movaz_ssc_client_packets'($*)) dnl
gen_require(`
type movaz_ssc_client_packet_t;
')
dontaudit $1 movaz_ssc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Send and receive movaz_ssc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_movaz_ssc_client_packets'($*)) dnl
corenet_send_movaz_ssc_client_packets($1)
corenet_receive_movaz_ssc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive movaz_ssc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_movaz_ssc_client_packets'($*)) dnl
corenet_dontaudit_send_movaz_ssc_client_packets($1)
corenet_dontaudit_receive_movaz_ssc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to movaz_ssc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_movaz_ssc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_movaz_ssc_client_packets'($*)) dnl
gen_require(`
type movaz_ssc_client_packet_t;
')
allow $1 movaz_ssc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_movaz_ssc_client_packets'($*)) dnl
')
########################################
##
## Send movaz_ssc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_movaz_ssc_server_packets'($*)) dnl
gen_require(`
type movaz_ssc_server_packet_t;
')
allow $1 movaz_ssc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send movaz_ssc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_movaz_ssc_server_packets'($*)) dnl
gen_require(`
type movaz_ssc_server_packet_t;
')
dontaudit $1 movaz_ssc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Receive movaz_ssc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_movaz_ssc_server_packets'($*)) dnl
gen_require(`
type movaz_ssc_server_packet_t;
')
allow $1 movaz_ssc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive movaz_ssc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_movaz_ssc_server_packets'($*)) dnl
gen_require(`
type movaz_ssc_server_packet_t;
')
dontaudit $1 movaz_ssc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Send and receive movaz_ssc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_movaz_ssc_server_packets'($*)) dnl
corenet_send_movaz_ssc_server_packets($1)
corenet_receive_movaz_ssc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive movaz_ssc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_movaz_ssc_server_packets'($*)) dnl
corenet_dontaudit_send_movaz_ssc_server_packets($1)
corenet_dontaudit_receive_movaz_ssc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to movaz_ssc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_movaz_ssc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_movaz_ssc_server_packets'($*)) dnl
gen_require(`
type movaz_ssc_server_packet_t;
')
allow $1 movaz_ssc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_movaz_ssc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
allow $1 mpd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mpd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
allow $1 mpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
dontaudit $1 mpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mpd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
allow $1 mpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
dontaudit $1 mpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mpd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mpd_port'($*)) dnl
corenet_udp_send_mpd_port($1)
corenet_udp_receive_mpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mpd_port'($*)) dnl
corenet_dontaudit_udp_send_mpd_port($1)
corenet_dontaudit_udp_receive_mpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mpd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
allow $1 mpd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mpd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
allow $1 mpd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
dontaudit $1 mpd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mpd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
allow $1 mpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mpd_port'($*)) dnl
gen_require(`
type mpd_port_t;
')
dontaudit $1 mpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mpd_port'($*)) dnl
')
########################################
##
## Send mpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mpd_client_packets'($*)) dnl
gen_require(`
type mpd_client_packet_t;
')
allow $1 mpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mpd_client_packets'($*)) dnl
gen_require(`
type mpd_client_packet_t;
')
dontaudit $1 mpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mpd_client_packets'($*)) dnl
')
########################################
##
## Receive mpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mpd_client_packets'($*)) dnl
gen_require(`
type mpd_client_packet_t;
')
allow $1 mpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mpd_client_packets'($*)) dnl
gen_require(`
type mpd_client_packet_t;
')
dontaudit $1 mpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mpd_client_packets'($*)) dnl
')
########################################
##
## Send and receive mpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mpd_client_packets'($*)) dnl
corenet_send_mpd_client_packets($1)
corenet_receive_mpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mpd_client_packets'($*)) dnl
corenet_dontaudit_send_mpd_client_packets($1)
corenet_dontaudit_receive_mpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mpd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mpd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mpd_client_packets'($*)) dnl
gen_require(`
type mpd_client_packet_t;
')
allow $1 mpd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mpd_client_packets'($*)) dnl
')
########################################
##
## Send mpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mpd_server_packets'($*)) dnl
gen_require(`
type mpd_server_packet_t;
')
allow $1 mpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mpd_server_packets'($*)) dnl
gen_require(`
type mpd_server_packet_t;
')
dontaudit $1 mpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mpd_server_packets'($*)) dnl
')
########################################
##
## Receive mpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mpd_server_packets'($*)) dnl
gen_require(`
type mpd_server_packet_t;
')
allow $1 mpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mpd_server_packets'($*)) dnl
gen_require(`
type mpd_server_packet_t;
')
dontaudit $1 mpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive mpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mpd_server_packets'($*)) dnl
corenet_send_mpd_server_packets($1)
corenet_receive_mpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mpd_server_packets'($*)) dnl
corenet_dontaudit_send_mpd_server_packets($1)
corenet_dontaudit_receive_mpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mpd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mpd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mpd_server_packets'($*)) dnl
gen_require(`
type mpd_server_packet_t;
')
allow $1 mpd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the msnp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
allow $1 msnp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_msnp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the msnp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
allow $1 msnp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_msnp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the msnp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
dontaudit $1 msnp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_msnp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the msnp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
allow $1 msnp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_msnp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the msnp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
dontaudit $1 msnp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_msnp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the msnp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_msnp_port'($*)) dnl
corenet_udp_send_msnp_port($1)
corenet_udp_receive_msnp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_msnp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the msnp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_msnp_port'($*)) dnl
corenet_dontaudit_udp_send_msnp_port($1)
corenet_dontaudit_udp_receive_msnp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_msnp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the msnp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
allow $1 msnp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_msnp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the msnp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
allow $1 msnp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_msnp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to msnp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
dontaudit $1 msnp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_msnp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the msnp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
allow $1 msnp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_msnp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to msnp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_msnp_port'($*)) dnl
gen_require(`
type msnp_port_t;
')
dontaudit $1 msnp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_msnp_port'($*)) dnl
')
########################################
##
## Send msnp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_msnp_client_packets'($*)) dnl
gen_require(`
type msnp_client_packet_t;
')
allow $1 msnp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_msnp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send msnp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msnp_client_packets'($*)) dnl
gen_require(`
type msnp_client_packet_t;
')
dontaudit $1 msnp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msnp_client_packets'($*)) dnl
')
########################################
##
## Receive msnp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_msnp_client_packets'($*)) dnl
gen_require(`
type msnp_client_packet_t;
')
allow $1 msnp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_msnp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive msnp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msnp_client_packets'($*)) dnl
gen_require(`
type msnp_client_packet_t;
')
dontaudit $1 msnp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msnp_client_packets'($*)) dnl
')
########################################
##
## Send and receive msnp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msnp_client_packets'($*)) dnl
corenet_send_msnp_client_packets($1)
corenet_receive_msnp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msnp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive msnp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msnp_client_packets'($*)) dnl
corenet_dontaudit_send_msnp_client_packets($1)
corenet_dontaudit_receive_msnp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msnp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to msnp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msnp_client_packets'($*)) dnl
gen_require(`
type msnp_client_packet_t;
')
allow $1 msnp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_msnp_client_packets'($*)) dnl
')
########################################
##
## Send msnp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_msnp_server_packets'($*)) dnl
gen_require(`
type msnp_server_packet_t;
')
allow $1 msnp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_msnp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send msnp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msnp_server_packets'($*)) dnl
gen_require(`
type msnp_server_packet_t;
')
dontaudit $1 msnp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msnp_server_packets'($*)) dnl
')
########################################
##
## Receive msnp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_msnp_server_packets'($*)) dnl
gen_require(`
type msnp_server_packet_t;
')
allow $1 msnp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_msnp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive msnp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msnp_server_packets'($*)) dnl
gen_require(`
type msnp_server_packet_t;
')
dontaudit $1 msnp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msnp_server_packets'($*)) dnl
')
########################################
##
## Send and receive msnp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msnp_server_packets'($*)) dnl
corenet_send_msnp_server_packets($1)
corenet_receive_msnp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msnp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive msnp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msnp_server_packets'($*)) dnl
corenet_dontaudit_send_msnp_server_packets($1)
corenet_dontaudit_receive_msnp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msnp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to msnp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msnp_server_packets'($*)) dnl
gen_require(`
type msnp_server_packet_t;
')
allow $1 msnp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_msnp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mssql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
allow $1 mssql_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mssql_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mssql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
allow $1 mssql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mssql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mssql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
dontaudit $1 mssql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mssql_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mssql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
allow $1 mssql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mssql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mssql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
dontaudit $1 mssql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mssql_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mssql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mssql_port'($*)) dnl
corenet_udp_send_mssql_port($1)
corenet_udp_receive_mssql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mssql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mssql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mssql_port'($*)) dnl
corenet_dontaudit_udp_send_mssql_port($1)
corenet_dontaudit_udp_receive_mssql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mssql_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mssql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
allow $1 mssql_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mssql_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mssql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
allow $1 mssql_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mssql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mssql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
dontaudit $1 mssql_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mssql_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mssql port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
allow $1 mssql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mssql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mssql port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mssql_port'($*)) dnl
gen_require(`
type mssql_port_t;
')
dontaudit $1 mssql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mssql_port'($*)) dnl
')
########################################
##
## Send mssql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mssql_client_packets'($*)) dnl
gen_require(`
type mssql_client_packet_t;
')
allow $1 mssql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mssql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mssql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mssql_client_packets'($*)) dnl
gen_require(`
type mssql_client_packet_t;
')
dontaudit $1 mssql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mssql_client_packets'($*)) dnl
')
########################################
##
## Receive mssql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mssql_client_packets'($*)) dnl
gen_require(`
type mssql_client_packet_t;
')
allow $1 mssql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mssql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mssql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mssql_client_packets'($*)) dnl
gen_require(`
type mssql_client_packet_t;
')
dontaudit $1 mssql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mssql_client_packets'($*)) dnl
')
########################################
##
## Send and receive mssql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mssql_client_packets'($*)) dnl
corenet_send_mssql_client_packets($1)
corenet_receive_mssql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mssql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mssql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mssql_client_packets'($*)) dnl
corenet_dontaudit_send_mssql_client_packets($1)
corenet_dontaudit_receive_mssql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mssql_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mssql_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mssql_client_packets'($*)) dnl
gen_require(`
type mssql_client_packet_t;
')
allow $1 mssql_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mssql_client_packets'($*)) dnl
')
########################################
##
## Send mssql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mssql_server_packets'($*)) dnl
gen_require(`
type mssql_server_packet_t;
')
allow $1 mssql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mssql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mssql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mssql_server_packets'($*)) dnl
gen_require(`
type mssql_server_packet_t;
')
dontaudit $1 mssql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mssql_server_packets'($*)) dnl
')
########################################
##
## Receive mssql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mssql_server_packets'($*)) dnl
gen_require(`
type mssql_server_packet_t;
')
allow $1 mssql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mssql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mssql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mssql_server_packets'($*)) dnl
gen_require(`
type mssql_server_packet_t;
')
dontaudit $1 mssql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mssql_server_packets'($*)) dnl
')
########################################
##
## Send and receive mssql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mssql_server_packets'($*)) dnl
corenet_send_mssql_server_packets($1)
corenet_receive_mssql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mssql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mssql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mssql_server_packets'($*)) dnl
corenet_dontaudit_send_mssql_server_packets($1)
corenet_dontaudit_receive_mssql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mssql_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mssql_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mssql_server_packets'($*)) dnl
gen_require(`
type mssql_server_packet_t;
')
allow $1 mssql_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mssql_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
allow $1 ms_streaming_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ms_streaming_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
allow $1 ms_streaming_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ms_streaming_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ms_streaming port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
dontaudit $1 ms_streaming_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ms_streaming_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
allow $1 ms_streaming_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ms_streaming_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ms_streaming port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
dontaudit $1 ms_streaming_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ms_streaming_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ms_streaming_port'($*)) dnl
corenet_udp_send_ms_streaming_port($1)
corenet_udp_receive_ms_streaming_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ms_streaming_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ms_streaming port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ms_streaming_port'($*)) dnl
corenet_dontaudit_udp_send_ms_streaming_port($1)
corenet_dontaudit_udp_receive_ms_streaming_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ms_streaming_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
allow $1 ms_streaming_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ms_streaming_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
allow $1 ms_streaming_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ms_streaming_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ms_streaming port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
dontaudit $1 ms_streaming_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ms_streaming_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ms_streaming port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
allow $1 ms_streaming_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ms_streaming_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ms_streaming port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ms_streaming_port'($*)) dnl
gen_require(`
type ms_streaming_port_t;
')
dontaudit $1 ms_streaming_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ms_streaming_port'($*)) dnl
')
########################################
##
## Send ms_streaming_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ms_streaming_client_packets'($*)) dnl
gen_require(`
type ms_streaming_client_packet_t;
')
allow $1 ms_streaming_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ms_streaming_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ms_streaming_client_packets'($*)) dnl
gen_require(`
type ms_streaming_client_packet_t;
')
dontaudit $1 ms_streaming_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Receive ms_streaming_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ms_streaming_client_packets'($*)) dnl
gen_require(`
type ms_streaming_client_packet_t;
')
allow $1 ms_streaming_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ms_streaming_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ms_streaming_client_packets'($*)) dnl
gen_require(`
type ms_streaming_client_packet_t;
')
dontaudit $1 ms_streaming_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Send and receive ms_streaming_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ms_streaming_client_packets'($*)) dnl
corenet_send_ms_streaming_client_packets($1)
corenet_receive_ms_streaming_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ms_streaming_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ms_streaming_client_packets'($*)) dnl
corenet_dontaudit_send_ms_streaming_client_packets($1)
corenet_dontaudit_receive_ms_streaming_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ms_streaming_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ms_streaming_client_packets'($*)) dnl
gen_require(`
type ms_streaming_client_packet_t;
')
allow $1 ms_streaming_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ms_streaming_client_packets'($*)) dnl
')
########################################
##
## Send ms_streaming_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ms_streaming_server_packets'($*)) dnl
gen_require(`
type ms_streaming_server_packet_t;
')
allow $1 ms_streaming_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ms_streaming_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ms_streaming_server_packets'($*)) dnl
gen_require(`
type ms_streaming_server_packet_t;
')
dontaudit $1 ms_streaming_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Receive ms_streaming_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ms_streaming_server_packets'($*)) dnl
gen_require(`
type ms_streaming_server_packet_t;
')
allow $1 ms_streaming_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ms_streaming_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ms_streaming_server_packets'($*)) dnl
gen_require(`
type ms_streaming_server_packet_t;
')
dontaudit $1 ms_streaming_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Send and receive ms_streaming_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ms_streaming_server_packets'($*)) dnl
corenet_send_ms_streaming_server_packets($1)
corenet_receive_ms_streaming_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ms_streaming_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ms_streaming_server_packets'($*)) dnl
corenet_dontaudit_send_ms_streaming_server_packets($1)
corenet_dontaudit_receive_ms_streaming_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ms_streaming_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ms_streaming_server_packets'($*)) dnl
gen_require(`
type ms_streaming_server_packet_t;
')
allow $1 ms_streaming_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ms_streaming_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the munin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
allow $1 munin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_munin_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the munin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
allow $1 munin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_munin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the munin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
dontaudit $1 munin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_munin_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the munin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
allow $1 munin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_munin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the munin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
dontaudit $1 munin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_munin_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the munin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_munin_port'($*)) dnl
corenet_udp_send_munin_port($1)
corenet_udp_receive_munin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_munin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the munin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_munin_port'($*)) dnl
corenet_dontaudit_udp_send_munin_port($1)
corenet_dontaudit_udp_receive_munin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_munin_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the munin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
allow $1 munin_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_munin_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the munin port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
allow $1 munin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_munin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to munin port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
dontaudit $1 munin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_munin_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the munin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
allow $1 munin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_munin_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to munin port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_munin_port'($*)) dnl
gen_require(`
type munin_port_t;
')
dontaudit $1 munin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_munin_port'($*)) dnl
')
########################################
##
## Send munin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_munin_client_packets'($*)) dnl
gen_require(`
type munin_client_packet_t;
')
allow $1 munin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_munin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send munin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_munin_client_packets'($*)) dnl
gen_require(`
type munin_client_packet_t;
')
dontaudit $1 munin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_munin_client_packets'($*)) dnl
')
########################################
##
## Receive munin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_munin_client_packets'($*)) dnl
gen_require(`
type munin_client_packet_t;
')
allow $1 munin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_munin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive munin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_munin_client_packets'($*)) dnl
gen_require(`
type munin_client_packet_t;
')
dontaudit $1 munin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_munin_client_packets'($*)) dnl
')
########################################
##
## Send and receive munin_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_munin_client_packets'($*)) dnl
corenet_send_munin_client_packets($1)
corenet_receive_munin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_munin_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive munin_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_munin_client_packets'($*)) dnl
corenet_dontaudit_send_munin_client_packets($1)
corenet_dontaudit_receive_munin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_munin_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to munin_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_munin_client_packets'($*)) dnl
gen_require(`
type munin_client_packet_t;
')
allow $1 munin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_munin_client_packets'($*)) dnl
')
########################################
##
## Send munin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_munin_server_packets'($*)) dnl
gen_require(`
type munin_server_packet_t;
')
allow $1 munin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_munin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send munin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_munin_server_packets'($*)) dnl
gen_require(`
type munin_server_packet_t;
')
dontaudit $1 munin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_munin_server_packets'($*)) dnl
')
########################################
##
## Receive munin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_munin_server_packets'($*)) dnl
gen_require(`
type munin_server_packet_t;
')
allow $1 munin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_munin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive munin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_munin_server_packets'($*)) dnl
gen_require(`
type munin_server_packet_t;
')
dontaudit $1 munin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_munin_server_packets'($*)) dnl
')
########################################
##
## Send and receive munin_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_munin_server_packets'($*)) dnl
corenet_send_munin_server_packets($1)
corenet_receive_munin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_munin_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive munin_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_munin_server_packets'($*)) dnl
corenet_dontaudit_send_munin_server_packets($1)
corenet_dontaudit_receive_munin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_munin_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to munin_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_munin_server_packets'($*)) dnl
gen_require(`
type munin_server_packet_t;
')
allow $1 munin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_munin_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mxi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
allow $1 mxi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mxi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mxi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
allow $1 mxi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mxi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mxi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
dontaudit $1 mxi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mxi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mxi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
allow $1 mxi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mxi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mxi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
dontaudit $1 mxi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mxi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mxi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mxi_port'($*)) dnl
corenet_udp_send_mxi_port($1)
corenet_udp_receive_mxi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mxi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mxi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mxi_port'($*)) dnl
corenet_dontaudit_udp_send_mxi_port($1)
corenet_dontaudit_udp_receive_mxi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mxi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mxi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
allow $1 mxi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mxi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mxi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
allow $1 mxi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mxi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mxi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
dontaudit $1 mxi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mxi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mxi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
allow $1 mxi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mxi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mxi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mxi_port'($*)) dnl
gen_require(`
type mxi_port_t;
')
dontaudit $1 mxi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mxi_port'($*)) dnl
')
########################################
##
## Send mxi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mxi_client_packets'($*)) dnl
gen_require(`
type mxi_client_packet_t;
')
allow $1 mxi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mxi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mxi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mxi_client_packets'($*)) dnl
gen_require(`
type mxi_client_packet_t;
')
dontaudit $1 mxi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mxi_client_packets'($*)) dnl
')
########################################
##
## Receive mxi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mxi_client_packets'($*)) dnl
gen_require(`
type mxi_client_packet_t;
')
allow $1 mxi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mxi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mxi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mxi_client_packets'($*)) dnl
gen_require(`
type mxi_client_packet_t;
')
dontaudit $1 mxi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mxi_client_packets'($*)) dnl
')
########################################
##
## Send and receive mxi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mxi_client_packets'($*)) dnl
corenet_send_mxi_client_packets($1)
corenet_receive_mxi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mxi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mxi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mxi_client_packets'($*)) dnl
corenet_dontaudit_send_mxi_client_packets($1)
corenet_dontaudit_receive_mxi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mxi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mxi_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mxi_client_packets'($*)) dnl
gen_require(`
type mxi_client_packet_t;
')
allow $1 mxi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mxi_client_packets'($*)) dnl
')
########################################
##
## Send mxi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mxi_server_packets'($*)) dnl
gen_require(`
type mxi_server_packet_t;
')
allow $1 mxi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mxi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mxi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mxi_server_packets'($*)) dnl
gen_require(`
type mxi_server_packet_t;
')
dontaudit $1 mxi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mxi_server_packets'($*)) dnl
')
########################################
##
## Receive mxi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mxi_server_packets'($*)) dnl
gen_require(`
type mxi_server_packet_t;
')
allow $1 mxi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mxi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mxi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mxi_server_packets'($*)) dnl
gen_require(`
type mxi_server_packet_t;
')
dontaudit $1 mxi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mxi_server_packets'($*)) dnl
')
########################################
##
## Send and receive mxi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mxi_server_packets'($*)) dnl
corenet_send_mxi_server_packets($1)
corenet_receive_mxi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mxi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mxi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mxi_server_packets'($*)) dnl
corenet_dontaudit_send_mxi_server_packets($1)
corenet_dontaudit_receive_mxi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mxi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mxi_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mxi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mxi_server_packets'($*)) dnl
gen_require(`
type mxi_server_packet_t;
')
allow $1 mxi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mxi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqld_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqld_port'($*)) dnl
corenet_udp_send_mysqld_port($1)
corenet_udp_receive_mysqld_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl
corenet_dontaudit_udp_send_mysqld_port($1)
corenet_dontaudit_udp_receive_mysqld_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqld_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mysqld port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mysqld port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mysqld_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mysqld port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqld_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mysqld port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mysqld_port'($*)) dnl
gen_require(`
type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mysqld_port'($*)) dnl
')
########################################
##
## Send mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
allow $1 mysqld_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mysqld_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
dontaudit $1 mysqld_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl
')
########################################
##
## Receive mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
allow $1 mysqld_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
dontaudit $1 mysqld_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl
')
########################################
##
## Send and receive mysqld_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_client_packets'($*)) dnl
corenet_send_mysqld_client_packets($1)
corenet_receive_mysqld_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mysqld_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl
corenet_dontaudit_send_mysqld_client_packets($1)
corenet_dontaudit_receive_mysqld_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mysqld_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mysqld_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_client_packets'($*)) dnl
gen_require(`
type mysqld_client_packet_t;
')
allow $1 mysqld_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_client_packets'($*)) dnl
')
########################################
##
## Send mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
allow $1 mysqld_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mysqld_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
dontaudit $1 mysqld_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl
')
########################################
##
## Receive mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
allow $1 mysqld_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
dontaudit $1 mysqld_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl
')
########################################
##
## Send and receive mysqld_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_server_packets'($*)) dnl
corenet_send_mysqld_server_packets($1)
corenet_receive_mysqld_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mysqld_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl
corenet_dontaudit_send_mysqld_server_packets($1)
corenet_dontaudit_receive_mysqld_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mysqld_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mysqld_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_server_packets'($*)) dnl
gen_require(`
type mysqld_server_packet_t;
')
allow $1 mysqld_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mysqlmanagerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
dontaudit $1 mysqlmanagerd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mysqlmanagerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
dontaudit $1 mysqlmanagerd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqlmanagerd_port'($*)) dnl
corenet_udp_send_mysqlmanagerd_port($1)
corenet_udp_receive_mysqlmanagerd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mysqlmanagerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port'($*)) dnl
corenet_dontaudit_udp_send_mysqlmanagerd_port($1)
corenet_dontaudit_udp_receive_mysqlmanagerd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mysqlmanagerd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
dontaudit $1 mysqlmanagerd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mysqlmanagerd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mysqlmanagerd_port'($*)) dnl
gen_require(`
type mysqlmanagerd_port_t;
')
dontaudit $1 mysqlmanagerd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mysqlmanagerd_port'($*)) dnl
')
########################################
##
## Send mysqlmanagerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mysqlmanagerd_client_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_client_packet_t;
')
allow $1 mysqlmanagerd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mysqlmanagerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqlmanagerd_client_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_client_packet_t;
')
dontaudit $1 mysqlmanagerd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Receive mysqlmanagerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqlmanagerd_client_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_client_packet_t;
')
allow $1 mysqlmanagerd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mysqlmanagerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqlmanagerd_client_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_client_packet_t;
')
dontaudit $1 mysqlmanagerd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Send and receive mysqlmanagerd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqlmanagerd_client_packets'($*)) dnl
corenet_send_mysqlmanagerd_client_packets($1)
corenet_receive_mysqlmanagerd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mysqlmanagerd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets'($*)) dnl
corenet_dontaudit_send_mysqlmanagerd_client_packets($1)
corenet_dontaudit_receive_mysqlmanagerd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mysqlmanagerd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mysqlmanagerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqlmanagerd_client_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_client_packet_t;
')
allow $1 mysqlmanagerd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqlmanagerd_client_packets'($*)) dnl
')
########################################
##
## Send mysqlmanagerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mysqlmanagerd_server_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_server_packet_t;
')
allow $1 mysqlmanagerd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mysqlmanagerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqlmanagerd_server_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_server_packet_t;
')
dontaudit $1 mysqlmanagerd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Receive mysqlmanagerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqlmanagerd_server_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_server_packet_t;
')
allow $1 mysqlmanagerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mysqlmanagerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqlmanagerd_server_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_server_packet_t;
')
dontaudit $1 mysqlmanagerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Send and receive mysqlmanagerd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
corenet_send_mysqlmanagerd_server_packets($1)
corenet_receive_mysqlmanagerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mysqlmanagerd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
corenet_dontaudit_send_mysqlmanagerd_server_packets($1)
corenet_dontaudit_receive_mysqlmanagerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mysqlmanagerd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqlmanagerd_server_packets'($*)) dnl
gen_require(`
type mysqlmanagerd_server_packet_t;
')
allow $1 mysqlmanagerd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqlmanagerd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the mythtv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
allow $1 mythtv_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mythtv_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the mythtv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
allow $1 mythtv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mythtv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the mythtv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
dontaudit $1 mythtv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mythtv_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the mythtv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
allow $1 mythtv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mythtv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the mythtv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
dontaudit $1 mythtv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mythtv_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the mythtv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mythtv_port'($*)) dnl
corenet_udp_send_mythtv_port($1)
corenet_udp_receive_mythtv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mythtv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the mythtv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mythtv_port'($*)) dnl
corenet_dontaudit_udp_send_mythtv_port($1)
corenet_dontaudit_udp_receive_mythtv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mythtv_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the mythtv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
allow $1 mythtv_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mythtv_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the mythtv port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
allow $1 mythtv_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mythtv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to mythtv port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
dontaudit $1 mythtv_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mythtv_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the mythtv port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
allow $1 mythtv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mythtv_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to mythtv port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mythtv_port'($*)) dnl
gen_require(`
type mythtv_port_t;
')
dontaudit $1 mythtv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mythtv_port'($*)) dnl
')
########################################
##
## Send mythtv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mythtv_client_packets'($*)) dnl
gen_require(`
type mythtv_client_packet_t;
')
allow $1 mythtv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mythtv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mythtv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mythtv_client_packets'($*)) dnl
gen_require(`
type mythtv_client_packet_t;
')
dontaudit $1 mythtv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mythtv_client_packets'($*)) dnl
')
########################################
##
## Receive mythtv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mythtv_client_packets'($*)) dnl
gen_require(`
type mythtv_client_packet_t;
')
allow $1 mythtv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mythtv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mythtv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mythtv_client_packets'($*)) dnl
gen_require(`
type mythtv_client_packet_t;
')
dontaudit $1 mythtv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mythtv_client_packets'($*)) dnl
')
########################################
##
## Send and receive mythtv_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mythtv_client_packets'($*)) dnl
corenet_send_mythtv_client_packets($1)
corenet_receive_mythtv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mythtv_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mythtv_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mythtv_client_packets'($*)) dnl
corenet_dontaudit_send_mythtv_client_packets($1)
corenet_dontaudit_receive_mythtv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mythtv_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to mythtv_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mythtv_client_packets'($*)) dnl
gen_require(`
type mythtv_client_packet_t;
')
allow $1 mythtv_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mythtv_client_packets'($*)) dnl
')
########################################
##
## Send mythtv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mythtv_server_packets'($*)) dnl
gen_require(`
type mythtv_server_packet_t;
')
allow $1 mythtv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mythtv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send mythtv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mythtv_server_packets'($*)) dnl
gen_require(`
type mythtv_server_packet_t;
')
dontaudit $1 mythtv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mythtv_server_packets'($*)) dnl
')
########################################
##
## Receive mythtv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mythtv_server_packets'($*)) dnl
gen_require(`
type mythtv_server_packet_t;
')
allow $1 mythtv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mythtv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive mythtv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mythtv_server_packets'($*)) dnl
gen_require(`
type mythtv_server_packet_t;
')
dontaudit $1 mythtv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mythtv_server_packets'($*)) dnl
')
########################################
##
## Send and receive mythtv_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mythtv_server_packets'($*)) dnl
corenet_send_mythtv_server_packets($1)
corenet_receive_mythtv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mythtv_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive mythtv_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mythtv_server_packets'($*)) dnl
corenet_dontaudit_send_mythtv_server_packets($1)
corenet_dontaudit_receive_mythtv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mythtv_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to mythtv_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mythtv_server_packets'($*)) dnl
gen_require(`
type mythtv_server_packet_t;
')
allow $1 mythtv_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mythtv_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nessus_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
dontaudit $1 nessus_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nessus_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
dontaudit $1 nessus_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nessus_port'($*)) dnl
corenet_udp_send_nessus_port($1)
corenet_udp_receive_nessus_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl
corenet_dontaudit_udp_send_nessus_port($1)
corenet_dontaudit_udp_receive_nessus_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nessus_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nessus port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nessus port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
dontaudit $1 nessus_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nessus_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nessus port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
allow $1 nessus_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nessus_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nessus port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nessus_port'($*)) dnl
gen_require(`
type nessus_port_t;
')
dontaudit $1 nessus_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nessus_port'($*)) dnl
')
########################################
##
## Send nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_client_packets'($*)) dnl
gen_require(`
type nessus_client_packet_t;
')
allow $1 nessus_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nessus_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nessus_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_client_packets'($*)) dnl
gen_require(`
type nessus_client_packet_t;
')
dontaudit $1 nessus_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_client_packets'($*)) dnl
')
########################################
##
## Receive nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_client_packets'($*)) dnl
gen_require(`
type nessus_client_packet_t;
')
allow $1 nessus_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl
gen_require(`
type nessus_client_packet_t;
')
dontaudit $1 nessus_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl
')
########################################
##
## Send and receive nessus_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_client_packets'($*)) dnl
corenet_send_nessus_client_packets($1)
corenet_receive_nessus_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nessus_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl
corenet_dontaudit_send_nessus_client_packets($1)
corenet_dontaudit_receive_nessus_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nessus_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_client_packets'($*)) dnl
gen_require(`
type nessus_client_packet_t;
')
allow $1 nessus_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_client_packets'($*)) dnl
')
########################################
##
## Send nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_server_packets'($*)) dnl
gen_require(`
type nessus_server_packet_t;
')
allow $1 nessus_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nessus_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nessus_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_server_packets'($*)) dnl
gen_require(`
type nessus_server_packet_t;
')
dontaudit $1 nessus_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_server_packets'($*)) dnl
')
########################################
##
## Receive nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_server_packets'($*)) dnl
gen_require(`
type nessus_server_packet_t;
')
allow $1 nessus_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl
gen_require(`
type nessus_server_packet_t;
')
dontaudit $1 nessus_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl
')
########################################
##
## Send and receive nessus_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_server_packets'($*)) dnl
corenet_send_nessus_server_packets($1)
corenet_receive_nessus_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nessus_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl
corenet_dontaudit_send_nessus_server_packets($1)
corenet_dontaudit_receive_nessus_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nessus_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_server_packets'($*)) dnl
gen_require(`
type nessus_server_packet_t;
')
allow $1 nessus_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the netport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
allow $1 netport_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netport_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the netport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
allow $1 netport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_netport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the netport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
dontaudit $1 netport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netport_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the netport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
allow $1 netport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the netport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
dontaudit $1 netport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netport_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the netport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netport_port'($*)) dnl
corenet_udp_send_netport_port($1)
corenet_udp_receive_netport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the netport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netport_port'($*)) dnl
corenet_dontaudit_udp_send_netport_port($1)
corenet_dontaudit_udp_receive_netport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netport_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the netport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
allow $1 netport_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netport_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the netport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
allow $1 netport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to netport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
dontaudit $1 netport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_netport_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the netport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
allow $1 netport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to netport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_netport_port'($*)) dnl
gen_require(`
type netport_port_t;
')
dontaudit $1 netport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_netport_port'($*)) dnl
')
########################################
##
## Send netport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_netport_client_packets'($*)) dnl
gen_require(`
type netport_client_packet_t;
')
allow $1 netport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_netport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send netport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netport_client_packets'($*)) dnl
gen_require(`
type netport_client_packet_t;
')
dontaudit $1 netport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netport_client_packets'($*)) dnl
')
########################################
##
## Receive netport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_netport_client_packets'($*)) dnl
gen_require(`
type netport_client_packet_t;
')
allow $1 netport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_netport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive netport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netport_client_packets'($*)) dnl
gen_require(`
type netport_client_packet_t;
')
dontaudit $1 netport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netport_client_packets'($*)) dnl
')
########################################
##
## Send and receive netport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netport_client_packets'($*)) dnl
corenet_send_netport_client_packets($1)
corenet_receive_netport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive netport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netport_client_packets'($*)) dnl
corenet_dontaudit_send_netport_client_packets($1)
corenet_dontaudit_receive_netport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netport_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to netport_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_netport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netport_client_packets'($*)) dnl
gen_require(`
type netport_client_packet_t;
')
allow $1 netport_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_netport_client_packets'($*)) dnl
')
########################################
##
## Send netport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_netport_server_packets'($*)) dnl
gen_require(`
type netport_server_packet_t;
')
allow $1 netport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_netport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send netport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netport_server_packets'($*)) dnl
gen_require(`
type netport_server_packet_t;
')
dontaudit $1 netport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netport_server_packets'($*)) dnl
')
########################################
##
## Receive netport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_netport_server_packets'($*)) dnl
gen_require(`
type netport_server_packet_t;
')
allow $1 netport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_netport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive netport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netport_server_packets'($*)) dnl
gen_require(`
type netport_server_packet_t;
')
dontaudit $1 netport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netport_server_packets'($*)) dnl
')
########################################
##
## Send and receive netport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netport_server_packets'($*)) dnl
corenet_send_netport_server_packets($1)
corenet_receive_netport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive netport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netport_server_packets'($*)) dnl
corenet_dontaudit_send_netport_server_packets($1)
corenet_dontaudit_receive_netport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netport_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to netport_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_netport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netport_server_packets'($*)) dnl
gen_require(`
type netport_server_packet_t;
')
allow $1 netport_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_netport_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
dontaudit $1 netsupport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
dontaudit $1 netsupport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netsupport_port'($*)) dnl
corenet_udp_send_netsupport_port($1)
corenet_udp_receive_netsupport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl
corenet_dontaudit_udp_send_netsupport_port($1)
corenet_dontaudit_udp_receive_netsupport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netsupport_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the netsupport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to netsupport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
dontaudit $1 netsupport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_netsupport_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the netsupport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
allow $1 netsupport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netsupport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to netsupport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_netsupport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_netsupport_port'($*)) dnl
gen_require(`
type netsupport_port_t;
')
dontaudit $1 netsupport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_netsupport_port'($*)) dnl
')
########################################
##
## Send netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_client_packets'($*)) dnl
gen_require(`
type netsupport_client_packet_t;
')
allow $1 netsupport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send netsupport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl
gen_require(`
type netsupport_client_packet_t;
')
dontaudit $1 netsupport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl
')
########################################
##
## Receive netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_client_packets'($*)) dnl
gen_require(`
type netsupport_client_packet_t;
')
allow $1 netsupport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl
gen_require(`
type netsupport_client_packet_t;
')
dontaudit $1 netsupport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl
')
########################################
##
## Send and receive netsupport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_client_packets'($*)) dnl
corenet_send_netsupport_client_packets($1)
corenet_receive_netsupport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive netsupport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl
corenet_dontaudit_send_netsupport_client_packets($1)
corenet_dontaudit_receive_netsupport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to netsupport_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_netsupport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_client_packets'($*)) dnl
gen_require(`
type netsupport_client_packet_t;
')
allow $1 netsupport_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_client_packets'($*)) dnl
')
########################################
##
## Send netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_server_packets'($*)) dnl
gen_require(`
type netsupport_server_packet_t;
')
allow $1 netsupport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send netsupport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl
gen_require(`
type netsupport_server_packet_t;
')
dontaudit $1 netsupport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl
')
########################################
##
## Receive netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_server_packets'($*)) dnl
gen_require(`
type netsupport_server_packet_t;
')
allow $1 netsupport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl
gen_require(`
type netsupport_server_packet_t;
')
dontaudit $1 netsupport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl
')
########################################
##
## Send and receive netsupport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_server_packets'($*)) dnl
corenet_send_netsupport_server_packets($1)
corenet_receive_netsupport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive netsupport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl
corenet_dontaudit_send_netsupport_server_packets($1)
corenet_dontaudit_receive_netsupport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to netsupport_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_netsupport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_server_packets'($*)) dnl
gen_require(`
type netsupport_server_packet_t;
')
allow $1 netsupport_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
allow $1 nfs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nfs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
allow $1 nfs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
dontaudit $1 nfs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nfs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
allow $1 nfs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
dontaudit $1 nfs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nfs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nfs_port'($*)) dnl
corenet_udp_send_nfs_port($1)
corenet_udp_receive_nfs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nfs_port'($*)) dnl
corenet_dontaudit_udp_send_nfs_port($1)
corenet_dontaudit_udp_receive_nfs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nfs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
allow $1 nfs_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nfs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
allow $1 nfs_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
dontaudit $1 nfs_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nfs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nfs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
allow $1 nfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nfs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nfs_port'($*)) dnl
gen_require(`
type nfs_port_t;
')
dontaudit $1 nfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nfs_port'($*)) dnl
')
########################################
##
## Send nfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nfs_client_packets'($*)) dnl
gen_require(`
type nfs_client_packet_t;
')
allow $1 nfs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfs_client_packets'($*)) dnl
gen_require(`
type nfs_client_packet_t;
')
dontaudit $1 nfs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfs_client_packets'($*)) dnl
')
########################################
##
## Receive nfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nfs_client_packets'($*)) dnl
gen_require(`
type nfs_client_packet_t;
')
allow $1 nfs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfs_client_packets'($*)) dnl
gen_require(`
type nfs_client_packet_t;
')
dontaudit $1 nfs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfs_client_packets'($*)) dnl
')
########################################
##
## Send and receive nfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfs_client_packets'($*)) dnl
corenet_send_nfs_client_packets($1)
corenet_receive_nfs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfs_client_packets'($*)) dnl
corenet_dontaudit_send_nfs_client_packets($1)
corenet_dontaudit_receive_nfs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nfs_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfs_client_packets'($*)) dnl
gen_require(`
type nfs_client_packet_t;
')
allow $1 nfs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfs_client_packets'($*)) dnl
')
########################################
##
## Send nfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nfs_server_packets'($*)) dnl
gen_require(`
type nfs_server_packet_t;
')
allow $1 nfs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfs_server_packets'($*)) dnl
gen_require(`
type nfs_server_packet_t;
')
dontaudit $1 nfs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfs_server_packets'($*)) dnl
')
########################################
##
## Receive nfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nfs_server_packets'($*)) dnl
gen_require(`
type nfs_server_packet_t;
')
allow $1 nfs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfs_server_packets'($*)) dnl
gen_require(`
type nfs_server_packet_t;
')
dontaudit $1 nfs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfs_server_packets'($*)) dnl
')
########################################
##
## Send and receive nfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfs_server_packets'($*)) dnl
corenet_send_nfs_server_packets($1)
corenet_receive_nfs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfs_server_packets'($*)) dnl
corenet_dontaudit_send_nfs_server_packets($1)
corenet_dontaudit_receive_nfs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nfs_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfs_server_packets'($*)) dnl
gen_require(`
type nfs_server_packet_t;
')
allow $1 nfs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nmbd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
dontaudit $1 nmbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nmbd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
dontaudit $1 nmbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nmbd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nmbd_port'($*)) dnl
corenet_udp_send_nmbd_port($1)
corenet_udp_receive_nmbd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nmbd_port'($*)) dnl
corenet_dontaudit_udp_send_nmbd_port($1)
corenet_dontaudit_udp_receive_nmbd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nmbd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nmbd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nmbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nmbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
dontaudit $1 nmbd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nmbd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nmbd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
allow $1 nmbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nmbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nmbd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nmbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nmbd_port'($*)) dnl
gen_require(`
type nmbd_port_t;
')
dontaudit $1 nmbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nmbd_port'($*)) dnl
')
########################################
##
## Send nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_client_packets'($*)) dnl
gen_require(`
type nmbd_client_packet_t;
')
allow $1 nmbd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nmbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_client_packets'($*)) dnl
gen_require(`
type nmbd_client_packet_t;
')
dontaudit $1 nmbd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_client_packets'($*)) dnl
')
########################################
##
## Receive nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_client_packets'($*)) dnl
gen_require(`
type nmbd_client_packet_t;
')
allow $1 nmbd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_client_packets'($*)) dnl
gen_require(`
type nmbd_client_packet_t;
')
dontaudit $1 nmbd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_client_packets'($*)) dnl
')
########################################
##
## Send and receive nmbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_client_packets'($*)) dnl
corenet_send_nmbd_client_packets($1)
corenet_receive_nmbd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nmbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_client_packets'($*)) dnl
corenet_dontaudit_send_nmbd_client_packets($1)
corenet_dontaudit_receive_nmbd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nmbd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nmbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_client_packets'($*)) dnl
gen_require(`
type nmbd_client_packet_t;
')
allow $1 nmbd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_client_packets'($*)) dnl
')
########################################
##
## Send nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_server_packets'($*)) dnl
gen_require(`
type nmbd_server_packet_t;
')
allow $1 nmbd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nmbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_server_packets'($*)) dnl
gen_require(`
type nmbd_server_packet_t;
')
dontaudit $1 nmbd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_server_packets'($*)) dnl
')
########################################
##
## Receive nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_server_packets'($*)) dnl
gen_require(`
type nmbd_server_packet_t;
')
allow $1 nmbd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_server_packets'($*)) dnl
gen_require(`
type nmbd_server_packet_t;
')
dontaudit $1 nmbd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive nmbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_server_packets'($*)) dnl
corenet_send_nmbd_server_packets($1)
corenet_receive_nmbd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nmbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_server_packets'($*)) dnl
corenet_dontaudit_send_nmbd_server_packets($1)
corenet_dontaudit_receive_nmbd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nmbd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nmbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_server_packets'($*)) dnl
gen_require(`
type nmbd_server_packet_t;
')
allow $1 nmbd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nmea port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
allow $1 nmea_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nmea_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nmea port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
allow $1 nmea_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nmea_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nmea port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
dontaudit $1 nmea_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nmea_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nmea port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
allow $1 nmea_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nmea_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nmea port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
dontaudit $1 nmea_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nmea_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nmea port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nmea_port'($*)) dnl
corenet_udp_send_nmea_port($1)
corenet_udp_receive_nmea_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nmea_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nmea port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nmea_port'($*)) dnl
corenet_dontaudit_udp_send_nmea_port($1)
corenet_dontaudit_udp_receive_nmea_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nmea_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nmea port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
allow $1 nmea_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nmea_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nmea port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
allow $1 nmea_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nmea_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nmea port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
dontaudit $1 nmea_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nmea_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nmea port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
allow $1 nmea_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nmea_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nmea port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nmea_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nmea_port'($*)) dnl
gen_require(`
type nmea_port_t;
')
dontaudit $1 nmea_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nmea_port'($*)) dnl
')
########################################
##
## Send nmea_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmea_client_packets'($*)) dnl
gen_require(`
type nmea_client_packet_t;
')
allow $1 nmea_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmea_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nmea_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmea_client_packets'($*)) dnl
gen_require(`
type nmea_client_packet_t;
')
dontaudit $1 nmea_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmea_client_packets'($*)) dnl
')
########################################
##
## Receive nmea_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmea_client_packets'($*)) dnl
gen_require(`
type nmea_client_packet_t;
')
allow $1 nmea_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmea_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nmea_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmea_client_packets'($*)) dnl
gen_require(`
type nmea_client_packet_t;
')
dontaudit $1 nmea_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmea_client_packets'($*)) dnl
')
########################################
##
## Send and receive nmea_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmea_client_packets'($*)) dnl
corenet_send_nmea_client_packets($1)
corenet_receive_nmea_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmea_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nmea_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmea_client_packets'($*)) dnl
corenet_dontaudit_send_nmea_client_packets($1)
corenet_dontaudit_receive_nmea_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmea_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nmea_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmea_client_packets'($*)) dnl
gen_require(`
type nmea_client_packet_t;
')
allow $1 nmea_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmea_client_packets'($*)) dnl
')
########################################
##
## Send nmea_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmea_server_packets'($*)) dnl
gen_require(`
type nmea_server_packet_t;
')
allow $1 nmea_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmea_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nmea_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmea_server_packets'($*)) dnl
gen_require(`
type nmea_server_packet_t;
')
dontaudit $1 nmea_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmea_server_packets'($*)) dnl
')
########################################
##
## Receive nmea_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmea_server_packets'($*)) dnl
gen_require(`
type nmea_server_packet_t;
')
allow $1 nmea_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmea_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nmea_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmea_server_packets'($*)) dnl
gen_require(`
type nmea_server_packet_t;
')
dontaudit $1 nmea_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmea_server_packets'($*)) dnl
')
########################################
##
## Send and receive nmea_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmea_server_packets'($*)) dnl
corenet_send_nmea_server_packets($1)
corenet_receive_nmea_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmea_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nmea_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmea_server_packets'($*)) dnl
corenet_dontaudit_send_nmea_server_packets($1)
corenet_dontaudit_receive_nmea_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmea_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nmea_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmea_server_packets'($*)) dnl
gen_require(`
type nmea_server_packet_t;
')
allow $1 nmea_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmea_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
allow $1 nodejs_debug_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nodejs_debug_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
allow $1 nodejs_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nodejs_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nodejs_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
dontaudit $1 nodejs_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nodejs_debug_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
allow $1 nodejs_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nodejs_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nodejs_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
dontaudit $1 nodejs_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nodejs_debug_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nodejs_debug_port'($*)) dnl
corenet_udp_send_nodejs_debug_port($1)
corenet_udp_receive_nodejs_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nodejs_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nodejs_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nodejs_debug_port'($*)) dnl
corenet_dontaudit_udp_send_nodejs_debug_port($1)
corenet_dontaudit_udp_receive_nodejs_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nodejs_debug_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
allow $1 nodejs_debug_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nodejs_debug_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
allow $1 nodejs_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nodejs_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nodejs_debug port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
dontaudit $1 nodejs_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nodejs_debug_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
allow $1 nodejs_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nodejs_debug_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nodejs_debug port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nodejs_debug_port'($*)) dnl
gen_require(`
type nodejs_debug_port_t;
')
dontaudit $1 nodejs_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nodejs_debug_port'($*)) dnl
')
########################################
##
## Send nodejs_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nodejs_debug_client_packets'($*)) dnl
gen_require(`
type nodejs_debug_client_packet_t;
')
allow $1 nodejs_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nodejs_debug_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nodejs_debug_client_packets'($*)) dnl
gen_require(`
type nodejs_debug_client_packet_t;
')
dontaudit $1 nodejs_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Receive nodejs_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nodejs_debug_client_packets'($*)) dnl
gen_require(`
type nodejs_debug_client_packet_t;
')
allow $1 nodejs_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nodejs_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nodejs_debug_client_packets'($*)) dnl
gen_require(`
type nodejs_debug_client_packet_t;
')
dontaudit $1 nodejs_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Send and receive nodejs_debug_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nodejs_debug_client_packets'($*)) dnl
corenet_send_nodejs_debug_client_packets($1)
corenet_receive_nodejs_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nodejs_debug_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nodejs_debug_client_packets'($*)) dnl
corenet_dontaudit_send_nodejs_debug_client_packets($1)
corenet_dontaudit_receive_nodejs_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nodejs_debug_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nodejs_debug_client_packets'($*)) dnl
gen_require(`
type nodejs_debug_client_packet_t;
')
allow $1 nodejs_debug_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nodejs_debug_client_packets'($*)) dnl
')
########################################
##
## Send nodejs_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nodejs_debug_server_packets'($*)) dnl
gen_require(`
type nodejs_debug_server_packet_t;
')
allow $1 nodejs_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nodejs_debug_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nodejs_debug_server_packets'($*)) dnl
gen_require(`
type nodejs_debug_server_packet_t;
')
dontaudit $1 nodejs_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Receive nodejs_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nodejs_debug_server_packets'($*)) dnl
gen_require(`
type nodejs_debug_server_packet_t;
')
allow $1 nodejs_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nodejs_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nodejs_debug_server_packets'($*)) dnl
gen_require(`
type nodejs_debug_server_packet_t;
')
dontaudit $1 nodejs_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Send and receive nodejs_debug_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nodejs_debug_server_packets'($*)) dnl
corenet_send_nodejs_debug_server_packets($1)
corenet_receive_nodejs_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nodejs_debug_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nodejs_debug_server_packets'($*)) dnl
corenet_dontaudit_send_nodejs_debug_server_packets($1)
corenet_dontaudit_receive_nodejs_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nodejs_debug_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nodejs_debug_server_packets'($*)) dnl
gen_require(`
type nodejs_debug_server_packet_t;
')
allow $1 nodejs_debug_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nodejs_debug_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nsca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
allow $1 nsca_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nsca_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nsca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
allow $1 nsca_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nsca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nsca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
dontaudit $1 nsca_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nsca_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nsca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
allow $1 nsca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nsca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nsca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
dontaudit $1 nsca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nsca_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nsca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nsca_port'($*)) dnl
corenet_udp_send_nsca_port($1)
corenet_udp_receive_nsca_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nsca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nsca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nsca_port'($*)) dnl
corenet_dontaudit_udp_send_nsca_port($1)
corenet_dontaudit_udp_receive_nsca_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nsca_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nsca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
allow $1 nsca_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nsca_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nsca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
allow $1 nsca_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nsca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nsca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
dontaudit $1 nsca_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nsca_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nsca port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
allow $1 nsca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nsca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nsca port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nsca_port'($*)) dnl
gen_require(`
type nsca_port_t;
')
dontaudit $1 nsca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nsca_port'($*)) dnl
')
########################################
##
## Send nsca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsca_client_packets'($*)) dnl
gen_require(`
type nsca_client_packet_t;
')
allow $1 nsca_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nsca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsca_client_packets'($*)) dnl
gen_require(`
type nsca_client_packet_t;
')
dontaudit $1 nsca_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsca_client_packets'($*)) dnl
')
########################################
##
## Receive nsca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsca_client_packets'($*)) dnl
gen_require(`
type nsca_client_packet_t;
')
allow $1 nsca_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nsca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsca_client_packets'($*)) dnl
gen_require(`
type nsca_client_packet_t;
')
dontaudit $1 nsca_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsca_client_packets'($*)) dnl
')
########################################
##
## Send and receive nsca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsca_client_packets'($*)) dnl
corenet_send_nsca_client_packets($1)
corenet_receive_nsca_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nsca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsca_client_packets'($*)) dnl
corenet_dontaudit_send_nsca_client_packets($1)
corenet_dontaudit_receive_nsca_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsca_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nsca_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsca_client_packets'($*)) dnl
gen_require(`
type nsca_client_packet_t;
')
allow $1 nsca_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsca_client_packets'($*)) dnl
')
########################################
##
## Send nsca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsca_server_packets'($*)) dnl
gen_require(`
type nsca_server_packet_t;
')
allow $1 nsca_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nsca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsca_server_packets'($*)) dnl
gen_require(`
type nsca_server_packet_t;
')
dontaudit $1 nsca_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsca_server_packets'($*)) dnl
')
########################################
##
## Receive nsca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsca_server_packets'($*)) dnl
gen_require(`
type nsca_server_packet_t;
')
allow $1 nsca_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nsca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsca_server_packets'($*)) dnl
gen_require(`
type nsca_server_packet_t;
')
dontaudit $1 nsca_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsca_server_packets'($*)) dnl
')
########################################
##
## Send and receive nsca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsca_server_packets'($*)) dnl
corenet_send_nsca_server_packets($1)
corenet_receive_nsca_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nsca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsca_server_packets'($*)) dnl
corenet_dontaudit_send_nsca_server_packets($1)
corenet_dontaudit_receive_nsca_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsca_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nsca_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nsca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsca_server_packets'($*)) dnl
gen_require(`
type nsca_server_packet_t;
')
allow $1 nsca_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsca_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ntop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
allow $1 ntop_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntop_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ntop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
allow $1 ntop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ntop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
dontaudit $1 ntop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntop_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ntop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
allow $1 ntop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ntop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
dontaudit $1 ntop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntop_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ntop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntop_port'($*)) dnl
corenet_udp_send_ntop_port($1)
corenet_udp_receive_ntop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ntop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntop_port'($*)) dnl
corenet_dontaudit_udp_send_ntop_port($1)
corenet_dontaudit_udp_receive_ntop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntop_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ntop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
allow $1 ntop_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntop_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ntop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
allow $1 ntop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ntop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
dontaudit $1 ntop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ntop_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ntop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
allow $1 ntop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ntop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ntop_port'($*)) dnl
gen_require(`
type ntop_port_t;
')
dontaudit $1 ntop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ntop_port'($*)) dnl
')
########################################
##
## Send ntop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntop_client_packets'($*)) dnl
gen_require(`
type ntop_client_packet_t;
')
allow $1 ntop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntop_client_packets'($*)) dnl
gen_require(`
type ntop_client_packet_t;
')
dontaudit $1 ntop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntop_client_packets'($*)) dnl
')
########################################
##
## Receive ntop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntop_client_packets'($*)) dnl
gen_require(`
type ntop_client_packet_t;
')
allow $1 ntop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntop_client_packets'($*)) dnl
gen_require(`
type ntop_client_packet_t;
')
dontaudit $1 ntop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntop_client_packets'($*)) dnl
')
########################################
##
## Send and receive ntop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntop_client_packets'($*)) dnl
corenet_send_ntop_client_packets($1)
corenet_receive_ntop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntop_client_packets'($*)) dnl
corenet_dontaudit_send_ntop_client_packets($1)
corenet_dontaudit_receive_ntop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntop_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ntop_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntop_client_packets'($*)) dnl
gen_require(`
type ntop_client_packet_t;
')
allow $1 ntop_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntop_client_packets'($*)) dnl
')
########################################
##
## Send ntop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntop_server_packets'($*)) dnl
gen_require(`
type ntop_server_packet_t;
')
allow $1 ntop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntop_server_packets'($*)) dnl
gen_require(`
type ntop_server_packet_t;
')
dontaudit $1 ntop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntop_server_packets'($*)) dnl
')
########################################
##
## Receive ntop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntop_server_packets'($*)) dnl
gen_require(`
type ntop_server_packet_t;
')
allow $1 ntop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntop_server_packets'($*)) dnl
gen_require(`
type ntop_server_packet_t;
')
dontaudit $1 ntop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntop_server_packets'($*)) dnl
')
########################################
##
## Send and receive ntop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntop_server_packets'($*)) dnl
corenet_send_ntop_server_packets($1)
corenet_receive_ntop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntop_server_packets'($*)) dnl
corenet_dontaudit_send_ntop_server_packets($1)
corenet_dontaudit_receive_ntop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntop_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ntop_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntop_server_packets'($*)) dnl
gen_require(`
type ntop_server_packet_t;
')
allow $1 ntop_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntop_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
dontaudit $1 ntp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
dontaudit $1 ntp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntp_port'($*)) dnl
corenet_udp_send_ntp_port($1)
corenet_udp_receive_ntp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl
corenet_dontaudit_udp_send_ntp_port($1)
corenet_dontaudit_udp_receive_ntp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ntp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ntp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
dontaudit $1 ntp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ntp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ntp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
allow $1 ntp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ntp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ntp_port'($*)) dnl
gen_require(`
type ntp_port_t;
')
dontaudit $1 ntp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ntp_port'($*)) dnl
')
########################################
##
## Send ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_client_packets'($*)) dnl
gen_require(`
type ntp_client_packet_t;
')
allow $1 ntp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_client_packets'($*)) dnl
gen_require(`
type ntp_client_packet_t;
')
dontaudit $1 ntp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_client_packets'($*)) dnl
')
########################################
##
## Receive ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_client_packets'($*)) dnl
gen_require(`
type ntp_client_packet_t;
')
allow $1 ntp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl
gen_require(`
type ntp_client_packet_t;
')
dontaudit $1 ntp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ntp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_client_packets'($*)) dnl
corenet_send_ntp_client_packets($1)
corenet_receive_ntp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl
corenet_dontaudit_send_ntp_client_packets($1)
corenet_dontaudit_receive_ntp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ntp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_client_packets'($*)) dnl
gen_require(`
type ntp_client_packet_t;
')
allow $1 ntp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_client_packets'($*)) dnl
')
########################################
##
## Send ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_server_packets'($*)) dnl
gen_require(`
type ntp_server_packet_t;
')
allow $1 ntp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_server_packets'($*)) dnl
gen_require(`
type ntp_server_packet_t;
')
dontaudit $1 ntp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_server_packets'($*)) dnl
')
########################################
##
## Receive ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_server_packets'($*)) dnl
gen_require(`
type ntp_server_packet_t;
')
allow $1 ntp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl
gen_require(`
type ntp_server_packet_t;
')
dontaudit $1 ntp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ntp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_server_packets'($*)) dnl
corenet_send_ntp_server_packets($1)
corenet_receive_ntp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl
corenet_dontaudit_send_ntp_server_packets($1)
corenet_dontaudit_receive_ntp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ntp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_server_packets'($*)) dnl
gen_require(`
type ntp_server_packet_t;
')
allow $1 ntp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ntske port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
allow $1 ntske_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntske_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ntske port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
allow $1 ntske_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntske_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ntske port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
dontaudit $1 ntske_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntske_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ntske port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
allow $1 ntske_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntske_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ntske port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
dontaudit $1 ntske_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntske_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ntske port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntske_port'($*)) dnl
corenet_udp_send_ntske_port($1)
corenet_udp_receive_ntske_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntske_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ntske port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntske_port'($*)) dnl
corenet_dontaudit_udp_send_ntske_port($1)
corenet_dontaudit_udp_receive_ntske_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntske_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ntske port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
allow $1 ntske_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntske_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ntske port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
allow $1 ntske_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntske_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ntske port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
dontaudit $1 ntske_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ntske_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ntske port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
allow $1 ntske_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntske_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ntske port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ntske_port'($*)) dnl
gen_require(`
type ntske_port_t;
')
dontaudit $1 ntske_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ntske_port'($*)) dnl
')
########################################
##
## Send ntske_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntske_client_packets'($*)) dnl
gen_require(`
type ntske_client_packet_t;
')
allow $1 ntske_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntske_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntske_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntske_client_packets'($*)) dnl
gen_require(`
type ntske_client_packet_t;
')
dontaudit $1 ntske_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntske_client_packets'($*)) dnl
')
########################################
##
## Receive ntske_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntske_client_packets'($*)) dnl
gen_require(`
type ntske_client_packet_t;
')
allow $1 ntske_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntske_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntske_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntske_client_packets'($*)) dnl
gen_require(`
type ntske_client_packet_t;
')
dontaudit $1 ntske_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntske_client_packets'($*)) dnl
')
########################################
##
## Send and receive ntske_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntske_client_packets'($*)) dnl
corenet_send_ntske_client_packets($1)
corenet_receive_ntske_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntske_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntske_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntske_client_packets'($*)) dnl
corenet_dontaudit_send_ntske_client_packets($1)
corenet_dontaudit_receive_ntske_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntske_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ntske_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntske_client_packets'($*)) dnl
gen_require(`
type ntske_client_packet_t;
')
allow $1 ntske_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntske_client_packets'($*)) dnl
')
########################################
##
## Send ntske_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntske_server_packets'($*)) dnl
gen_require(`
type ntske_server_packet_t;
')
allow $1 ntske_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntske_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ntske_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntske_server_packets'($*)) dnl
gen_require(`
type ntske_server_packet_t;
')
dontaudit $1 ntske_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntske_server_packets'($*)) dnl
')
########################################
##
## Receive ntske_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntske_server_packets'($*)) dnl
gen_require(`
type ntske_server_packet_t;
')
allow $1 ntske_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntske_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ntske_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntske_server_packets'($*)) dnl
gen_require(`
type ntske_server_packet_t;
')
dontaudit $1 ntske_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntske_server_packets'($*)) dnl
')
########################################
##
## Send and receive ntske_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntske_server_packets'($*)) dnl
corenet_send_ntske_server_packets($1)
corenet_receive_ntske_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntske_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ntske_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntske_server_packets'($*)) dnl
corenet_dontaudit_send_ntske_server_packets($1)
corenet_dontaudit_receive_ntske_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntske_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ntske_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntske_server_packets'($*)) dnl
gen_require(`
type ntske_server_packet_t;
')
allow $1 ntske_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntske_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the oracle port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_oracle_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the oracle port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_oracle_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the oracle port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
dontaudit $1 oracle_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_oracle_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the oracle port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_oracle_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the oracle port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
dontaudit $1 oracle_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_oracle_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the oracle port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_oracle_port'($*)) dnl
corenet_udp_send_oracle_port($1)
corenet_udp_receive_oracle_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_oracle_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the oracle port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_oracle_port'($*)) dnl
corenet_dontaudit_udp_send_oracle_port($1)
corenet_dontaudit_udp_receive_oracle_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_oracle_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the oracle port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_oracle_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the oracle port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_oracle_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to oracle port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
dontaudit $1 oracle_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_oracle_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the oracle port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
allow $1 oracle_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_oracle_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to oracle port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_oracle_port'($*)) dnl
gen_require(`
type oracle_port_t;
')
dontaudit $1 oracle_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_oracle_port'($*)) dnl
')
########################################
##
## Send oracle_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_oracle_client_packets'($*)) dnl
gen_require(`
type oracle_client_packet_t;
')
allow $1 oracle_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_oracle_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send oracle_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oracle_client_packets'($*)) dnl
gen_require(`
type oracle_client_packet_t;
')
dontaudit $1 oracle_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oracle_client_packets'($*)) dnl
')
########################################
##
## Receive oracle_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_oracle_client_packets'($*)) dnl
gen_require(`
type oracle_client_packet_t;
')
allow $1 oracle_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_oracle_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive oracle_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oracle_client_packets'($*)) dnl
gen_require(`
type oracle_client_packet_t;
')
dontaudit $1 oracle_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oracle_client_packets'($*)) dnl
')
########################################
##
## Send and receive oracle_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oracle_client_packets'($*)) dnl
corenet_send_oracle_client_packets($1)
corenet_receive_oracle_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oracle_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive oracle_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oracle_client_packets'($*)) dnl
corenet_dontaudit_send_oracle_client_packets($1)
corenet_dontaudit_receive_oracle_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oracle_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to oracle_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oracle_client_packets'($*)) dnl
gen_require(`
type oracle_client_packet_t;
')
allow $1 oracle_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_oracle_client_packets'($*)) dnl
')
########################################
##
## Send oracle_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_oracle_server_packets'($*)) dnl
gen_require(`
type oracle_server_packet_t;
')
allow $1 oracle_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_oracle_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send oracle_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oracle_server_packets'($*)) dnl
gen_require(`
type oracle_server_packet_t;
')
dontaudit $1 oracle_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oracle_server_packets'($*)) dnl
')
########################################
##
## Receive oracle_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_oracle_server_packets'($*)) dnl
gen_require(`
type oracle_server_packet_t;
')
allow $1 oracle_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_oracle_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive oracle_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oracle_server_packets'($*)) dnl
gen_require(`
type oracle_server_packet_t;
')
dontaudit $1 oracle_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oracle_server_packets'($*)) dnl
')
########################################
##
## Send and receive oracle_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oracle_server_packets'($*)) dnl
corenet_send_oracle_server_packets($1)
corenet_receive_oracle_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oracle_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive oracle_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oracle_server_packets'($*)) dnl
corenet_dontaudit_send_oracle_server_packets($1)
corenet_dontaudit_receive_oracle_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oracle_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to oracle_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oracle_server_packets'($*)) dnl
gen_require(`
type oracle_server_packet_t;
')
allow $1 oracle_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_oracle_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the oa_system port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
allow $1 oa_system_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_oa_system_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the oa_system port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
allow $1 oa_system_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_oa_system_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the oa_system port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
dontaudit $1 oa_system_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_oa_system_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the oa_system port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
allow $1 oa_system_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_oa_system_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the oa_system port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
dontaudit $1 oa_system_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_oa_system_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the oa_system port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_oa_system_port'($*)) dnl
corenet_udp_send_oa_system_port($1)
corenet_udp_receive_oa_system_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_oa_system_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the oa_system port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_oa_system_port'($*)) dnl
corenet_dontaudit_udp_send_oa_system_port($1)
corenet_dontaudit_udp_receive_oa_system_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_oa_system_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the oa_system port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
allow $1 oa_system_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_oa_system_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the oa_system port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
allow $1 oa_system_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_oa_system_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to oa_system port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
dontaudit $1 oa_system_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_oa_system_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the oa_system port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
allow $1 oa_system_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_oa_system_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to oa_system port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_oa_system_port'($*)) dnl
gen_require(`
type oa_system_port_t;
')
dontaudit $1 oa_system_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_oa_system_port'($*)) dnl
')
########################################
##
## Send oa_system_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_oa_system_client_packets'($*)) dnl
gen_require(`
type oa_system_client_packet_t;
')
allow $1 oa_system_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_oa_system_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send oa_system_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oa_system_client_packets'($*)) dnl
gen_require(`
type oa_system_client_packet_t;
')
dontaudit $1 oa_system_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oa_system_client_packets'($*)) dnl
')
########################################
##
## Receive oa_system_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_oa_system_client_packets'($*)) dnl
gen_require(`
type oa_system_client_packet_t;
')
allow $1 oa_system_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_oa_system_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive oa_system_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oa_system_client_packets'($*)) dnl
gen_require(`
type oa_system_client_packet_t;
')
dontaudit $1 oa_system_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oa_system_client_packets'($*)) dnl
')
########################################
##
## Send and receive oa_system_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oa_system_client_packets'($*)) dnl
corenet_send_oa_system_client_packets($1)
corenet_receive_oa_system_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oa_system_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive oa_system_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oa_system_client_packets'($*)) dnl
corenet_dontaudit_send_oa_system_client_packets($1)
corenet_dontaudit_receive_oa_system_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oa_system_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to oa_system_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_oa_system_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oa_system_client_packets'($*)) dnl
gen_require(`
type oa_system_client_packet_t;
')
allow $1 oa_system_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_oa_system_client_packets'($*)) dnl
')
########################################
##
## Send oa_system_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_oa_system_server_packets'($*)) dnl
gen_require(`
type oa_system_server_packet_t;
')
allow $1 oa_system_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_oa_system_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send oa_system_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oa_system_server_packets'($*)) dnl
gen_require(`
type oa_system_server_packet_t;
')
dontaudit $1 oa_system_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oa_system_server_packets'($*)) dnl
')
########################################
##
## Receive oa_system_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_oa_system_server_packets'($*)) dnl
gen_require(`
type oa_system_server_packet_t;
')
allow $1 oa_system_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_oa_system_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive oa_system_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oa_system_server_packets'($*)) dnl
gen_require(`
type oa_system_server_packet_t;
')
dontaudit $1 oa_system_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oa_system_server_packets'($*)) dnl
')
########################################
##
## Send and receive oa_system_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oa_system_server_packets'($*)) dnl
corenet_send_oa_system_server_packets($1)
corenet_receive_oa_system_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oa_system_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive oa_system_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oa_system_server_packets'($*)) dnl
corenet_dontaudit_send_oa_system_server_packets($1)
corenet_dontaudit_receive_oa_system_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oa_system_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to oa_system_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_oa_system_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oa_system_server_packets'($*)) dnl
gen_require(`
type oa_system_server_packet_t;
')
allow $1 oa_system_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_oa_system_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ocsp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
dontaudit $1 ocsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
dontaudit $1 ocsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ocsp_port'($*)) dnl
corenet_udp_send_ocsp_port($1)
corenet_udp_receive_ocsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl
corenet_dontaudit_udp_send_ocsp_port($1)
corenet_dontaudit_udp_receive_ocsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ocsp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
dontaudit $1 ocsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ocsp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ocsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
allow $1 ocsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ocsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ocsp_port'($*)) dnl
gen_require(`
type ocsp_port_t;
')
dontaudit $1 ocsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ocsp_port'($*)) dnl
')
########################################
##
## Send ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
allow $1 ocsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
dontaudit $1 ocsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl
')
########################################
##
## Receive ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
allow $1 ocsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
dontaudit $1 ocsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_client_packets'($*)) dnl
corenet_send_ocsp_client_packets($1)
corenet_receive_ocsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl
corenet_dontaudit_send_ocsp_client_packets($1)
corenet_dontaudit_receive_ocsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ocsp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_client_packets'($*)) dnl
gen_require(`
type ocsp_client_packet_t;
')
allow $1 ocsp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
allow $1 ocsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
dontaudit $1 ocsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl
')
########################################
##
## Receive ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
allow $1 ocsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
dontaudit $1 ocsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_server_packets'($*)) dnl
corenet_send_ocsp_server_packets($1)
corenet_receive_ocsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl
corenet_dontaudit_send_ocsp_server_packets($1)
corenet_dontaudit_receive_ocsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ocsp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_server_packets'($*)) dnl
gen_require(`
type ocsp_server_packet_t;
')
allow $1 ocsp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openflow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
allow $1 openflow_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openflow_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openflow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
allow $1 openflow_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openflow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openflow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
dontaudit $1 openflow_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openflow_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openflow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
allow $1 openflow_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openflow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openflow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
dontaudit $1 openflow_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openflow_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openflow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openflow_port'($*)) dnl
corenet_udp_send_openflow_port($1)
corenet_udp_receive_openflow_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openflow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openflow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openflow_port'($*)) dnl
corenet_dontaudit_udp_send_openflow_port($1)
corenet_dontaudit_udp_receive_openflow_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openflow_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openflow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
allow $1 openflow_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openflow_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openflow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
allow $1 openflow_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openflow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to openflow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
dontaudit $1 openflow_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openflow_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openflow port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
allow $1 openflow_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openflow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to openflow port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_openflow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openflow_port'($*)) dnl
gen_require(`
type openflow_port_t;
')
dontaudit $1 openflow_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openflow_port'($*)) dnl
')
########################################
##
## Send openflow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openflow_client_packets'($*)) dnl
gen_require(`
type openflow_client_packet_t;
')
allow $1 openflow_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openflow_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openflow_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openflow_client_packets'($*)) dnl
gen_require(`
type openflow_client_packet_t;
')
dontaudit $1 openflow_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openflow_client_packets'($*)) dnl
')
########################################
##
## Receive openflow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openflow_client_packets'($*)) dnl
gen_require(`
type openflow_client_packet_t;
')
allow $1 openflow_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openflow_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openflow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openflow_client_packets'($*)) dnl
gen_require(`
type openflow_client_packet_t;
')
dontaudit $1 openflow_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openflow_client_packets'($*)) dnl
')
########################################
##
## Send and receive openflow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openflow_client_packets'($*)) dnl
corenet_send_openflow_client_packets($1)
corenet_receive_openflow_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openflow_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openflow_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openflow_client_packets'($*)) dnl
corenet_dontaudit_send_openflow_client_packets($1)
corenet_dontaudit_receive_openflow_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openflow_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to openflow_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openflow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openflow_client_packets'($*)) dnl
gen_require(`
type openflow_client_packet_t;
')
allow $1 openflow_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openflow_client_packets'($*)) dnl
')
########################################
##
## Send openflow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openflow_server_packets'($*)) dnl
gen_require(`
type openflow_server_packet_t;
')
allow $1 openflow_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openflow_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openflow_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openflow_server_packets'($*)) dnl
gen_require(`
type openflow_server_packet_t;
')
dontaudit $1 openflow_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openflow_server_packets'($*)) dnl
')
########################################
##
## Receive openflow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openflow_server_packets'($*)) dnl
gen_require(`
type openflow_server_packet_t;
')
allow $1 openflow_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openflow_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openflow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openflow_server_packets'($*)) dnl
gen_require(`
type openflow_server_packet_t;
')
dontaudit $1 openflow_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openflow_server_packets'($*)) dnl
')
########################################
##
## Send and receive openflow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openflow_server_packets'($*)) dnl
corenet_send_openflow_server_packets($1)
corenet_receive_openflow_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openflow_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openflow_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openflow_server_packets'($*)) dnl
corenet_dontaudit_send_openflow_server_packets($1)
corenet_dontaudit_receive_openflow_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openflow_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to openflow_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openflow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openflow_server_packets'($*)) dnl
gen_require(`
type openflow_server_packet_t;
')
allow $1 openflow_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openflow_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openhpid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
allow $1 openhpid_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openhpid_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openhpid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
allow $1 openhpid_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openhpid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openhpid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
dontaudit $1 openhpid_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openhpid_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openhpid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
allow $1 openhpid_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openhpid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openhpid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
dontaudit $1 openhpid_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openhpid_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openhpid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openhpid_port'($*)) dnl
corenet_udp_send_openhpid_port($1)
corenet_udp_receive_openhpid_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openhpid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openhpid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openhpid_port'($*)) dnl
corenet_dontaudit_udp_send_openhpid_port($1)
corenet_dontaudit_udp_receive_openhpid_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openhpid_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openhpid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
allow $1 openhpid_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openhpid_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openhpid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
allow $1 openhpid_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openhpid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to openhpid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
dontaudit $1 openhpid_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openhpid_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openhpid port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
allow $1 openhpid_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openhpid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to openhpid port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_openhpid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openhpid_port'($*)) dnl
gen_require(`
type openhpid_port_t;
')
dontaudit $1 openhpid_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openhpid_port'($*)) dnl
')
########################################
##
## Send openhpid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openhpid_client_packets'($*)) dnl
gen_require(`
type openhpid_client_packet_t;
')
allow $1 openhpid_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openhpid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openhpid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openhpid_client_packets'($*)) dnl
gen_require(`
type openhpid_client_packet_t;
')
dontaudit $1 openhpid_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openhpid_client_packets'($*)) dnl
')
########################################
##
## Receive openhpid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openhpid_client_packets'($*)) dnl
gen_require(`
type openhpid_client_packet_t;
')
allow $1 openhpid_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openhpid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openhpid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openhpid_client_packets'($*)) dnl
gen_require(`
type openhpid_client_packet_t;
')
dontaudit $1 openhpid_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openhpid_client_packets'($*)) dnl
')
########################################
##
## Send and receive openhpid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openhpid_client_packets'($*)) dnl
corenet_send_openhpid_client_packets($1)
corenet_receive_openhpid_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openhpid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openhpid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openhpid_client_packets'($*)) dnl
corenet_dontaudit_send_openhpid_client_packets($1)
corenet_dontaudit_receive_openhpid_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openhpid_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to openhpid_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openhpid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openhpid_client_packets'($*)) dnl
gen_require(`
type openhpid_client_packet_t;
')
allow $1 openhpid_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openhpid_client_packets'($*)) dnl
')
########################################
##
## Send openhpid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openhpid_server_packets'($*)) dnl
gen_require(`
type openhpid_server_packet_t;
')
allow $1 openhpid_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openhpid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openhpid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openhpid_server_packets'($*)) dnl
gen_require(`
type openhpid_server_packet_t;
')
dontaudit $1 openhpid_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openhpid_server_packets'($*)) dnl
')
########################################
##
## Receive openhpid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openhpid_server_packets'($*)) dnl
gen_require(`
type openhpid_server_packet_t;
')
allow $1 openhpid_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openhpid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openhpid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openhpid_server_packets'($*)) dnl
gen_require(`
type openhpid_server_packet_t;
')
dontaudit $1 openhpid_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openhpid_server_packets'($*)) dnl
')
########################################
##
## Send and receive openhpid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openhpid_server_packets'($*)) dnl
corenet_send_openhpid_server_packets($1)
corenet_receive_openhpid_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openhpid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openhpid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openhpid_server_packets'($*)) dnl
corenet_dontaudit_send_openhpid_server_packets($1)
corenet_dontaudit_receive_openhpid_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openhpid_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to openhpid_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openhpid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openhpid_server_packets'($*)) dnl
gen_require(`
type openhpid_server_packet_t;
')
allow $1 openhpid_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openhpid_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openvpn_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
dontaudit $1 openvpn_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
dontaudit $1 openvpn_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openvpn_port'($*)) dnl
corenet_udp_send_openvpn_port($1)
corenet_udp_receive_openvpn_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl
corenet_dontaudit_udp_send_openvpn_port($1)
corenet_dontaudit_udp_receive_openvpn_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openvpn_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openvpn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to openvpn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
dontaudit $1 openvpn_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openvpn_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openvpn port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
allow $1 openvpn_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openvpn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to openvpn port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_openvpn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openvpn_port'($*)) dnl
gen_require(`
type openvpn_port_t;
')
dontaudit $1 openvpn_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openvpn_port'($*)) dnl
')
########################################
##
## Send openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
allow $1 openvpn_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openvpn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
dontaudit $1 openvpn_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl
')
########################################
##
## Receive openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
allow $1 openvpn_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
dontaudit $1 openvpn_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl
')
########################################
##
## Send and receive openvpn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_client_packets'($*)) dnl
corenet_send_openvpn_client_packets($1)
corenet_receive_openvpn_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openvpn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl
corenet_dontaudit_send_openvpn_client_packets($1)
corenet_dontaudit_receive_openvpn_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to openvpn_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openvpn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_client_packets'($*)) dnl
gen_require(`
type openvpn_client_packet_t;
')
allow $1 openvpn_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_client_packets'($*)) dnl
')
########################################
##
## Send openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
allow $1 openvpn_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openvpn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
dontaudit $1 openvpn_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl
')
########################################
##
## Receive openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
allow $1 openvpn_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
dontaudit $1 openvpn_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl
')
########################################
##
## Send and receive openvpn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_server_packets'($*)) dnl
corenet_send_openvpn_server_packets($1)
corenet_receive_openvpn_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openvpn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl
corenet_dontaudit_send_openvpn_server_packets($1)
corenet_dontaudit_receive_openvpn_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to openvpn_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_server_packets'($*)) dnl
gen_require(`
type openvpn_server_packet_t;
')
allow $1 openvpn_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openvswitch port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
allow $1 openvswitch_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openvswitch_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openvswitch port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
allow $1 openvswitch_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openvswitch_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openvswitch port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
dontaudit $1 openvswitch_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openvswitch_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openvswitch port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
allow $1 openvswitch_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openvswitch_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openvswitch port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
dontaudit $1 openvswitch_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openvswitch_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openvswitch port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openvswitch_port'($*)) dnl
corenet_udp_send_openvswitch_port($1)
corenet_udp_receive_openvswitch_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openvswitch_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openvswitch port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openvswitch_port'($*)) dnl
corenet_dontaudit_udp_send_openvswitch_port($1)
corenet_dontaudit_udp_receive_openvswitch_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openvswitch_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openvswitch port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
allow $1 openvswitch_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openvswitch_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openvswitch port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
allow $1 openvswitch_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openvswitch_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to openvswitch port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
dontaudit $1 openvswitch_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openvswitch_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openvswitch port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
allow $1 openvswitch_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openvswitch_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to openvswitch port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openvswitch_port'($*)) dnl
gen_require(`
type openvswitch_port_t;
')
dontaudit $1 openvswitch_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openvswitch_port'($*)) dnl
')
########################################
##
## Send openvswitch_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvswitch_client_packets'($*)) dnl
gen_require(`
type openvswitch_client_packet_t;
')
allow $1 openvswitch_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openvswitch_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvswitch_client_packets'($*)) dnl
gen_require(`
type openvswitch_client_packet_t;
')
dontaudit $1 openvswitch_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Receive openvswitch_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvswitch_client_packets'($*)) dnl
gen_require(`
type openvswitch_client_packet_t;
')
allow $1 openvswitch_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openvswitch_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvswitch_client_packets'($*)) dnl
gen_require(`
type openvswitch_client_packet_t;
')
dontaudit $1 openvswitch_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Send and receive openvswitch_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvswitch_client_packets'($*)) dnl
corenet_send_openvswitch_client_packets($1)
corenet_receive_openvswitch_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openvswitch_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvswitch_client_packets'($*)) dnl
corenet_dontaudit_send_openvswitch_client_packets($1)
corenet_dontaudit_receive_openvswitch_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to openvswitch_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvswitch_client_packets'($*)) dnl
gen_require(`
type openvswitch_client_packet_t;
')
allow $1 openvswitch_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvswitch_client_packets'($*)) dnl
')
########################################
##
## Send openvswitch_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvswitch_server_packets'($*)) dnl
gen_require(`
type openvswitch_server_packet_t;
')
allow $1 openvswitch_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openvswitch_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvswitch_server_packets'($*)) dnl
gen_require(`
type openvswitch_server_packet_t;
')
dontaudit $1 openvswitch_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Receive openvswitch_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvswitch_server_packets'($*)) dnl
gen_require(`
type openvswitch_server_packet_t;
')
allow $1 openvswitch_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openvswitch_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvswitch_server_packets'($*)) dnl
gen_require(`
type openvswitch_server_packet_t;
')
dontaudit $1 openvswitch_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Send and receive openvswitch_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvswitch_server_packets'($*)) dnl
corenet_send_openvswitch_server_packets($1)
corenet_receive_openvswitch_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openvswitch_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvswitch_server_packets'($*)) dnl
corenet_dontaudit_send_openvswitch_server_packets($1)
corenet_dontaudit_receive_openvswitch_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to openvswitch_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvswitch_server_packets'($*)) dnl
gen_require(`
type openvswitch_server_packet_t;
')
allow $1 openvswitch_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvswitch_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openqa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
allow $1 openqa_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openqa_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openqa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
allow $1 openqa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openqa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openqa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
dontaudit $1 openqa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openqa_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openqa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
allow $1 openqa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openqa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openqa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
dontaudit $1 openqa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openqa_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openqa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openqa_port'($*)) dnl
corenet_udp_send_openqa_port($1)
corenet_udp_receive_openqa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openqa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openqa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openqa_port'($*)) dnl
corenet_dontaudit_udp_send_openqa_port($1)
corenet_dontaudit_udp_receive_openqa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openqa_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openqa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
allow $1 openqa_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openqa_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openqa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
allow $1 openqa_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openqa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to openqa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
dontaudit $1 openqa_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openqa_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openqa port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
allow $1 openqa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openqa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to openqa port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openqa_port'($*)) dnl
gen_require(`
type openqa_port_t;
')
dontaudit $1 openqa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openqa_port'($*)) dnl
')
########################################
##
## Send openqa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_client_packets'($*)) dnl
gen_require(`
type openqa_client_packet_t;
')
allow $1 openqa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openqa_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openqa_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_client_packets'($*)) dnl
gen_require(`
type openqa_client_packet_t;
')
dontaudit $1 openqa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_client_packets'($*)) dnl
')
########################################
##
## Receive openqa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_client_packets'($*)) dnl
gen_require(`
type openqa_client_packet_t;
')
allow $1 openqa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openqa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_client_packets'($*)) dnl
gen_require(`
type openqa_client_packet_t;
')
dontaudit $1 openqa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_client_packets'($*)) dnl
')
########################################
##
## Send and receive openqa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_client_packets'($*)) dnl
corenet_send_openqa_client_packets($1)
corenet_receive_openqa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openqa_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_client_packets'($*)) dnl
corenet_dontaudit_send_openqa_client_packets($1)
corenet_dontaudit_receive_openqa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to openqa_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_client_packets'($*)) dnl
gen_require(`
type openqa_client_packet_t;
')
allow $1 openqa_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_client_packets'($*)) dnl
')
########################################
##
## Send openqa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_server_packets'($*)) dnl
gen_require(`
type openqa_server_packet_t;
')
allow $1 openqa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openqa_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openqa_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_server_packets'($*)) dnl
gen_require(`
type openqa_server_packet_t;
')
dontaudit $1 openqa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_server_packets'($*)) dnl
')
########################################
##
## Receive openqa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_server_packets'($*)) dnl
gen_require(`
type openqa_server_packet_t;
')
allow $1 openqa_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openqa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_server_packets'($*)) dnl
gen_require(`
type openqa_server_packet_t;
')
dontaudit $1 openqa_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_server_packets'($*)) dnl
')
########################################
##
## Send and receive openqa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_server_packets'($*)) dnl
corenet_send_openqa_server_packets($1)
corenet_receive_openqa_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openqa_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_server_packets'($*)) dnl
corenet_dontaudit_send_openqa_server_packets($1)
corenet_dontaudit_receive_openqa_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to openqa_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_server_packets'($*)) dnl
gen_require(`
type openqa_server_packet_t;
')
allow $1 openqa_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
allow $1 openqa_websockets_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openqa_websockets_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
allow $1 openqa_websockets_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openqa_websockets_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the openqa_websockets port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
dontaudit $1 openqa_websockets_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openqa_websockets_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
allow $1 openqa_websockets_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openqa_websockets_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the openqa_websockets port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
dontaudit $1 openqa_websockets_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openqa_websockets_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openqa_websockets_port'($*)) dnl
corenet_udp_send_openqa_websockets_port($1)
corenet_udp_receive_openqa_websockets_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openqa_websockets_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the openqa_websockets port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openqa_websockets_port'($*)) dnl
corenet_dontaudit_udp_send_openqa_websockets_port($1)
corenet_dontaudit_udp_receive_openqa_websockets_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openqa_websockets_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
allow $1 openqa_websockets_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openqa_websockets_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
allow $1 openqa_websockets_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openqa_websockets_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to openqa_websockets port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
dontaudit $1 openqa_websockets_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openqa_websockets_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
allow $1 openqa_websockets_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openqa_websockets_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to openqa_websockets port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openqa_websockets_port'($*)) dnl
gen_require(`
type openqa_websockets_port_t;
')
dontaudit $1 openqa_websockets_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openqa_websockets_port'($*)) dnl
')
########################################
##
## Send openqa_websockets_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_websockets_client_packets'($*)) dnl
gen_require(`
type openqa_websockets_client_packet_t;
')
allow $1 openqa_websockets_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openqa_websockets_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_websockets_client_packets'($*)) dnl
gen_require(`
type openqa_websockets_client_packet_t;
')
dontaudit $1 openqa_websockets_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Receive openqa_websockets_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_websockets_client_packets'($*)) dnl
gen_require(`
type openqa_websockets_client_packet_t;
')
allow $1 openqa_websockets_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openqa_websockets_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_websockets_client_packets'($*)) dnl
gen_require(`
type openqa_websockets_client_packet_t;
')
dontaudit $1 openqa_websockets_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Send and receive openqa_websockets_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_websockets_client_packets'($*)) dnl
corenet_send_openqa_websockets_client_packets($1)
corenet_receive_openqa_websockets_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openqa_websockets_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_websockets_client_packets'($*)) dnl
corenet_dontaudit_send_openqa_websockets_client_packets($1)
corenet_dontaudit_receive_openqa_websockets_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to openqa_websockets_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openqa_websockets_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_websockets_client_packets'($*)) dnl
gen_require(`
type openqa_websockets_client_packet_t;
')
allow $1 openqa_websockets_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_websockets_client_packets'($*)) dnl
')
########################################
##
## Send openqa_websockets_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_websockets_server_packets'($*)) dnl
gen_require(`
type openqa_websockets_server_packet_t;
')
allow $1 openqa_websockets_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send openqa_websockets_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_websockets_server_packets'($*)) dnl
gen_require(`
type openqa_websockets_server_packet_t;
')
dontaudit $1 openqa_websockets_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Receive openqa_websockets_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_websockets_server_packets'($*)) dnl
gen_require(`
type openqa_websockets_server_packet_t;
')
allow $1 openqa_websockets_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive openqa_websockets_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_websockets_server_packets'($*)) dnl
gen_require(`
type openqa_websockets_server_packet_t;
')
dontaudit $1 openqa_websockets_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Send and receive openqa_websockets_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_websockets_server_packets'($*)) dnl
corenet_send_openqa_websockets_server_packets($1)
corenet_receive_openqa_websockets_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive openqa_websockets_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_websockets_server_packets'($*)) dnl
corenet_dontaudit_send_openqa_websockets_server_packets($1)
corenet_dontaudit_receive_openqa_websockets_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to openqa_websockets_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_openqa_websockets_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_websockets_server_packets'($*)) dnl
gen_require(`
type openqa_websockets_server_packet_t;
')
allow $1 openqa_websockets_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_websockets_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
allow $1 osapi_compute_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_osapi_compute_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
allow $1 osapi_compute_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_osapi_compute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the osapi_compute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
dontaudit $1 osapi_compute_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_osapi_compute_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
allow $1 osapi_compute_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_osapi_compute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the osapi_compute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
dontaudit $1 osapi_compute_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_osapi_compute_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_osapi_compute_port'($*)) dnl
corenet_udp_send_osapi_compute_port($1)
corenet_udp_receive_osapi_compute_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_osapi_compute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the osapi_compute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_osapi_compute_port'($*)) dnl
corenet_dontaudit_udp_send_osapi_compute_port($1)
corenet_dontaudit_udp_receive_osapi_compute_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_osapi_compute_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
allow $1 osapi_compute_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_osapi_compute_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
allow $1 osapi_compute_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_osapi_compute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to osapi_compute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
dontaudit $1 osapi_compute_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_osapi_compute_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the osapi_compute port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
allow $1 osapi_compute_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_osapi_compute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to osapi_compute port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_osapi_compute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_osapi_compute_port'($*)) dnl
gen_require(`
type osapi_compute_port_t;
')
dontaudit $1 osapi_compute_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_osapi_compute_port'($*)) dnl
')
########################################
##
## Send osapi_compute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_osapi_compute_client_packets'($*)) dnl
gen_require(`
type osapi_compute_client_packet_t;
')
allow $1 osapi_compute_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send osapi_compute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_osapi_compute_client_packets'($*)) dnl
gen_require(`
type osapi_compute_client_packet_t;
')
dontaudit $1 osapi_compute_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Receive osapi_compute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_osapi_compute_client_packets'($*)) dnl
gen_require(`
type osapi_compute_client_packet_t;
')
allow $1 osapi_compute_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive osapi_compute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_osapi_compute_client_packets'($*)) dnl
gen_require(`
type osapi_compute_client_packet_t;
')
dontaudit $1 osapi_compute_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Send and receive osapi_compute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_osapi_compute_client_packets'($*)) dnl
corenet_send_osapi_compute_client_packets($1)
corenet_receive_osapi_compute_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive osapi_compute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_osapi_compute_client_packets'($*)) dnl
corenet_dontaudit_send_osapi_compute_client_packets($1)
corenet_dontaudit_receive_osapi_compute_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to osapi_compute_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_osapi_compute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_osapi_compute_client_packets'($*)) dnl
gen_require(`
type osapi_compute_client_packet_t;
')
allow $1 osapi_compute_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_osapi_compute_client_packets'($*)) dnl
')
########################################
##
## Send osapi_compute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_osapi_compute_server_packets'($*)) dnl
gen_require(`
type osapi_compute_server_packet_t;
')
allow $1 osapi_compute_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send osapi_compute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_osapi_compute_server_packets'($*)) dnl
gen_require(`
type osapi_compute_server_packet_t;
')
dontaudit $1 osapi_compute_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Receive osapi_compute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_osapi_compute_server_packets'($*)) dnl
gen_require(`
type osapi_compute_server_packet_t;
')
allow $1 osapi_compute_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive osapi_compute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_osapi_compute_server_packets'($*)) dnl
gen_require(`
type osapi_compute_server_packet_t;
')
dontaudit $1 osapi_compute_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Send and receive osapi_compute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_osapi_compute_server_packets'($*)) dnl
corenet_send_osapi_compute_server_packets($1)
corenet_receive_osapi_compute_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive osapi_compute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_osapi_compute_server_packets'($*)) dnl
corenet_dontaudit_send_osapi_compute_server_packets($1)
corenet_dontaudit_receive_osapi_compute_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to osapi_compute_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_osapi_compute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_osapi_compute_server_packets'($*)) dnl
gen_require(`
type osapi_compute_server_packet_t;
')
allow $1 osapi_compute_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_osapi_compute_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ovsdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
allow $1 ovsdb_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ovsdb_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ovsdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
allow $1 ovsdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ovsdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ovsdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
dontaudit $1 ovsdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ovsdb_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ovsdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
allow $1 ovsdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ovsdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ovsdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
dontaudit $1 ovsdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ovsdb_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ovsdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ovsdb_port'($*)) dnl
corenet_udp_send_ovsdb_port($1)
corenet_udp_receive_ovsdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ovsdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ovsdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ovsdb_port'($*)) dnl
corenet_dontaudit_udp_send_ovsdb_port($1)
corenet_dontaudit_udp_receive_ovsdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ovsdb_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ovsdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
allow $1 ovsdb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ovsdb_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ovsdb port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
allow $1 ovsdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ovsdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ovsdb port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
dontaudit $1 ovsdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ovsdb_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ovsdb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
allow $1 ovsdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ovsdb_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ovsdb port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ovsdb_port'($*)) dnl
gen_require(`
type ovsdb_port_t;
')
dontaudit $1 ovsdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ovsdb_port'($*)) dnl
')
########################################
##
## Send ovsdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ovsdb_client_packets'($*)) dnl
gen_require(`
type ovsdb_client_packet_t;
')
allow $1 ovsdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ovsdb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ovsdb_client_packets'($*)) dnl
gen_require(`
type ovsdb_client_packet_t;
')
dontaudit $1 ovsdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Receive ovsdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ovsdb_client_packets'($*)) dnl
gen_require(`
type ovsdb_client_packet_t;
')
allow $1 ovsdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ovsdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ovsdb_client_packets'($*)) dnl
gen_require(`
type ovsdb_client_packet_t;
')
dontaudit $1 ovsdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Send and receive ovsdb_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ovsdb_client_packets'($*)) dnl
corenet_send_ovsdb_client_packets($1)
corenet_receive_ovsdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ovsdb_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ovsdb_client_packets'($*)) dnl
corenet_dontaudit_send_ovsdb_client_packets($1)
corenet_dontaudit_receive_ovsdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ovsdb_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ovsdb_client_packets'($*)) dnl
gen_require(`
type ovsdb_client_packet_t;
')
allow $1 ovsdb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ovsdb_client_packets'($*)) dnl
')
########################################
##
## Send ovsdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ovsdb_server_packets'($*)) dnl
gen_require(`
type ovsdb_server_packet_t;
')
allow $1 ovsdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ovsdb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ovsdb_server_packets'($*)) dnl
gen_require(`
type ovsdb_server_packet_t;
')
dontaudit $1 ovsdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Receive ovsdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ovsdb_server_packets'($*)) dnl
gen_require(`
type ovsdb_server_packet_t;
')
allow $1 ovsdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ovsdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ovsdb_server_packets'($*)) dnl
gen_require(`
type ovsdb_server_packet_t;
')
dontaudit $1 ovsdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Send and receive ovsdb_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ovsdb_server_packets'($*)) dnl
corenet_send_ovsdb_server_packets($1)
corenet_receive_ovsdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ovsdb_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ovsdb_server_packets'($*)) dnl
corenet_dontaudit_send_ovsdb_server_packets($1)
corenet_dontaudit_receive_ovsdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ovsdb_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ovsdb_server_packets'($*)) dnl
gen_require(`
type ovsdb_server_packet_t;
')
allow $1 ovsdb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ovsdb_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pdps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
allow $1 pdps_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pdps_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pdps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
allow $1 pdps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pdps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pdps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
dontaudit $1 pdps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pdps_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pdps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
allow $1 pdps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pdps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pdps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
dontaudit $1 pdps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pdps_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pdps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pdps_port'($*)) dnl
corenet_udp_send_pdps_port($1)
corenet_udp_receive_pdps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pdps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pdps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pdps_port'($*)) dnl
corenet_dontaudit_udp_send_pdps_port($1)
corenet_dontaudit_udp_receive_pdps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pdps_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pdps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
allow $1 pdps_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pdps_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pdps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
allow $1 pdps_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pdps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pdps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
dontaudit $1 pdps_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pdps_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pdps port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
allow $1 pdps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pdps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pdps port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pdps_port'($*)) dnl
gen_require(`
type pdps_port_t;
')
dontaudit $1 pdps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pdps_port'($*)) dnl
')
########################################
##
## Send pdps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pdps_client_packets'($*)) dnl
gen_require(`
type pdps_client_packet_t;
')
allow $1 pdps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pdps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pdps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pdps_client_packets'($*)) dnl
gen_require(`
type pdps_client_packet_t;
')
dontaudit $1 pdps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pdps_client_packets'($*)) dnl
')
########################################
##
## Receive pdps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pdps_client_packets'($*)) dnl
gen_require(`
type pdps_client_packet_t;
')
allow $1 pdps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pdps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pdps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pdps_client_packets'($*)) dnl
gen_require(`
type pdps_client_packet_t;
')
dontaudit $1 pdps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pdps_client_packets'($*)) dnl
')
########################################
##
## Send and receive pdps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pdps_client_packets'($*)) dnl
corenet_send_pdps_client_packets($1)
corenet_receive_pdps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pdps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pdps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pdps_client_packets'($*)) dnl
corenet_dontaudit_send_pdps_client_packets($1)
corenet_dontaudit_receive_pdps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pdps_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pdps_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pdps_client_packets'($*)) dnl
gen_require(`
type pdps_client_packet_t;
')
allow $1 pdps_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pdps_client_packets'($*)) dnl
')
########################################
##
## Send pdps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pdps_server_packets'($*)) dnl
gen_require(`
type pdps_server_packet_t;
')
allow $1 pdps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pdps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pdps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pdps_server_packets'($*)) dnl
gen_require(`
type pdps_server_packet_t;
')
dontaudit $1 pdps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pdps_server_packets'($*)) dnl
')
########################################
##
## Receive pdps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pdps_server_packets'($*)) dnl
gen_require(`
type pdps_server_packet_t;
')
allow $1 pdps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pdps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pdps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pdps_server_packets'($*)) dnl
gen_require(`
type pdps_server_packet_t;
')
dontaudit $1 pdps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pdps_server_packets'($*)) dnl
')
########################################
##
## Send and receive pdps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pdps_server_packets'($*)) dnl
corenet_send_pdps_server_packets($1)
corenet_receive_pdps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pdps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pdps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pdps_server_packets'($*)) dnl
corenet_dontaudit_send_pdps_server_packets($1)
corenet_dontaudit_receive_pdps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pdps_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pdps_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pdps_server_packets'($*)) dnl
gen_require(`
type pdps_server_packet_t;
')
allow $1 pdps_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pdps_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
dontaudit $1 pegasus_http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
dontaudit $1 pegasus_http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl
corenet_udp_send_pegasus_http_port($1)
corenet_udp_receive_pegasus_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl
corenet_dontaudit_udp_send_pegasus_http_port($1)
corenet_dontaudit_udp_receive_pegasus_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_http_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pegasus_http port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
dontaudit $1 pegasus_http_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pegasus_http_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pegasus_http port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
allow $1 pegasus_http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_http_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pegasus_http port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pegasus_http_port'($*)) dnl
gen_require(`
type pegasus_http_port_t;
')
dontaudit $1 pegasus_http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pegasus_http_port'($*)) dnl
')
########################################
##
## Send pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
allow $1 pegasus_http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
dontaudit $1 pegasus_http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Receive pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
allow $1 pegasus_http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
dontaudit $1 pegasus_http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_http_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl
corenet_send_pegasus_http_client_packets($1)
corenet_receive_pegasus_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_http_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl
corenet_dontaudit_send_pegasus_http_client_packets($1)
corenet_dontaudit_receive_pegasus_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pegasus_http_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_client_packets'($*)) dnl
gen_require(`
type pegasus_http_client_packet_t;
')
allow $1 pegasus_http_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_client_packets'($*)) dnl
')
########################################
##
## Send pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
allow $1 pegasus_http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
dontaudit $1 pegasus_http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Receive pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
allow $1 pegasus_http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
dontaudit $1 pegasus_http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_http_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl
corenet_send_pegasus_http_server_packets($1)
corenet_receive_pegasus_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_http_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl
corenet_dontaudit_send_pegasus_http_server_packets($1)
corenet_dontaudit_receive_pegasus_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pegasus_http_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_server_packets'($*)) dnl
gen_require(`
type pegasus_http_server_packet_t;
')
allow $1 pegasus_http_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
dontaudit $1 pegasus_https_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
dontaudit $1 pegasus_https_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl
corenet_udp_send_pegasus_https_port($1)
corenet_udp_receive_pegasus_https_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl
corenet_dontaudit_udp_send_pegasus_https_port($1)
corenet_dontaudit_udp_receive_pegasus_https_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_https_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pegasus_https port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
dontaudit $1 pegasus_https_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pegasus_https_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pegasus_https port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
allow $1 pegasus_https_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_https_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pegasus_https port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pegasus_https_port'($*)) dnl
gen_require(`
type pegasus_https_port_t;
')
dontaudit $1 pegasus_https_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pegasus_https_port'($*)) dnl
')
########################################
##
## Send pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
allow $1 pegasus_https_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_https_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
dontaudit $1 pegasus_https_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Receive pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
allow $1 pegasus_https_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
dontaudit $1 pegasus_https_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_https_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl
corenet_send_pegasus_https_client_packets($1)
corenet_receive_pegasus_https_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_https_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl
corenet_dontaudit_send_pegasus_https_client_packets($1)
corenet_dontaudit_receive_pegasus_https_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pegasus_https_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_client_packets'($*)) dnl
gen_require(`
type pegasus_https_client_packet_t;
')
allow $1 pegasus_https_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_client_packets'($*)) dnl
')
########################################
##
## Send pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
allow $1 pegasus_https_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pegasus_https_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
dontaudit $1 pegasus_https_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Receive pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
allow $1 pegasus_https_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
dontaudit $1 pegasus_https_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Send and receive pegasus_https_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl
corenet_send_pegasus_https_server_packets($1)
corenet_receive_pegasus_https_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pegasus_https_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl
corenet_dontaudit_send_pegasus_https_server_packets($1)
corenet_dontaudit_receive_pegasus_https_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pegasus_https_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_server_packets'($*)) dnl
gen_require(`
type pegasus_https_server_packet_t;
')
allow $1 pegasus_https_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
dontaudit $1 pgpkeyserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
dontaudit $1 pgpkeyserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl
corenet_udp_send_pgpkeyserver_port($1)
corenet_udp_receive_pgpkeyserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl
corenet_dontaudit_udp_send_pgpkeyserver_port($1)
corenet_dontaudit_udp_receive_pgpkeyserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pgpkeyserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
dontaudit $1 pgpkeyserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
allow $1 pgpkeyserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pgpkeyserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pgpkeyserver_port'($*)) dnl
gen_require(`
type pgpkeyserver_port_t;
')
dontaudit $1 pgpkeyserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pgpkeyserver_port'($*)) dnl
')
########################################
##
## Send pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
allow $1 pgpkeyserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pgpkeyserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
dontaudit $1 pgpkeyserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Receive pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
allow $1 pgpkeyserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
dontaudit $1 pgpkeyserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive pgpkeyserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_client_packets'($*)) dnl
corenet_send_pgpkeyserver_client_packets($1)
corenet_receive_pgpkeyserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pgpkeyserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*)) dnl
corenet_dontaudit_send_pgpkeyserver_client_packets($1)
corenet_dontaudit_receive_pgpkeyserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pgpkeyserver_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_client_packets'($*)) dnl
gen_require(`
type pgpkeyserver_client_packet_t;
')
allow $1 pgpkeyserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_client_packets'($*)) dnl
')
########################################
##
## Send pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
allow $1 pgpkeyserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pgpkeyserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
dontaudit $1 pgpkeyserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Receive pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
allow $1 pgpkeyserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
dontaudit $1 pgpkeyserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive pgpkeyserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_server_packets'($*)) dnl
corenet_send_pgpkeyserver_server_packets($1)
corenet_receive_pgpkeyserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pgpkeyserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*)) dnl
corenet_dontaudit_send_pgpkeyserver_server_packets($1)
corenet_dontaudit_receive_pgpkeyserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pgpkeyserver_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pgpkeyserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_server_packets'($*)) dnl
gen_require(`
type pgpkeyserver_server_packet_t;
')
allow $1 pgpkeyserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pingd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
allow $1 pingd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pingd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pingd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
allow $1 pingd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pingd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pingd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
dontaudit $1 pingd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pingd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pingd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
allow $1 pingd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pingd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pingd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
dontaudit $1 pingd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pingd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pingd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pingd_port'($*)) dnl
corenet_udp_send_pingd_port($1)
corenet_udp_receive_pingd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pingd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pingd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pingd_port'($*)) dnl
corenet_dontaudit_udp_send_pingd_port($1)
corenet_dontaudit_udp_receive_pingd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pingd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pingd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
allow $1 pingd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pingd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pingd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
allow $1 pingd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pingd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pingd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
dontaudit $1 pingd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pingd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pingd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
allow $1 pingd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pingd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pingd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pingd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pingd_port'($*)) dnl
gen_require(`
type pingd_port_t;
')
dontaudit $1 pingd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pingd_port'($*)) dnl
')
########################################
##
## Send pingd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pingd_client_packets'($*)) dnl
gen_require(`
type pingd_client_packet_t;
')
allow $1 pingd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pingd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pingd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pingd_client_packets'($*)) dnl
gen_require(`
type pingd_client_packet_t;
')
dontaudit $1 pingd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pingd_client_packets'($*)) dnl
')
########################################
##
## Receive pingd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pingd_client_packets'($*)) dnl
gen_require(`
type pingd_client_packet_t;
')
allow $1 pingd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pingd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pingd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pingd_client_packets'($*)) dnl
gen_require(`
type pingd_client_packet_t;
')
dontaudit $1 pingd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pingd_client_packets'($*)) dnl
')
########################################
##
## Send and receive pingd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pingd_client_packets'($*)) dnl
corenet_send_pingd_client_packets($1)
corenet_receive_pingd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pingd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pingd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pingd_client_packets'($*)) dnl
corenet_dontaudit_send_pingd_client_packets($1)
corenet_dontaudit_receive_pingd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pingd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pingd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pingd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pingd_client_packets'($*)) dnl
gen_require(`
type pingd_client_packet_t;
')
allow $1 pingd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pingd_client_packets'($*)) dnl
')
########################################
##
## Send pingd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pingd_server_packets'($*)) dnl
gen_require(`
type pingd_server_packet_t;
')
allow $1 pingd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pingd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pingd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pingd_server_packets'($*)) dnl
gen_require(`
type pingd_server_packet_t;
')
dontaudit $1 pingd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pingd_server_packets'($*)) dnl
')
########################################
##
## Receive pingd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pingd_server_packets'($*)) dnl
gen_require(`
type pingd_server_packet_t;
')
allow $1 pingd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pingd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pingd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pingd_server_packets'($*)) dnl
gen_require(`
type pingd_server_packet_t;
')
dontaudit $1 pingd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pingd_server_packets'($*)) dnl
')
########################################
##
## Send and receive pingd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pingd_server_packets'($*)) dnl
corenet_send_pingd_server_packets($1)
corenet_receive_pingd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pingd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pingd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pingd_server_packets'($*)) dnl
corenet_dontaudit_send_pingd_server_packets($1)
corenet_dontaudit_receive_pingd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pingd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pingd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pingd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pingd_server_packets'($*)) dnl
gen_require(`
type pingd_server_packet_t;
')
allow $1 pingd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pingd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ca_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
dontaudit $1 pki_ca_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ca_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
dontaudit $1 pki_ca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ca_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ca_port'($*)) dnl
corenet_udp_send_pki_ca_port($1)
corenet_udp_receive_pki_ca_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ca_port'($*)) dnl
corenet_dontaudit_udp_send_pki_ca_port($1)
corenet_dontaudit_udp_receive_pki_ca_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ca_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ca_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_ca port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pki_ca port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
dontaudit $1 pki_ca_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_ca_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_ca port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
allow $1 pki_ca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ca_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pki_ca port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pki_ca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_ca_port'($*)) dnl
gen_require(`
type pki_ca_port_t;
')
dontaudit $1 pki_ca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_ca_port'($*)) dnl
')
########################################
##
## Send pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
allow $1 pki_ca_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
dontaudit $1 pki_ca_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Receive pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
allow $1 pki_ca_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
dontaudit $1 pki_ca_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ca_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ca_client_packets'($*)) dnl
corenet_send_pki_ca_client_packets($1)
corenet_receive_pki_ca_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ca_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ca_client_packets'($*)) dnl
corenet_dontaudit_send_pki_ca_client_packets($1)
corenet_dontaudit_receive_pki_ca_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_ca_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ca_client_packets'($*)) dnl
gen_require(`
type pki_ca_client_packet_t;
')
allow $1 pki_ca_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ca_client_packets'($*)) dnl
')
########################################
##
## Send pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
allow $1 pki_ca_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
dontaudit $1 pki_ca_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Receive pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
allow $1 pki_ca_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
dontaudit $1 pki_ca_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ca_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ca_server_packets'($*)) dnl
corenet_send_pki_ca_server_packets($1)
corenet_receive_pki_ca_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ca_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ca_server_packets'($*)) dnl
corenet_dontaudit_send_pki_ca_server_packets($1)
corenet_dontaudit_receive_pki_ca_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_ca_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ca_server_packets'($*)) dnl
gen_require(`
type pki_ca_server_packet_t;
')
allow $1 pki_ca_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ca_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_kra_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
dontaudit $1 pki_kra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_kra_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
dontaudit $1 pki_kra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_kra_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_kra_port'($*)) dnl
corenet_udp_send_pki_kra_port($1)
corenet_udp_receive_pki_kra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_kra_port'($*)) dnl
corenet_dontaudit_udp_send_pki_kra_port($1)
corenet_dontaudit_udp_receive_pki_kra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_kra_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_kra_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_kra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pki_kra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
dontaudit $1 pki_kra_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_kra_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_kra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
allow $1 pki_kra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_kra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pki_kra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_kra_port'($*)) dnl
gen_require(`
type pki_kra_port_t;
')
dontaudit $1 pki_kra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_kra_port'($*)) dnl
')
########################################
##
## Send pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
allow $1 pki_kra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_kra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
dontaudit $1 pki_kra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Receive pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
allow $1 pki_kra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
dontaudit $1 pki_kra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_kra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_kra_client_packets'($*)) dnl
corenet_send_pki_kra_client_packets($1)
corenet_receive_pki_kra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_kra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_kra_client_packets'($*)) dnl
corenet_dontaudit_send_pki_kra_client_packets($1)
corenet_dontaudit_receive_pki_kra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_kra_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_kra_client_packets'($*)) dnl
gen_require(`
type pki_kra_client_packet_t;
')
allow $1 pki_kra_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_kra_client_packets'($*)) dnl
')
########################################
##
## Send pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_kra_server_packets'($*)) dnl
gen_require(`
type pki_kra_server_packet_t;
')
allow $1 pki_kra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_kra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_kra_server_packets'($*)) dnl
gen_require(`
type pki_kra_server_packet_t;
')
dontaudit $1 pki_kra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Receive pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_kra_server_packets'($*)) dnl
gen_require(`
type pki_kra_server_packet_t;
')
allow $1 pki_kra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_kra_server_packets'($*)) dnl
gen_require(`
type pki_kra_server_packet_t;
')
dontaudit $1 pki_kra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_kra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_kra_server_packets'($*)) dnl
corenet_send_pki_kra_server_packets($1)
corenet_receive_pki_kra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_kra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_kra_server_packets'($*)) dnl
corenet_dontaudit_send_pki_kra_server_packets($1)
corenet_dontaudit_receive_pki_kra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_kra_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_kra_server_packets'($*)) dnl
gen_require(`
type pki_kra_server_packet_t;
')
allow $1 pki_kra_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_kra_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ocsp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
dontaudit $1 pki_ocsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ocsp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
dontaudit $1 pki_ocsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ocsp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ocsp_port'($*)) dnl
corenet_udp_send_pki_ocsp_port($1)
corenet_udp_receive_pki_ocsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ocsp_port'($*)) dnl
corenet_dontaudit_udp_send_pki_ocsp_port($1)
corenet_dontaudit_udp_receive_pki_ocsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ocsp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ocsp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pki_ocsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
dontaudit $1 pki_ocsp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_ocsp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
allow $1 pki_ocsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ocsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pki_ocsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_ocsp_port'($*)) dnl
gen_require(`
type pki_ocsp_port_t;
')
dontaudit $1 pki_ocsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_ocsp_port'($*)) dnl
')
########################################
##
## Send pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ocsp_client_packets'($*)) dnl
gen_require(`
type pki_ocsp_client_packet_t;
')
allow $1 pki_ocsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ocsp_client_packets'($*)) dnl
gen_require(`
type pki_ocsp_client_packet_t;
')
dontaudit $1 pki_ocsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Receive pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ocsp_client_packets'($*)) dnl
gen_require(`
type pki_ocsp_client_packet_t;
')
allow $1 pki_ocsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ocsp_client_packets'($*)) dnl
gen_require(`
type pki_ocsp_client_packet_t;
')
dontaudit $1 pki_ocsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ocsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ocsp_client_packets'($*)) dnl
corenet_send_pki_ocsp_client_packets($1)
corenet_receive_pki_ocsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ocsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ocsp_client_packets'($*)) dnl
corenet_dontaudit_send_pki_ocsp_client_packets($1)
corenet_dontaudit_receive_pki_ocsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_ocsp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ocsp_client_packets'($*)) dnl
gen_require(`
type pki_ocsp_client_packet_t;
')
allow $1 pki_ocsp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ocsp_client_packets'($*)) dnl
')
########################################
##
## Send pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ocsp_server_packets'($*)) dnl
gen_require(`
type pki_ocsp_server_packet_t;
')
allow $1 pki_ocsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ocsp_server_packets'($*)) dnl
gen_require(`
type pki_ocsp_server_packet_t;
')
dontaudit $1 pki_ocsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Receive pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ocsp_server_packets'($*)) dnl
gen_require(`
type pki_ocsp_server_packet_t;
')
allow $1 pki_ocsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ocsp_server_packets'($*)) dnl
gen_require(`
type pki_ocsp_server_packet_t;
')
dontaudit $1 pki_ocsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ocsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ocsp_server_packets'($*)) dnl
corenet_send_pki_ocsp_server_packets($1)
corenet_receive_pki_ocsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ocsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ocsp_server_packets'($*)) dnl
corenet_dontaudit_send_pki_ocsp_server_packets($1)
corenet_dontaudit_receive_pki_ocsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_ocsp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ocsp_server_packets'($*)) dnl
gen_require(`
type pki_ocsp_server_packet_t;
')
allow $1 pki_ocsp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ocsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_tks_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
dontaudit $1 pki_tks_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_tks_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
dontaudit $1 pki_tks_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_tks_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_tks_port'($*)) dnl
corenet_udp_send_pki_tks_port($1)
corenet_udp_receive_pki_tks_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_tks_port'($*)) dnl
corenet_dontaudit_udp_send_pki_tks_port($1)
corenet_dontaudit_udp_receive_pki_tks_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_tks_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_tks_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_tks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pki_tks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
dontaudit $1 pki_tks_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_tks_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_tks port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
allow $1 pki_tks_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_tks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pki_tks port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_tks_port'($*)) dnl
gen_require(`
type pki_tks_port_t;
')
dontaudit $1 pki_tks_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_tks_port'($*)) dnl
')
########################################
##
## Send pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
allow $1 pki_tks_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
dontaudit $1 pki_tks_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Receive pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
allow $1 pki_tks_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
dontaudit $1 pki_tks_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tks_client_packets'($*)) dnl
corenet_send_pki_tks_client_packets($1)
corenet_receive_pki_tks_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tks_client_packets'($*)) dnl
corenet_dontaudit_send_pki_tks_client_packets($1)
corenet_dontaudit_receive_pki_tks_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_tks_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tks_client_packets'($*)) dnl
gen_require(`
type pki_tks_client_packet_t;
')
allow $1 pki_tks_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tks_client_packets'($*)) dnl
')
########################################
##
## Send pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
allow $1 pki_tks_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
dontaudit $1 pki_tks_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Receive pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
allow $1 pki_tks_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
dontaudit $1 pki_tks_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tks_server_packets'($*)) dnl
corenet_send_pki_tks_server_packets($1)
corenet_receive_pki_tks_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tks_server_packets'($*)) dnl
corenet_dontaudit_send_pki_tks_server_packets($1)
corenet_dontaudit_receive_pki_tks_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_tks_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tks_server_packets'($*)) dnl
gen_require(`
type pki_tks_server_packet_t;
')
allow $1 pki_tks_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tks_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ra_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
dontaudit $1 pki_ra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ra_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
dontaudit $1 pki_ra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ra_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ra_port'($*)) dnl
corenet_udp_send_pki_ra_port($1)
corenet_udp_receive_pki_ra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ra_port'($*)) dnl
corenet_dontaudit_udp_send_pki_ra_port($1)
corenet_dontaudit_udp_receive_pki_ra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ra_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ra_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_ra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pki_ra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
dontaudit $1 pki_ra_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_ra_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_ra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
allow $1 pki_ra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pki_ra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_ra_port'($*)) dnl
gen_require(`
type pki_ra_port_t;
')
dontaudit $1 pki_ra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_ra_port'($*)) dnl
')
########################################
##
## Send pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
allow $1 pki_ra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
dontaudit $1 pki_ra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Receive pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
allow $1 pki_ra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
dontaudit $1 pki_ra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ra_client_packets'($*)) dnl
corenet_send_pki_ra_client_packets($1)
corenet_receive_pki_ra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ra_client_packets'($*)) dnl
corenet_dontaudit_send_pki_ra_client_packets($1)
corenet_dontaudit_receive_pki_ra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_ra_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ra_client_packets'($*)) dnl
gen_require(`
type pki_ra_client_packet_t;
')
allow $1 pki_ra_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ra_client_packets'($*)) dnl
')
########################################
##
## Send pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
allow $1 pki_ra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_ra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
dontaudit $1 pki_ra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Receive pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
allow $1 pki_ra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
dontaudit $1 pki_ra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_ra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ra_server_packets'($*)) dnl
corenet_send_pki_ra_server_packets($1)
corenet_receive_pki_ra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_ra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ra_server_packets'($*)) dnl
corenet_dontaudit_send_pki_ra_server_packets($1)
corenet_dontaudit_receive_pki_ra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_ra_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ra_server_packets'($*)) dnl
gen_require(`
type pki_ra_server_packet_t;
')
allow $1 pki_ra_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ra_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_tps_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
dontaudit $1 pki_tps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_tps_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
dontaudit $1 pki_tps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_tps_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_tps_port'($*)) dnl
corenet_udp_send_pki_tps_port($1)
corenet_udp_receive_pki_tps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_tps_port'($*)) dnl
corenet_dontaudit_udp_send_pki_tps_port($1)
corenet_dontaudit_udp_receive_pki_tps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_tps_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_tps_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pki_tps port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pki_tps port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
dontaudit $1 pki_tps_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_tps_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pki_tps port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
allow $1 pki_tps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_tps_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pki_tps port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_tps_port'($*)) dnl
gen_require(`
type pki_tps_port_t;
')
dontaudit $1 pki_tps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_tps_port'($*)) dnl
')
########################################
##
## Send pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
allow $1 pki_tps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
dontaudit $1 pki_tps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Receive pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
allow $1 pki_tps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
dontaudit $1 pki_tps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tps_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tps_client_packets'($*)) dnl
corenet_send_pki_tps_client_packets($1)
corenet_receive_pki_tps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tps_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tps_client_packets'($*)) dnl
corenet_dontaudit_send_pki_tps_client_packets($1)
corenet_dontaudit_receive_pki_tps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_tps_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tps_client_packets'($*)) dnl
gen_require(`
type pki_tps_client_packet_t;
')
allow $1 pki_tps_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tps_client_packets'($*)) dnl
')
########################################
##
## Send pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
allow $1 pki_tps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pki_tps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
dontaudit $1 pki_tps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Receive pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
allow $1 pki_tps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
dontaudit $1 pki_tps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Send and receive pki_tps_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tps_server_packets'($*)) dnl
corenet_send_pki_tps_server_packets($1)
corenet_receive_pki_tps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pki_tps_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tps_server_packets'($*)) dnl
corenet_dontaudit_send_pki_tps_server_packets($1)
corenet_dontaudit_receive_pki_tps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pki_tps_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tps_server_packets'($*)) dnl
gen_require(`
type pki_tps_server_packet_t;
')
allow $1 pki_tps_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tps_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
allow $1 pktcable_cops_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pktcable_cops_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
allow $1 pktcable_cops_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pktcable_cops_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pktcable_cops port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
dontaudit $1 pktcable_cops_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pktcable_cops_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
allow $1 pktcable_cops_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pktcable_cops_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pktcable_cops port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
dontaudit $1 pktcable_cops_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pktcable_cops_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pktcable_cops_port'($*)) dnl
corenet_udp_send_pktcable_cops_port($1)
corenet_udp_receive_pktcable_cops_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pktcable_cops_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pktcable_cops port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pktcable_cops_port'($*)) dnl
corenet_dontaudit_udp_send_pktcable_cops_port($1)
corenet_dontaudit_udp_receive_pktcable_cops_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pktcable_cops_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
allow $1 pktcable_cops_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pktcable_cops_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
allow $1 pktcable_cops_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pktcable_cops_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pktcable_cops port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
dontaudit $1 pktcable_cops_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pktcable_cops_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
allow $1 pktcable_cops_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pktcable_cops_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pktcable_cops port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pktcable_cops_port'($*)) dnl
gen_require(`
type pktcable_cops_port_t;
')
dontaudit $1 pktcable_cops_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pktcable_cops_port'($*)) dnl
')
########################################
##
## Send pktcable_cops_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pktcable_cops_client_packets'($*)) dnl
gen_require(`
type pktcable_cops_client_packet_t;
')
allow $1 pktcable_cops_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pktcable_cops_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pktcable_cops_client_packets'($*)) dnl
gen_require(`
type pktcable_cops_client_packet_t;
')
dontaudit $1 pktcable_cops_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Receive pktcable_cops_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pktcable_cops_client_packets'($*)) dnl
gen_require(`
type pktcable_cops_client_packet_t;
')
allow $1 pktcable_cops_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pktcable_cops_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pktcable_cops_client_packets'($*)) dnl
gen_require(`
type pktcable_cops_client_packet_t;
')
dontaudit $1 pktcable_cops_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Send and receive pktcable_cops_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pktcable_cops_client_packets'($*)) dnl
corenet_send_pktcable_cops_client_packets($1)
corenet_receive_pktcable_cops_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pktcable_cops_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pktcable_cops_client_packets'($*)) dnl
corenet_dontaudit_send_pktcable_cops_client_packets($1)
corenet_dontaudit_receive_pktcable_cops_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pktcable_cops_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pktcable_cops_client_packets'($*)) dnl
gen_require(`
type pktcable_cops_client_packet_t;
')
allow $1 pktcable_cops_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pktcable_cops_client_packets'($*)) dnl
')
########################################
##
## Send pktcable_cops_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pktcable_cops_server_packets'($*)) dnl
gen_require(`
type pktcable_cops_server_packet_t;
')
allow $1 pktcable_cops_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pktcable_cops_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pktcable_cops_server_packets'($*)) dnl
gen_require(`
type pktcable_cops_server_packet_t;
')
dontaudit $1 pktcable_cops_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Receive pktcable_cops_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pktcable_cops_server_packets'($*)) dnl
gen_require(`
type pktcable_cops_server_packet_t;
')
allow $1 pktcable_cops_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pktcable_cops_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pktcable_cops_server_packets'($*)) dnl
gen_require(`
type pktcable_cops_server_packet_t;
')
dontaudit $1 pktcable_cops_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Send and receive pktcable_cops_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pktcable_cops_server_packets'($*)) dnl
corenet_send_pktcable_cops_server_packets($1)
corenet_receive_pktcable_cops_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pktcable_cops_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pktcable_cops_server_packets'($*)) dnl
corenet_dontaudit_send_pktcable_cops_server_packets($1)
corenet_dontaudit_receive_pktcable_cops_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pktcable_cops_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pktcable_cops_server_packets'($*)) dnl
gen_require(`
type pktcable_cops_server_packet_t;
')
allow $1 pktcable_cops_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pktcable_cops_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pop_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
dontaudit $1 pop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pop_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
dontaudit $1 pop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pop_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pop_port'($*)) dnl
corenet_udp_send_pop_port($1)
corenet_udp_receive_pop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl
corenet_dontaudit_udp_send_pop_port($1)
corenet_dontaudit_udp_receive_pop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pop_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pop port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
dontaudit $1 pop_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pop_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
allow $1 pop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pop_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pop_port'($*)) dnl
gen_require(`
type pop_port_t;
')
dontaudit $1 pop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pop_port'($*)) dnl
')
########################################
##
## Send pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
allow $1 pop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
dontaudit $1 pop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_client_packets'($*)) dnl
')
########################################
##
## Receive pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
allow $1 pop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
dontaudit $1 pop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_client_packets'($*)) dnl
')
########################################
##
## Send and receive pop_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_client_packets'($*)) dnl
corenet_send_pop_client_packets($1)
corenet_receive_pop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pop_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl
corenet_dontaudit_send_pop_client_packets($1)
corenet_dontaudit_receive_pop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pop_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_client_packets'($*)) dnl
gen_require(`
type pop_client_packet_t;
')
allow $1 pop_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_client_packets'($*)) dnl
')
########################################
##
## Send pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
allow $1 pop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
dontaudit $1 pop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_server_packets'($*)) dnl
')
########################################
##
## Receive pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
allow $1 pop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
dontaudit $1 pop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_server_packets'($*)) dnl
')
########################################
##
## Send and receive pop_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_server_packets'($*)) dnl
corenet_send_pop_server_packets($1)
corenet_receive_pop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pop_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl
corenet_dontaudit_send_pop_server_packets($1)
corenet_dontaudit_receive_pop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pop_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_server_packets'($*)) dnl
gen_require(`
type pop_server_packet_t;
')
allow $1 pop_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_portmap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
dontaudit $1 portmap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_portmap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
dontaudit $1 portmap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_portmap_port'($*)) dnl
corenet_udp_send_portmap_port($1)
corenet_udp_receive_portmap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl
corenet_dontaudit_udp_send_portmap_port($1)
corenet_dontaudit_udp_receive_portmap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_portmap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the portmap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to portmap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
dontaudit $1 portmap_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_portmap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the portmap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
allow $1 portmap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_portmap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to portmap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_portmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_portmap_port'($*)) dnl
gen_require(`
type portmap_port_t;
')
dontaudit $1 portmap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_portmap_port'($*)) dnl
')
########################################
##
## Send portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
allow $1 portmap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_portmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send portmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
dontaudit $1 portmap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_client_packets'($*)) dnl
')
########################################
##
## Receive portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
allow $1 portmap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
dontaudit $1 portmap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl
')
########################################
##
## Send and receive portmap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_client_packets'($*)) dnl
corenet_send_portmap_client_packets($1)
corenet_receive_portmap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive portmap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl
corenet_dontaudit_send_portmap_client_packets($1)
corenet_dontaudit_receive_portmap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to portmap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_portmap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_client_packets'($*)) dnl
gen_require(`
type portmap_client_packet_t;
')
allow $1 portmap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_client_packets'($*)) dnl
')
########################################
##
## Send portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
allow $1 portmap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_portmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send portmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
dontaudit $1 portmap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_server_packets'($*)) dnl
')
########################################
##
## Receive portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
allow $1 portmap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
dontaudit $1 portmap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl
')
########################################
##
## Send and receive portmap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_server_packets'($*)) dnl
corenet_send_portmap_server_packets($1)
corenet_receive_portmap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive portmap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl
corenet_dontaudit_send_portmap_server_packets($1)
corenet_dontaudit_receive_portmap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to portmap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_portmap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_server_packets'($*)) dnl
gen_require(`
type portmap_server_packet_t;
')
allow $1 portmap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
allow $1 postfix_policyd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postfix_policyd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
allow $1 postfix_policyd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postfix_policyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the postfix_policyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
dontaudit $1 postfix_policyd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postfix_policyd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
allow $1 postfix_policyd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postfix_policyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the postfix_policyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
dontaudit $1 postfix_policyd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postfix_policyd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postfix_policyd_port'($*)) dnl
corenet_udp_send_postfix_policyd_port($1)
corenet_udp_receive_postfix_policyd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postfix_policyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the postfix_policyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postfix_policyd_port'($*)) dnl
corenet_dontaudit_udp_send_postfix_policyd_port($1)
corenet_dontaudit_udp_receive_postfix_policyd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postfix_policyd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
allow $1 postfix_policyd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postfix_policyd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
allow $1 postfix_policyd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postfix_policyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to postfix_policyd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
dontaudit $1 postfix_policyd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_postfix_policyd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
allow $1 postfix_policyd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postfix_policyd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to postfix_policyd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_postfix_policyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_postfix_policyd_port'($*)) dnl
gen_require(`
type postfix_policyd_port_t;
')
dontaudit $1 postfix_policyd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_postfix_policyd_port'($*)) dnl
')
########################################
##
## Send postfix_policyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postfix_policyd_client_packets'($*)) dnl
gen_require(`
type postfix_policyd_client_packet_t;
')
allow $1 postfix_policyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postfix_policyd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postfix_policyd_client_packets'($*)) dnl
gen_require(`
type postfix_policyd_client_packet_t;
')
dontaudit $1 postfix_policyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Receive postfix_policyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postfix_policyd_client_packets'($*)) dnl
gen_require(`
type postfix_policyd_client_packet_t;
')
allow $1 postfix_policyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postfix_policyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postfix_policyd_client_packets'($*)) dnl
gen_require(`
type postfix_policyd_client_packet_t;
')
dontaudit $1 postfix_policyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Send and receive postfix_policyd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postfix_policyd_client_packets'($*)) dnl
corenet_send_postfix_policyd_client_packets($1)
corenet_receive_postfix_policyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postfix_policyd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postfix_policyd_client_packets'($*)) dnl
corenet_dontaudit_send_postfix_policyd_client_packets($1)
corenet_dontaudit_receive_postfix_policyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to postfix_policyd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postfix_policyd_client_packets'($*)) dnl
gen_require(`
type postfix_policyd_client_packet_t;
')
allow $1 postfix_policyd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postfix_policyd_client_packets'($*)) dnl
')
########################################
##
## Send postfix_policyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postfix_policyd_server_packets'($*)) dnl
gen_require(`
type postfix_policyd_server_packet_t;
')
allow $1 postfix_policyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postfix_policyd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postfix_policyd_server_packets'($*)) dnl
gen_require(`
type postfix_policyd_server_packet_t;
')
dontaudit $1 postfix_policyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Receive postfix_policyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postfix_policyd_server_packets'($*)) dnl
gen_require(`
type postfix_policyd_server_packet_t;
')
allow $1 postfix_policyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postfix_policyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postfix_policyd_server_packets'($*)) dnl
gen_require(`
type postfix_policyd_server_packet_t;
')
dontaudit $1 postfix_policyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Send and receive postfix_policyd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postfix_policyd_server_packets'($*)) dnl
corenet_send_postfix_policyd_server_packets($1)
corenet_receive_postfix_policyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postfix_policyd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postfix_policyd_server_packets'($*)) dnl
corenet_dontaudit_send_postfix_policyd_server_packets($1)
corenet_dontaudit_receive_postfix_policyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to postfix_policyd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postfix_policyd_server_packets'($*)) dnl
gen_require(`
type postfix_policyd_server_packet_t;
')
allow $1 postfix_policyd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postfix_policyd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgresql_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
dontaudit $1 postgresql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
dontaudit $1 postgresql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgresql_port'($*)) dnl
corenet_udp_send_postgresql_port($1)
corenet_udp_receive_postgresql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl
corenet_dontaudit_udp_send_postgresql_port($1)
corenet_dontaudit_udp_receive_postgresql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgresql_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the postgresql port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to postgresql port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
dontaudit $1 postgresql_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_postgresql_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the postgresql port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
allow $1 postgresql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgresql_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to postgresql port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_postgresql_port'($*)) dnl
gen_require(`
type postgresql_port_t;
')
dontaudit $1 postgresql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_postgresql_port'($*)) dnl
')
########################################
##
## Send postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
allow $1 postgresql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgresql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
dontaudit $1 postgresql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl
')
########################################
##
## Receive postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
allow $1 postgresql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
dontaudit $1 postgresql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl
')
########################################
##
## Send and receive postgresql_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_client_packets'($*)) dnl
corenet_send_postgresql_client_packets($1)
corenet_receive_postgresql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgresql_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl
corenet_dontaudit_send_postgresql_client_packets($1)
corenet_dontaudit_receive_postgresql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to postgresql_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_client_packets'($*)) dnl
gen_require(`
type postgresql_client_packet_t;
')
allow $1 postgresql_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_client_packets'($*)) dnl
')
########################################
##
## Send postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
allow $1 postgresql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgresql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
dontaudit $1 postgresql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl
')
########################################
##
## Receive postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
allow $1 postgresql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
dontaudit $1 postgresql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl
')
########################################
##
## Send and receive postgresql_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_server_packets'($*)) dnl
corenet_send_postgresql_server_packets($1)
corenet_receive_postgresql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgresql_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl
corenet_dontaudit_send_postgresql_server_packets($1)
corenet_dontaudit_receive_postgresql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to postgresql_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_server_packets'($*)) dnl
gen_require(`
type postgresql_server_packet_t;
')
allow $1 postgresql_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgrey_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
dontaudit $1 postgrey_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
dontaudit $1 postgrey_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgrey_port'($*)) dnl
corenet_udp_send_postgrey_port($1)
corenet_udp_receive_postgrey_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl
corenet_dontaudit_udp_send_postgrey_port($1)
corenet_dontaudit_udp_receive_postgrey_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgrey_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the postgrey port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to postgrey port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
dontaudit $1 postgrey_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_postgrey_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the postgrey port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
allow $1 postgrey_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgrey_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to postgrey port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_postgrey_port'($*)) dnl
gen_require(`
type postgrey_port_t;
')
dontaudit $1 postgrey_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_postgrey_port'($*)) dnl
')
########################################
##
## Send postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
allow $1 postgrey_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgrey_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
dontaudit $1 postgrey_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl
')
########################################
##
## Receive postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
allow $1 postgrey_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
dontaudit $1 postgrey_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl
')
########################################
##
## Send and receive postgrey_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_client_packets'($*)) dnl
corenet_send_postgrey_client_packets($1)
corenet_receive_postgrey_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgrey_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl
corenet_dontaudit_send_postgrey_client_packets($1)
corenet_dontaudit_receive_postgrey_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to postgrey_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_client_packets'($*)) dnl
gen_require(`
type postgrey_client_packet_t;
')
allow $1 postgrey_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_client_packets'($*)) dnl
')
########################################
##
## Send postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
allow $1 postgrey_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send postgrey_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
dontaudit $1 postgrey_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl
')
########################################
##
## Receive postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
allow $1 postgrey_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
dontaudit $1 postgrey_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl
')
########################################
##
## Send and receive postgrey_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_server_packets'($*)) dnl
corenet_send_postgrey_server_packets($1)
corenet_receive_postgrey_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive postgrey_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl
corenet_dontaudit_send_postgrey_server_packets($1)
corenet_dontaudit_receive_postgrey_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to postgrey_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_server_packets'($*)) dnl
gen_require(`
type postgrey_server_packet_t;
')
allow $1 postgrey_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pptp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
allow $1 pptp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pptp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pptp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
allow $1 pptp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pptp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pptp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
dontaudit $1 pptp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pptp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pptp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
allow $1 pptp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pptp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pptp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
dontaudit $1 pptp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pptp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pptp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pptp_port'($*)) dnl
corenet_udp_send_pptp_port($1)
corenet_udp_receive_pptp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pptp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pptp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pptp_port'($*)) dnl
corenet_dontaudit_udp_send_pptp_port($1)
corenet_dontaudit_udp_receive_pptp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pptp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pptp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
allow $1 pptp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pptp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pptp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
allow $1 pptp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pptp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pptp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
dontaudit $1 pptp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pptp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pptp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
allow $1 pptp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pptp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pptp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pptp_port'($*)) dnl
gen_require(`
type pptp_port_t;
')
dontaudit $1 pptp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pptp_port'($*)) dnl
')
########################################
##
## Send pptp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pptp_client_packets'($*)) dnl
gen_require(`
type pptp_client_packet_t;
')
allow $1 pptp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pptp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pptp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pptp_client_packets'($*)) dnl
gen_require(`
type pptp_client_packet_t;
')
dontaudit $1 pptp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pptp_client_packets'($*)) dnl
')
########################################
##
## Receive pptp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pptp_client_packets'($*)) dnl
gen_require(`
type pptp_client_packet_t;
')
allow $1 pptp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pptp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pptp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pptp_client_packets'($*)) dnl
gen_require(`
type pptp_client_packet_t;
')
dontaudit $1 pptp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pptp_client_packets'($*)) dnl
')
########################################
##
## Send and receive pptp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pptp_client_packets'($*)) dnl
corenet_send_pptp_client_packets($1)
corenet_receive_pptp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pptp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pptp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pptp_client_packets'($*)) dnl
corenet_dontaudit_send_pptp_client_packets($1)
corenet_dontaudit_receive_pptp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pptp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pptp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pptp_client_packets'($*)) dnl
gen_require(`
type pptp_client_packet_t;
')
allow $1 pptp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pptp_client_packets'($*)) dnl
')
########################################
##
## Send pptp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pptp_server_packets'($*)) dnl
gen_require(`
type pptp_server_packet_t;
')
allow $1 pptp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pptp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pptp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pptp_server_packets'($*)) dnl
gen_require(`
type pptp_server_packet_t;
')
dontaudit $1 pptp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pptp_server_packets'($*)) dnl
')
########################################
##
## Receive pptp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pptp_server_packets'($*)) dnl
gen_require(`
type pptp_server_packet_t;
')
allow $1 pptp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pptp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pptp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pptp_server_packets'($*)) dnl
gen_require(`
type pptp_server_packet_t;
')
dontaudit $1 pptp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pptp_server_packets'($*)) dnl
')
########################################
##
## Send and receive pptp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pptp_server_packets'($*)) dnl
corenet_send_pptp_server_packets($1)
corenet_receive_pptp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pptp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pptp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pptp_server_packets'($*)) dnl
corenet_dontaudit_send_pptp_server_packets($1)
corenet_dontaudit_receive_pptp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pptp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pptp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pptp_server_packets'($*)) dnl
gen_require(`
type pptp_server_packet_t;
')
allow $1 pptp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pptp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_prelude_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
dontaudit $1 prelude_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_prelude_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
dontaudit $1 prelude_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_prelude_port'($*)) dnl
corenet_udp_send_prelude_port($1)
corenet_udp_receive_prelude_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl
corenet_dontaudit_udp_send_prelude_port($1)
corenet_dontaudit_udp_receive_prelude_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_prelude_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the prelude port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to prelude port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
dontaudit $1 prelude_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_prelude_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the prelude port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
allow $1 prelude_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_prelude_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to prelude port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_prelude_port'($*)) dnl
gen_require(`
type prelude_port_t;
')
dontaudit $1 prelude_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_prelude_port'($*)) dnl
')
########################################
##
## Send prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_client_packets'($*)) dnl
gen_require(`
type prelude_client_packet_t;
')
allow $1 prelude_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prelude_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send prelude_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_client_packets'($*)) dnl
gen_require(`
type prelude_client_packet_t;
')
dontaudit $1 prelude_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_client_packets'($*)) dnl
')
########################################
##
## Receive prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_client_packets'($*)) dnl
gen_require(`
type prelude_client_packet_t;
')
allow $1 prelude_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl
gen_require(`
type prelude_client_packet_t;
')
dontaudit $1 prelude_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl
')
########################################
##
## Send and receive prelude_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_client_packets'($*)) dnl
corenet_send_prelude_client_packets($1)
corenet_receive_prelude_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive prelude_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl
corenet_dontaudit_send_prelude_client_packets($1)
corenet_dontaudit_receive_prelude_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to prelude_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_client_packets'($*)) dnl
gen_require(`
type prelude_client_packet_t;
')
allow $1 prelude_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_client_packets'($*)) dnl
')
########################################
##
## Send prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_server_packets'($*)) dnl
gen_require(`
type prelude_server_packet_t;
')
allow $1 prelude_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prelude_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send prelude_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_server_packets'($*)) dnl
gen_require(`
type prelude_server_packet_t;
')
dontaudit $1 prelude_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_server_packets'($*)) dnl
')
########################################
##
## Receive prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_server_packets'($*)) dnl
gen_require(`
type prelude_server_packet_t;
')
allow $1 prelude_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl
gen_require(`
type prelude_server_packet_t;
')
dontaudit $1 prelude_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl
')
########################################
##
## Send and receive prelude_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_server_packets'($*)) dnl
corenet_send_prelude_server_packets($1)
corenet_receive_prelude_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive prelude_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl
corenet_dontaudit_send_prelude_server_packets($1)
corenet_dontaudit_receive_prelude_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to prelude_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_server_packets'($*)) dnl
gen_require(`
type prelude_server_packet_t;
')
allow $1 prelude_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the presence port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
allow $1 presence_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_presence_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the presence port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
allow $1 presence_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_presence_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the presence port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
dontaudit $1 presence_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_presence_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the presence port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
allow $1 presence_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_presence_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the presence port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
dontaudit $1 presence_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_presence_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the presence port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_presence_port'($*)) dnl
corenet_udp_send_presence_port($1)
corenet_udp_receive_presence_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_presence_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the presence port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_presence_port'($*)) dnl
corenet_dontaudit_udp_send_presence_port($1)
corenet_dontaudit_udp_receive_presence_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_presence_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the presence port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
allow $1 presence_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_presence_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the presence port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
allow $1 presence_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_presence_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to presence port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
dontaudit $1 presence_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_presence_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the presence port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
allow $1 presence_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_presence_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to presence port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_presence_port'($*)) dnl
gen_require(`
type presence_port_t;
')
dontaudit $1 presence_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_presence_port'($*)) dnl
')
########################################
##
## Send presence_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_presence_client_packets'($*)) dnl
gen_require(`
type presence_client_packet_t;
')
allow $1 presence_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_presence_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send presence_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_presence_client_packets'($*)) dnl
gen_require(`
type presence_client_packet_t;
')
dontaudit $1 presence_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_presence_client_packets'($*)) dnl
')
########################################
##
## Receive presence_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_presence_client_packets'($*)) dnl
gen_require(`
type presence_client_packet_t;
')
allow $1 presence_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_presence_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive presence_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_presence_client_packets'($*)) dnl
gen_require(`
type presence_client_packet_t;
')
dontaudit $1 presence_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_presence_client_packets'($*)) dnl
')
########################################
##
## Send and receive presence_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_presence_client_packets'($*)) dnl
corenet_send_presence_client_packets($1)
corenet_receive_presence_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_presence_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive presence_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_presence_client_packets'($*)) dnl
corenet_dontaudit_send_presence_client_packets($1)
corenet_dontaudit_receive_presence_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_presence_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to presence_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_presence_client_packets'($*)) dnl
gen_require(`
type presence_client_packet_t;
')
allow $1 presence_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_presence_client_packets'($*)) dnl
')
########################################
##
## Send presence_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_presence_server_packets'($*)) dnl
gen_require(`
type presence_server_packet_t;
')
allow $1 presence_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_presence_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send presence_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_presence_server_packets'($*)) dnl
gen_require(`
type presence_server_packet_t;
')
dontaudit $1 presence_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_presence_server_packets'($*)) dnl
')
########################################
##
## Receive presence_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_presence_server_packets'($*)) dnl
gen_require(`
type presence_server_packet_t;
')
allow $1 presence_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_presence_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive presence_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_presence_server_packets'($*)) dnl
gen_require(`
type presence_server_packet_t;
')
dontaudit $1 presence_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_presence_server_packets'($*)) dnl
')
########################################
##
## Send and receive presence_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_presence_server_packets'($*)) dnl
corenet_send_presence_server_packets($1)
corenet_receive_presence_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_presence_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive presence_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_presence_server_packets'($*)) dnl
corenet_dontaudit_send_presence_server_packets($1)
corenet_dontaudit_receive_presence_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_presence_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to presence_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_presence_server_packets'($*)) dnl
gen_require(`
type presence_server_packet_t;
')
allow $1 presence_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_presence_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the preupgrade port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
allow $1 preupgrade_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_preupgrade_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the preupgrade port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
allow $1 preupgrade_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_preupgrade_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the preupgrade port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
dontaudit $1 preupgrade_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_preupgrade_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the preupgrade port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
allow $1 preupgrade_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_preupgrade_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the preupgrade port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
dontaudit $1 preupgrade_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_preupgrade_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the preupgrade port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_preupgrade_port'($*)) dnl
corenet_udp_send_preupgrade_port($1)
corenet_udp_receive_preupgrade_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_preupgrade_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the preupgrade port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_preupgrade_port'($*)) dnl
corenet_dontaudit_udp_send_preupgrade_port($1)
corenet_dontaudit_udp_receive_preupgrade_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_preupgrade_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the preupgrade port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
allow $1 preupgrade_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_preupgrade_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the preupgrade port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
allow $1 preupgrade_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_preupgrade_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to preupgrade port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
dontaudit $1 preupgrade_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_preupgrade_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the preupgrade port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
allow $1 preupgrade_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_preupgrade_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to preupgrade port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_preupgrade_port'($*)) dnl
gen_require(`
type preupgrade_port_t;
')
dontaudit $1 preupgrade_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_preupgrade_port'($*)) dnl
')
########################################
##
## Send preupgrade_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_preupgrade_client_packets'($*)) dnl
gen_require(`
type preupgrade_client_packet_t;
')
allow $1 preupgrade_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send preupgrade_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_preupgrade_client_packets'($*)) dnl
gen_require(`
type preupgrade_client_packet_t;
')
dontaudit $1 preupgrade_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Receive preupgrade_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_preupgrade_client_packets'($*)) dnl
gen_require(`
type preupgrade_client_packet_t;
')
allow $1 preupgrade_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive preupgrade_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_preupgrade_client_packets'($*)) dnl
gen_require(`
type preupgrade_client_packet_t;
')
dontaudit $1 preupgrade_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Send and receive preupgrade_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_preupgrade_client_packets'($*)) dnl
corenet_send_preupgrade_client_packets($1)
corenet_receive_preupgrade_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive preupgrade_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_preupgrade_client_packets'($*)) dnl
corenet_dontaudit_send_preupgrade_client_packets($1)
corenet_dontaudit_receive_preupgrade_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to preupgrade_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_preupgrade_client_packets'($*)) dnl
gen_require(`
type preupgrade_client_packet_t;
')
allow $1 preupgrade_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_preupgrade_client_packets'($*)) dnl
')
########################################
##
## Send preupgrade_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_preupgrade_server_packets'($*)) dnl
gen_require(`
type preupgrade_server_packet_t;
')
allow $1 preupgrade_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send preupgrade_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_preupgrade_server_packets'($*)) dnl
gen_require(`
type preupgrade_server_packet_t;
')
dontaudit $1 preupgrade_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Receive preupgrade_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_preupgrade_server_packets'($*)) dnl
gen_require(`
type preupgrade_server_packet_t;
')
allow $1 preupgrade_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive preupgrade_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_preupgrade_server_packets'($*)) dnl
gen_require(`
type preupgrade_server_packet_t;
')
dontaudit $1 preupgrade_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Send and receive preupgrade_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_preupgrade_server_packets'($*)) dnl
corenet_send_preupgrade_server_packets($1)
corenet_receive_preupgrade_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive preupgrade_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_preupgrade_server_packets'($*)) dnl
corenet_dontaudit_send_preupgrade_server_packets($1)
corenet_dontaudit_receive_preupgrade_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to preupgrade_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_preupgrade_server_packets'($*)) dnl
gen_require(`
type preupgrade_server_packet_t;
')
allow $1 preupgrade_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_preupgrade_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_printer_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
dontaudit $1 printer_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_printer_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
dontaudit $1 printer_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_printer_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_printer_port'($*)) dnl
corenet_udp_send_printer_port($1)
corenet_udp_receive_printer_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl
corenet_dontaudit_udp_send_printer_port($1)
corenet_dontaudit_udp_receive_printer_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_printer_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the printer port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to printer port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
dontaudit $1 printer_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_printer_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the printer port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
allow $1 printer_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_printer_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to printer port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_printer_port'($*)) dnl
gen_require(`
type printer_port_t;
')
dontaudit $1 printer_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_printer_port'($*)) dnl
')
########################################
##
## Send printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_printer_client_packets'($*)) dnl
gen_require(`
type printer_client_packet_t;
')
allow $1 printer_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_printer_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send printer_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_client_packets'($*)) dnl
gen_require(`
type printer_client_packet_t;
')
dontaudit $1 printer_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_client_packets'($*)) dnl
')
########################################
##
## Receive printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_client_packets'($*)) dnl
gen_require(`
type printer_client_packet_t;
')
allow $1 printer_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_printer_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_client_packets'($*)) dnl
gen_require(`
type printer_client_packet_t;
')
dontaudit $1 printer_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_client_packets'($*)) dnl
')
########################################
##
## Send and receive printer_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_client_packets'($*)) dnl
corenet_send_printer_client_packets($1)
corenet_receive_printer_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive printer_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl
corenet_dontaudit_send_printer_client_packets($1)
corenet_dontaudit_receive_printer_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to printer_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_client_packets'($*)) dnl
gen_require(`
type printer_client_packet_t;
')
allow $1 printer_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_client_packets'($*)) dnl
')
########################################
##
## Send printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
allow $1 printer_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_printer_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send printer_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
dontaudit $1 printer_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_server_packets'($*)) dnl
')
########################################
##
## Receive printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
allow $1 printer_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_printer_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
dontaudit $1 printer_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_server_packets'($*)) dnl
')
########################################
##
## Send and receive printer_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_server_packets'($*)) dnl
corenet_send_printer_server_packets($1)
corenet_receive_printer_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive printer_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl
corenet_dontaudit_send_printer_server_packets($1)
corenet_dontaudit_receive_printer_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to printer_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_server_packets'($*)) dnl
gen_require(`
type printer_server_packet_t;
')
allow $1 printer_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
allow $1 priority_e_com_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_priority_e_com_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
allow $1 priority_e_com_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_priority_e_com_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the priority_e_com port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
dontaudit $1 priority_e_com_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_priority_e_com_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
allow $1 priority_e_com_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_priority_e_com_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the priority_e_com port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
dontaudit $1 priority_e_com_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_priority_e_com_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_priority_e_com_port'($*)) dnl
corenet_udp_send_priority_e_com_port($1)
corenet_udp_receive_priority_e_com_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_priority_e_com_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the priority_e_com port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_priority_e_com_port'($*)) dnl
corenet_dontaudit_udp_send_priority_e_com_port($1)
corenet_dontaudit_udp_receive_priority_e_com_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_priority_e_com_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
allow $1 priority_e_com_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_priority_e_com_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
allow $1 priority_e_com_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_priority_e_com_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to priority_e_com port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
dontaudit $1 priority_e_com_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_priority_e_com_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the priority_e_com port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
allow $1 priority_e_com_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_priority_e_com_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to priority_e_com port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_priority_e_com_port'($*)) dnl
gen_require(`
type priority_e_com_port_t;
')
dontaudit $1 priority_e_com_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_priority_e_com_port'($*)) dnl
')
########################################
##
## Send priority_e_com_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_priority_e_com_client_packets'($*)) dnl
gen_require(`
type priority_e_com_client_packet_t;
')
allow $1 priority_e_com_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send priority_e_com_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_priority_e_com_client_packets'($*)) dnl
gen_require(`
type priority_e_com_client_packet_t;
')
dontaudit $1 priority_e_com_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Receive priority_e_com_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_priority_e_com_client_packets'($*)) dnl
gen_require(`
type priority_e_com_client_packet_t;
')
allow $1 priority_e_com_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive priority_e_com_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_priority_e_com_client_packets'($*)) dnl
gen_require(`
type priority_e_com_client_packet_t;
')
dontaudit $1 priority_e_com_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Send and receive priority_e_com_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_priority_e_com_client_packets'($*)) dnl
corenet_send_priority_e_com_client_packets($1)
corenet_receive_priority_e_com_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive priority_e_com_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_priority_e_com_client_packets'($*)) dnl
corenet_dontaudit_send_priority_e_com_client_packets($1)
corenet_dontaudit_receive_priority_e_com_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to priority_e_com_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_priority_e_com_client_packets'($*)) dnl
gen_require(`
type priority_e_com_client_packet_t;
')
allow $1 priority_e_com_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_priority_e_com_client_packets'($*)) dnl
')
########################################
##
## Send priority_e_com_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_priority_e_com_server_packets'($*)) dnl
gen_require(`
type priority_e_com_server_packet_t;
')
allow $1 priority_e_com_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send priority_e_com_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_priority_e_com_server_packets'($*)) dnl
gen_require(`
type priority_e_com_server_packet_t;
')
dontaudit $1 priority_e_com_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Receive priority_e_com_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_priority_e_com_server_packets'($*)) dnl
gen_require(`
type priority_e_com_server_packet_t;
')
allow $1 priority_e_com_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive priority_e_com_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_priority_e_com_server_packets'($*)) dnl
gen_require(`
type priority_e_com_server_packet_t;
')
dontaudit $1 priority_e_com_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Send and receive priority_e_com_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_priority_e_com_server_packets'($*)) dnl
corenet_send_priority_e_com_server_packets($1)
corenet_receive_priority_e_com_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive priority_e_com_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_priority_e_com_server_packets'($*)) dnl
corenet_dontaudit_send_priority_e_com_server_packets($1)
corenet_dontaudit_receive_priority_e_com_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to priority_e_com_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_priority_e_com_server_packets'($*)) dnl
gen_require(`
type priority_e_com_server_packet_t;
')
allow $1 priority_e_com_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_priority_e_com_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the prosody port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
allow $1 prosody_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_prosody_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the prosody port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
allow $1 prosody_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_prosody_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the prosody port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
dontaudit $1 prosody_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_prosody_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the prosody port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
allow $1 prosody_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_prosody_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the prosody port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
dontaudit $1 prosody_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_prosody_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the prosody port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_prosody_port'($*)) dnl
corenet_udp_send_prosody_port($1)
corenet_udp_receive_prosody_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_prosody_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the prosody port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_prosody_port'($*)) dnl
corenet_dontaudit_udp_send_prosody_port($1)
corenet_dontaudit_udp_receive_prosody_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_prosody_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the prosody port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
allow $1 prosody_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_prosody_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the prosody port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
allow $1 prosody_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_prosody_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to prosody port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
dontaudit $1 prosody_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_prosody_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the prosody port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
allow $1 prosody_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_prosody_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to prosody port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_prosody_port'($*)) dnl
gen_require(`
type prosody_port_t;
')
dontaudit $1 prosody_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_prosody_port'($*)) dnl
')
########################################
##
## Send prosody_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prosody_client_packets'($*)) dnl
gen_require(`
type prosody_client_packet_t;
')
allow $1 prosody_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prosody_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send prosody_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prosody_client_packets'($*)) dnl
gen_require(`
type prosody_client_packet_t;
')
dontaudit $1 prosody_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prosody_client_packets'($*)) dnl
')
########################################
##
## Receive prosody_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prosody_client_packets'($*)) dnl
gen_require(`
type prosody_client_packet_t;
')
allow $1 prosody_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prosody_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive prosody_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prosody_client_packets'($*)) dnl
gen_require(`
type prosody_client_packet_t;
')
dontaudit $1 prosody_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prosody_client_packets'($*)) dnl
')
########################################
##
## Send and receive prosody_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prosody_client_packets'($*)) dnl
corenet_send_prosody_client_packets($1)
corenet_receive_prosody_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prosody_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive prosody_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prosody_client_packets'($*)) dnl
corenet_dontaudit_send_prosody_client_packets($1)
corenet_dontaudit_receive_prosody_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prosody_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to prosody_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_prosody_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prosody_client_packets'($*)) dnl
gen_require(`
type prosody_client_packet_t;
')
allow $1 prosody_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prosody_client_packets'($*)) dnl
')
########################################
##
## Send prosody_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prosody_server_packets'($*)) dnl
gen_require(`
type prosody_server_packet_t;
')
allow $1 prosody_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prosody_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send prosody_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prosody_server_packets'($*)) dnl
gen_require(`
type prosody_server_packet_t;
')
dontaudit $1 prosody_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prosody_server_packets'($*)) dnl
')
########################################
##
## Receive prosody_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prosody_server_packets'($*)) dnl
gen_require(`
type prosody_server_packet_t;
')
allow $1 prosody_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prosody_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive prosody_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prosody_server_packets'($*)) dnl
gen_require(`
type prosody_server_packet_t;
')
dontaudit $1 prosody_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prosody_server_packets'($*)) dnl
')
########################################
##
## Send and receive prosody_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prosody_server_packets'($*)) dnl
corenet_send_prosody_server_packets($1)
corenet_receive_prosody_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prosody_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive prosody_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prosody_server_packets'($*)) dnl
corenet_dontaudit_send_prosody_server_packets($1)
corenet_dontaudit_receive_prosody_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prosody_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to prosody_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_prosody_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prosody_server_packets'($*)) dnl
gen_require(`
type prosody_server_packet_t;
')
allow $1 prosody_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prosody_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ptal_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
dontaudit $1 ptal_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ptal_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
dontaudit $1 ptal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ptal_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ptal_port'($*)) dnl
corenet_udp_send_ptal_port($1)
corenet_udp_receive_ptal_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ptal_port'($*)) dnl
corenet_dontaudit_udp_send_ptal_port($1)
corenet_dontaudit_udp_receive_ptal_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ptal_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ptal_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ptal port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ptal port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
dontaudit $1 ptal_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ptal_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ptal port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
allow $1 ptal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ptal_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ptal port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ptal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ptal_port'($*)) dnl
gen_require(`
type ptal_port_t;
')
dontaudit $1 ptal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ptal_port'($*)) dnl
')
########################################
##
## Send ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
allow $1 ptal_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ptal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ptal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
dontaudit $1 ptal_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_client_packets'($*)) dnl
')
########################################
##
## Receive ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
allow $1 ptal_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
dontaudit $1 ptal_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_client_packets'($*)) dnl
')
########################################
##
## Send and receive ptal_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_client_packets'($*)) dnl
corenet_send_ptal_client_packets($1)
corenet_receive_ptal_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ptal_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_client_packets'($*)) dnl
corenet_dontaudit_send_ptal_client_packets($1)
corenet_dontaudit_receive_ptal_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ptal_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ptal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_client_packets'($*)) dnl
gen_require(`
type ptal_client_packet_t;
')
allow $1 ptal_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_client_packets'($*)) dnl
')
########################################
##
## Send ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
allow $1 ptal_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ptal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ptal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
dontaudit $1 ptal_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_server_packets'($*)) dnl
')
########################################
##
## Receive ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
allow $1 ptal_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
dontaudit $1 ptal_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_server_packets'($*)) dnl
')
########################################
##
## Send and receive ptal_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_server_packets'($*)) dnl
corenet_send_ptal_server_packets($1)
corenet_receive_ptal_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ptal_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_server_packets'($*)) dnl
corenet_dontaudit_send_ptal_server_packets($1)
corenet_dontaudit_receive_ptal_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ptal_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ptal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_server_packets'($*)) dnl
gen_require(`
type ptal_server_packet_t;
')
allow $1 ptal_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
allow $1 pulseaudio_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pulseaudio_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
allow $1 pulseaudio_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pulseaudio_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pulseaudio port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
dontaudit $1 pulseaudio_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pulseaudio_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
allow $1 pulseaudio_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pulseaudio_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pulseaudio port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
dontaudit $1 pulseaudio_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pulseaudio_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pulseaudio_port'($*)) dnl
corenet_udp_send_pulseaudio_port($1)
corenet_udp_receive_pulseaudio_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pulseaudio_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pulseaudio port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pulseaudio_port'($*)) dnl
corenet_dontaudit_udp_send_pulseaudio_port($1)
corenet_dontaudit_udp_receive_pulseaudio_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pulseaudio_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
allow $1 pulseaudio_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pulseaudio_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
allow $1 pulseaudio_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pulseaudio_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pulseaudio port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
dontaudit $1 pulseaudio_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pulseaudio_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pulseaudio port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
allow $1 pulseaudio_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pulseaudio_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pulseaudio port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pulseaudio_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pulseaudio_port'($*)) dnl
gen_require(`
type pulseaudio_port_t;
')
dontaudit $1 pulseaudio_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pulseaudio_port'($*)) dnl
')
########################################
##
## Send pulseaudio_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulseaudio_client_packets'($*)) dnl
gen_require(`
type pulseaudio_client_packet_t;
')
allow $1 pulseaudio_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pulseaudio_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulseaudio_client_packets'($*)) dnl
gen_require(`
type pulseaudio_client_packet_t;
')
dontaudit $1 pulseaudio_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Receive pulseaudio_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulseaudio_client_packets'($*)) dnl
gen_require(`
type pulseaudio_client_packet_t;
')
allow $1 pulseaudio_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pulseaudio_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulseaudio_client_packets'($*)) dnl
gen_require(`
type pulseaudio_client_packet_t;
')
dontaudit $1 pulseaudio_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Send and receive pulseaudio_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulseaudio_client_packets'($*)) dnl
corenet_send_pulseaudio_client_packets($1)
corenet_receive_pulseaudio_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pulseaudio_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulseaudio_client_packets'($*)) dnl
corenet_dontaudit_send_pulseaudio_client_packets($1)
corenet_dontaudit_receive_pulseaudio_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pulseaudio_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pulseaudio_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulseaudio_client_packets'($*)) dnl
gen_require(`
type pulseaudio_client_packet_t;
')
allow $1 pulseaudio_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulseaudio_client_packets'($*)) dnl
')
########################################
##
## Send pulseaudio_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulseaudio_server_packets'($*)) dnl
gen_require(`
type pulseaudio_server_packet_t;
')
allow $1 pulseaudio_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pulseaudio_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulseaudio_server_packets'($*)) dnl
gen_require(`
type pulseaudio_server_packet_t;
')
dontaudit $1 pulseaudio_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Receive pulseaudio_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulseaudio_server_packets'($*)) dnl
gen_require(`
type pulseaudio_server_packet_t;
')
allow $1 pulseaudio_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pulseaudio_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulseaudio_server_packets'($*)) dnl
gen_require(`
type pulseaudio_server_packet_t;
')
dontaudit $1 pulseaudio_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Send and receive pulseaudio_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulseaudio_server_packets'($*)) dnl
corenet_send_pulseaudio_server_packets($1)
corenet_receive_pulseaudio_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pulseaudio_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulseaudio_server_packets'($*)) dnl
corenet_dontaudit_send_pulseaudio_server_packets($1)
corenet_dontaudit_receive_pulseaudio_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pulseaudio_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pulseaudio_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulseaudio_server_packets'($*)) dnl
gen_require(`
type pulseaudio_server_packet_t;
')
allow $1 pulseaudio_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulseaudio_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pulp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
allow $1 pulp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pulp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pulp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
allow $1 pulp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pulp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pulp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
dontaudit $1 pulp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pulp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pulp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
allow $1 pulp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pulp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pulp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
dontaudit $1 pulp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pulp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pulp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pulp_port'($*)) dnl
corenet_udp_send_pulp_port($1)
corenet_udp_receive_pulp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pulp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pulp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pulp_port'($*)) dnl
corenet_dontaudit_udp_send_pulp_port($1)
corenet_dontaudit_udp_receive_pulp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pulp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pulp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
allow $1 pulp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pulp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pulp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
allow $1 pulp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pulp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pulp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
dontaudit $1 pulp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pulp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pulp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
allow $1 pulp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pulp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pulp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pulp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pulp_port'($*)) dnl
gen_require(`
type pulp_port_t;
')
dontaudit $1 pulp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pulp_port'($*)) dnl
')
########################################
##
## Send pulp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulp_client_packets'($*)) dnl
gen_require(`
type pulp_client_packet_t;
')
allow $1 pulp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pulp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulp_client_packets'($*)) dnl
gen_require(`
type pulp_client_packet_t;
')
dontaudit $1 pulp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulp_client_packets'($*)) dnl
')
########################################
##
## Receive pulp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulp_client_packets'($*)) dnl
gen_require(`
type pulp_client_packet_t;
')
allow $1 pulp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pulp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulp_client_packets'($*)) dnl
gen_require(`
type pulp_client_packet_t;
')
dontaudit $1 pulp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulp_client_packets'($*)) dnl
')
########################################
##
## Send and receive pulp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulp_client_packets'($*)) dnl
corenet_send_pulp_client_packets($1)
corenet_receive_pulp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pulp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulp_client_packets'($*)) dnl
corenet_dontaudit_send_pulp_client_packets($1)
corenet_dontaudit_receive_pulp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pulp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pulp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulp_client_packets'($*)) dnl
gen_require(`
type pulp_client_packet_t;
')
allow $1 pulp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulp_client_packets'($*)) dnl
')
########################################
##
## Send pulp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulp_server_packets'($*)) dnl
gen_require(`
type pulp_server_packet_t;
')
allow $1 pulp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pulp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulp_server_packets'($*)) dnl
gen_require(`
type pulp_server_packet_t;
')
dontaudit $1 pulp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulp_server_packets'($*)) dnl
')
########################################
##
## Receive pulp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulp_server_packets'($*)) dnl
gen_require(`
type pulp_server_packet_t;
')
allow $1 pulp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pulp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulp_server_packets'($*)) dnl
gen_require(`
type pulp_server_packet_t;
')
dontaudit $1 pulp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulp_server_packets'($*)) dnl
')
########################################
##
## Send and receive pulp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulp_server_packets'($*)) dnl
corenet_send_pulp_server_packets($1)
corenet_receive_pulp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pulp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulp_server_packets'($*)) dnl
corenet_dontaudit_send_pulp_server_packets($1)
corenet_dontaudit_receive_pulp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pulp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pulp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulp_server_packets'($*)) dnl
gen_require(`
type pulp_server_packet_t;
')
allow $1 pulp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the puppet port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
allow $1 puppet_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_puppet_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the puppet port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
allow $1 puppet_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_puppet_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the puppet port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
dontaudit $1 puppet_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_puppet_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the puppet port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
allow $1 puppet_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_puppet_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the puppet port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
dontaudit $1 puppet_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_puppet_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the puppet port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_puppet_port'($*)) dnl
corenet_udp_send_puppet_port($1)
corenet_udp_receive_puppet_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_puppet_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the puppet port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_puppet_port'($*)) dnl
corenet_dontaudit_udp_send_puppet_port($1)
corenet_dontaudit_udp_receive_puppet_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_puppet_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the puppet port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
allow $1 puppet_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_puppet_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the puppet port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
allow $1 puppet_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_puppet_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to puppet port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
dontaudit $1 puppet_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_puppet_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the puppet port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
allow $1 puppet_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_puppet_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to puppet port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_puppet_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_puppet_port'($*)) dnl
gen_require(`
type puppet_port_t;
')
dontaudit $1 puppet_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_puppet_port'($*)) dnl
')
########################################
##
## Send puppet_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_puppet_client_packets'($*)) dnl
gen_require(`
type puppet_client_packet_t;
')
allow $1 puppet_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_puppet_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send puppet_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppet_client_packets'($*)) dnl
gen_require(`
type puppet_client_packet_t;
')
dontaudit $1 puppet_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppet_client_packets'($*)) dnl
')
########################################
##
## Receive puppet_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_puppet_client_packets'($*)) dnl
gen_require(`
type puppet_client_packet_t;
')
allow $1 puppet_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_puppet_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive puppet_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppet_client_packets'($*)) dnl
gen_require(`
type puppet_client_packet_t;
')
dontaudit $1 puppet_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppet_client_packets'($*)) dnl
')
########################################
##
## Send and receive puppet_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppet_client_packets'($*)) dnl
corenet_send_puppet_client_packets($1)
corenet_receive_puppet_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppet_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive puppet_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppet_client_packets'($*)) dnl
corenet_dontaudit_send_puppet_client_packets($1)
corenet_dontaudit_receive_puppet_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppet_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to puppet_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_puppet_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppet_client_packets'($*)) dnl
gen_require(`
type puppet_client_packet_t;
')
allow $1 puppet_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppet_client_packets'($*)) dnl
')
########################################
##
## Send puppet_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_puppet_server_packets'($*)) dnl
gen_require(`
type puppet_server_packet_t;
')
allow $1 puppet_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_puppet_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send puppet_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppet_server_packets'($*)) dnl
gen_require(`
type puppet_server_packet_t;
')
dontaudit $1 puppet_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppet_server_packets'($*)) dnl
')
########################################
##
## Receive puppet_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_puppet_server_packets'($*)) dnl
gen_require(`
type puppet_server_packet_t;
')
allow $1 puppet_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_puppet_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive puppet_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppet_server_packets'($*)) dnl
gen_require(`
type puppet_server_packet_t;
')
dontaudit $1 puppet_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppet_server_packets'($*)) dnl
')
########################################
##
## Send and receive puppet_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppet_server_packets'($*)) dnl
corenet_send_puppet_server_packets($1)
corenet_receive_puppet_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppet_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive puppet_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppet_server_packets'($*)) dnl
corenet_dontaudit_send_puppet_server_packets($1)
corenet_dontaudit_receive_puppet_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppet_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to puppet_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppet_server_packets'($*)) dnl
gen_require(`
type puppet_server_packet_t;
')
allow $1 puppet_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppet_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pxe_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
dontaudit $1 pxe_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pxe_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
dontaudit $1 pxe_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pxe_port'($*)) dnl
corenet_udp_send_pxe_port($1)
corenet_udp_receive_pxe_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl
corenet_dontaudit_udp_send_pxe_port($1)
corenet_dontaudit_udp_receive_pxe_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pxe_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pxe port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pxe port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
dontaudit $1 pxe_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pxe_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pxe port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
allow $1 pxe_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pxe_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pxe port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pxe_port'($*)) dnl
gen_require(`
type pxe_port_t;
')
dontaudit $1 pxe_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pxe_port'($*)) dnl
')
########################################
##
## Send pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
allow $1 pxe_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pxe_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pxe_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
dontaudit $1 pxe_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_client_packets'($*)) dnl
')
########################################
##
## Receive pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
allow $1 pxe_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
dontaudit $1 pxe_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl
')
########################################
##
## Send and receive pxe_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_client_packets'($*)) dnl
corenet_send_pxe_client_packets($1)
corenet_receive_pxe_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pxe_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl
corenet_dontaudit_send_pxe_client_packets($1)
corenet_dontaudit_receive_pxe_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pxe_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_client_packets'($*)) dnl
gen_require(`
type pxe_client_packet_t;
')
allow $1 pxe_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_client_packets'($*)) dnl
')
########################################
##
## Send pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
allow $1 pxe_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pxe_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pxe_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
dontaudit $1 pxe_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_server_packets'($*)) dnl
')
########################################
##
## Receive pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
allow $1 pxe_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
dontaudit $1 pxe_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl
')
########################################
##
## Send and receive pxe_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_server_packets'($*)) dnl
corenet_send_pxe_server_packets($1)
corenet_receive_pxe_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pxe_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl
corenet_dontaudit_send_pxe_server_packets($1)
corenet_dontaudit_receive_pxe_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pxe_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_server_packets'($*)) dnl
gen_require(`
type pxe_server_packet_t;
')
allow $1 pxe_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pyzor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
dontaudit $1 pyzor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
dontaudit $1 pyzor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pyzor_port'($*)) dnl
corenet_udp_send_pyzor_port($1)
corenet_udp_receive_pyzor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl
corenet_dontaudit_udp_send_pyzor_port($1)
corenet_dontaudit_udp_receive_pyzor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pyzor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the pyzor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to pyzor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
dontaudit $1 pyzor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pyzor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the pyzor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
allow $1 pyzor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pyzor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to pyzor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pyzor_port'($*)) dnl
gen_require(`
type pyzor_port_t;
')
dontaudit $1 pyzor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pyzor_port'($*)) dnl
')
########################################
##
## Send pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
allow $1 pyzor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pyzor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
dontaudit $1 pyzor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl
')
########################################
##
## Receive pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
allow $1 pyzor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
dontaudit $1 pyzor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl
')
########################################
##
## Send and receive pyzor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_client_packets'($*)) dnl
corenet_send_pyzor_client_packets($1)
corenet_receive_pyzor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pyzor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl
corenet_dontaudit_send_pyzor_client_packets($1)
corenet_dontaudit_receive_pyzor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to pyzor_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_client_packets'($*)) dnl
gen_require(`
type pyzor_client_packet_t;
')
allow $1 pyzor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_client_packets'($*)) dnl
')
########################################
##
## Send pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
allow $1 pyzor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send pyzor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
dontaudit $1 pyzor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl
')
########################################
##
## Receive pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
allow $1 pyzor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
dontaudit $1 pyzor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl
')
########################################
##
## Send and receive pyzor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_server_packets'($*)) dnl
corenet_send_pyzor_server_packets($1)
corenet_receive_pyzor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive pyzor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl
corenet_dontaudit_send_pyzor_server_packets($1)
corenet_dontaudit_receive_pyzor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to pyzor_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_server_packets'($*)) dnl
gen_require(`
type pyzor_server_packet_t;
')
allow $1 pyzor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the neutron port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
allow $1 neutron_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_neutron_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the neutron port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
allow $1 neutron_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_neutron_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the neutron port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
dontaudit $1 neutron_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_neutron_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the neutron port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
allow $1 neutron_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_neutron_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the neutron port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
dontaudit $1 neutron_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_neutron_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the neutron port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_neutron_port'($*)) dnl
corenet_udp_send_neutron_port($1)
corenet_udp_receive_neutron_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_neutron_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the neutron port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_neutron_port'($*)) dnl
corenet_dontaudit_udp_send_neutron_port($1)
corenet_dontaudit_udp_receive_neutron_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_neutron_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the neutron port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
allow $1 neutron_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_neutron_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the neutron port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
allow $1 neutron_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_neutron_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to neutron port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
dontaudit $1 neutron_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_neutron_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the neutron port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
allow $1 neutron_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_neutron_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to neutron port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_neutron_port'($*)) dnl
gen_require(`
type neutron_port_t;
')
dontaudit $1 neutron_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_neutron_port'($*)) dnl
')
########################################
##
## Send neutron_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_neutron_client_packets'($*)) dnl
gen_require(`
type neutron_client_packet_t;
')
allow $1 neutron_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_neutron_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send neutron_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_neutron_client_packets'($*)) dnl
gen_require(`
type neutron_client_packet_t;
')
dontaudit $1 neutron_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_neutron_client_packets'($*)) dnl
')
########################################
##
## Receive neutron_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_neutron_client_packets'($*)) dnl
gen_require(`
type neutron_client_packet_t;
')
allow $1 neutron_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_neutron_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive neutron_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_neutron_client_packets'($*)) dnl
gen_require(`
type neutron_client_packet_t;
')
dontaudit $1 neutron_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_neutron_client_packets'($*)) dnl
')
########################################
##
## Send and receive neutron_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_neutron_client_packets'($*)) dnl
corenet_send_neutron_client_packets($1)
corenet_receive_neutron_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_neutron_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive neutron_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_neutron_client_packets'($*)) dnl
corenet_dontaudit_send_neutron_client_packets($1)
corenet_dontaudit_receive_neutron_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_neutron_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to neutron_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_neutron_client_packets'($*)) dnl
gen_require(`
type neutron_client_packet_t;
')
allow $1 neutron_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_neutron_client_packets'($*)) dnl
')
########################################
##
## Send neutron_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_neutron_server_packets'($*)) dnl
gen_require(`
type neutron_server_packet_t;
')
allow $1 neutron_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_neutron_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send neutron_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_neutron_server_packets'($*)) dnl
gen_require(`
type neutron_server_packet_t;
')
dontaudit $1 neutron_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_neutron_server_packets'($*)) dnl
')
########################################
##
## Receive neutron_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_neutron_server_packets'($*)) dnl
gen_require(`
type neutron_server_packet_t;
')
allow $1 neutron_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_neutron_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive neutron_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_neutron_server_packets'($*)) dnl
gen_require(`
type neutron_server_packet_t;
')
dontaudit $1 neutron_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_neutron_server_packets'($*)) dnl
')
########################################
##
## Send and receive neutron_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_neutron_server_packets'($*)) dnl
corenet_send_neutron_server_packets($1)
corenet_receive_neutron_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_neutron_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive neutron_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_neutron_server_packets'($*)) dnl
corenet_dontaudit_send_neutron_server_packets($1)
corenet_dontaudit_receive_neutron_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_neutron_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to neutron_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_neutron_server_packets'($*)) dnl
gen_require(`
type neutron_server_packet_t;
')
allow $1 neutron_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_neutron_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the nsd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
allow $1 nsd_control_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nsd_control_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the nsd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
allow $1 nsd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nsd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the nsd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
dontaudit $1 nsd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nsd_control_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the nsd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
allow $1 nsd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nsd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the nsd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
dontaudit $1 nsd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nsd_control_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the nsd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nsd_control_port'($*)) dnl
corenet_udp_send_nsd_control_port($1)
corenet_udp_receive_nsd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nsd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nsd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nsd_control_port'($*)) dnl
corenet_dontaudit_udp_send_nsd_control_port($1)
corenet_dontaudit_udp_receive_nsd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nsd_control_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the nsd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
allow $1 nsd_control_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nsd_control_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the nsd_control port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
allow $1 nsd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nsd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to nsd_control port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
dontaudit $1 nsd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nsd_control_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the nsd_control port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
allow $1 nsd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nsd_control_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to nsd_control port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nsd_control_port'($*)) dnl
gen_require(`
type nsd_control_port_t;
')
dontaudit $1 nsd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nsd_control_port'($*)) dnl
')
########################################
##
## Send nsd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsd_control_client_packets'($*)) dnl
gen_require(`
type nsd_control_client_packet_t;
')
allow $1 nsd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nsd_control_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsd_control_client_packets'($*)) dnl
gen_require(`
type nsd_control_client_packet_t;
')
dontaudit $1 nsd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Receive nsd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsd_control_client_packets'($*)) dnl
gen_require(`
type nsd_control_client_packet_t;
')
allow $1 nsd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nsd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsd_control_client_packets'($*)) dnl
gen_require(`
type nsd_control_client_packet_t;
')
dontaudit $1 nsd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Send and receive nsd_control_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsd_control_client_packets'($*)) dnl
corenet_send_nsd_control_client_packets($1)
corenet_receive_nsd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nsd_control_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsd_control_client_packets'($*)) dnl
corenet_dontaudit_send_nsd_control_client_packets($1)
corenet_dontaudit_receive_nsd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to nsd_control_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsd_control_client_packets'($*)) dnl
gen_require(`
type nsd_control_client_packet_t;
')
allow $1 nsd_control_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsd_control_client_packets'($*)) dnl
')
########################################
##
## Send nsd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsd_control_server_packets'($*)) dnl
gen_require(`
type nsd_control_server_packet_t;
')
allow $1 nsd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send nsd_control_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsd_control_server_packets'($*)) dnl
gen_require(`
type nsd_control_server_packet_t;
')
dontaudit $1 nsd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Receive nsd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsd_control_server_packets'($*)) dnl
gen_require(`
type nsd_control_server_packet_t;
')
allow $1 nsd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive nsd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsd_control_server_packets'($*)) dnl
gen_require(`
type nsd_control_server_packet_t;
')
dontaudit $1 nsd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Send and receive nsd_control_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsd_control_server_packets'($*)) dnl
corenet_send_nsd_control_server_packets($1)
corenet_receive_nsd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive nsd_control_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsd_control_server_packets'($*)) dnl
corenet_dontaudit_send_nsd_control_server_packets($1)
corenet_dontaudit_receive_nsd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to nsd_control_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsd_control_server_packets'($*)) dnl
gen_require(`
type nsd_control_server_packet_t;
')
allow $1 nsd_control_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsd_control_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radacct_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
dontaudit $1 radacct_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radacct_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
dontaudit $1 radacct_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radacct_port'($*)) dnl
corenet_udp_send_radacct_port($1)
corenet_udp_receive_radacct_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl
corenet_dontaudit_udp_send_radacct_port($1)
corenet_dontaudit_udp_receive_radacct_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radacct_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the radacct port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to radacct port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
dontaudit $1 radacct_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_radacct_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the radacct port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
allow $1 radacct_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radacct_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to radacct port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_radacct_port'($*)) dnl
gen_require(`
type radacct_port_t;
')
dontaudit $1 radacct_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_radacct_port'($*)) dnl
')
########################################
##
## Send radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
allow $1 radacct_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radacct_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radacct_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
dontaudit $1 radacct_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_client_packets'($*)) dnl
')
########################################
##
## Receive radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
allow $1 radacct_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
dontaudit $1 radacct_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl
')
########################################
##
## Send and receive radacct_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_client_packets'($*)) dnl
corenet_send_radacct_client_packets($1)
corenet_receive_radacct_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radacct_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl
corenet_dontaudit_send_radacct_client_packets($1)
corenet_dontaudit_receive_radacct_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to radacct_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radacct_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_client_packets'($*)) dnl
gen_require(`
type radacct_client_packet_t;
')
allow $1 radacct_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_client_packets'($*)) dnl
')
########################################
##
## Send radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
allow $1 radacct_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radacct_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radacct_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
dontaudit $1 radacct_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_server_packets'($*)) dnl
')
########################################
##
## Receive radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
allow $1 radacct_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
dontaudit $1 radacct_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl
')
########################################
##
## Send and receive radacct_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_server_packets'($*)) dnl
corenet_send_radacct_server_packets($1)
corenet_receive_radacct_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radacct_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl
corenet_dontaudit_send_radacct_server_packets($1)
corenet_dontaudit_receive_radacct_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to radacct_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radacct_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_server_packets'($*)) dnl
gen_require(`
type radacct_server_packet_t;
')
allow $1 radacct_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radius_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
dontaudit $1 radius_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radius_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
dontaudit $1 radius_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radius_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radius_port'($*)) dnl
corenet_udp_send_radius_port($1)
corenet_udp_receive_radius_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl
corenet_dontaudit_udp_send_radius_port($1)
corenet_dontaudit_udp_receive_radius_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radius_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
dontaudit $1 radius_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_radius_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the radius port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
allow $1 radius_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radius_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to radius port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_radius_port'($*)) dnl
gen_require(`
type radius_port_t;
')
dontaudit $1 radius_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_radius_port'($*)) dnl
')
########################################
##
## Send radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
allow $1 radius_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radius_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radius_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
dontaudit $1 radius_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_client_packets'($*)) dnl
')
########################################
##
## Receive radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
allow $1 radius_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radius_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
dontaudit $1 radius_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_client_packets'($*)) dnl
')
########################################
##
## Send and receive radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_client_packets'($*)) dnl
corenet_send_radius_client_packets($1)
corenet_receive_radius_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radius_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl
corenet_dontaudit_send_radius_client_packets($1)
corenet_dontaudit_receive_radius_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to radius_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_client_packets'($*)) dnl
gen_require(`
type radius_client_packet_t;
')
allow $1 radius_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_client_packets'($*)) dnl
')
########################################
##
## Send radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
allow $1 radius_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radius_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radius_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
dontaudit $1 radius_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_server_packets'($*)) dnl
')
########################################
##
## Receive radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
allow $1 radius_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radius_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
dontaudit $1 radius_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_server_packets'($*)) dnl
')
########################################
##
## Send and receive radius_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_server_packets'($*)) dnl
corenet_send_radius_server_packets($1)
corenet_receive_radius_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radius_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl
corenet_dontaudit_send_radius_server_packets($1)
corenet_dontaudit_receive_radius_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to radius_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radius_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_server_packets'($*)) dnl
gen_require(`
type radius_server_packet_t;
')
allow $1 radius_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the radsec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
allow $1 radsec_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radsec_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the radsec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
allow $1 radsec_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_radsec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the radsec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
dontaudit $1 radsec_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radsec_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the radsec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
allow $1 radsec_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radsec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the radsec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
dontaudit $1 radsec_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radsec_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the radsec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radsec_port'($*)) dnl
corenet_udp_send_radsec_port($1)
corenet_udp_receive_radsec_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radsec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the radsec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radsec_port'($*)) dnl
corenet_dontaudit_udp_send_radsec_port($1)
corenet_dontaudit_udp_receive_radsec_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radsec_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the radsec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
allow $1 radsec_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radsec_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the radsec port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
allow $1 radsec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radsec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to radsec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
dontaudit $1 radsec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_radsec_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the radsec port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
allow $1 radsec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radsec_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to radsec port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_radsec_port'($*)) dnl
gen_require(`
type radsec_port_t;
')
dontaudit $1 radsec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_radsec_port'($*)) dnl
')
########################################
##
## Send radsec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radsec_client_packets'($*)) dnl
gen_require(`
type radsec_client_packet_t;
')
allow $1 radsec_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radsec_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radsec_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radsec_client_packets'($*)) dnl
gen_require(`
type radsec_client_packet_t;
')
dontaudit $1 radsec_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radsec_client_packets'($*)) dnl
')
########################################
##
## Receive radsec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radsec_client_packets'($*)) dnl
gen_require(`
type radsec_client_packet_t;
')
allow $1 radsec_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radsec_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radsec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radsec_client_packets'($*)) dnl
gen_require(`
type radsec_client_packet_t;
')
dontaudit $1 radsec_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radsec_client_packets'($*)) dnl
')
########################################
##
## Send and receive radsec_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radsec_client_packets'($*)) dnl
corenet_send_radsec_client_packets($1)
corenet_receive_radsec_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radsec_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radsec_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radsec_client_packets'($*)) dnl
corenet_dontaudit_send_radsec_client_packets($1)
corenet_dontaudit_receive_radsec_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radsec_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to radsec_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radsec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radsec_client_packets'($*)) dnl
gen_require(`
type radsec_client_packet_t;
')
allow $1 radsec_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radsec_client_packets'($*)) dnl
')
########################################
##
## Send radsec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radsec_server_packets'($*)) dnl
gen_require(`
type radsec_server_packet_t;
')
allow $1 radsec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radsec_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send radsec_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radsec_server_packets'($*)) dnl
gen_require(`
type radsec_server_packet_t;
')
dontaudit $1 radsec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radsec_server_packets'($*)) dnl
')
########################################
##
## Receive radsec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radsec_server_packets'($*)) dnl
gen_require(`
type radsec_server_packet_t;
')
allow $1 radsec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radsec_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive radsec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radsec_server_packets'($*)) dnl
gen_require(`
type radsec_server_packet_t;
')
dontaudit $1 radsec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radsec_server_packets'($*)) dnl
')
########################################
##
## Send and receive radsec_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radsec_server_packets'($*)) dnl
corenet_send_radsec_server_packets($1)
corenet_receive_radsec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radsec_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive radsec_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radsec_server_packets'($*)) dnl
corenet_dontaudit_send_radsec_server_packets($1)
corenet_dontaudit_receive_radsec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radsec_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to radsec_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_radsec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radsec_server_packets'($*)) dnl
gen_require(`
type radsec_server_packet_t;
')
allow $1 radsec_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radsec_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_razor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
dontaudit $1 razor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_razor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
dontaudit $1 razor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_razor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_razor_port'($*)) dnl
corenet_udp_send_razor_port($1)
corenet_udp_receive_razor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl
corenet_dontaudit_udp_send_razor_port($1)
corenet_dontaudit_udp_receive_razor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_razor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the razor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to razor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
dontaudit $1 razor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_razor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the razor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
allow $1 razor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_razor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to razor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_razor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_razor_port'($*)) dnl
gen_require(`
type razor_port_t;
')
dontaudit $1 razor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_razor_port'($*)) dnl
')
########################################
##
## Send razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_razor_client_packets'($*)) dnl
gen_require(`
type razor_client_packet_t;
')
allow $1 razor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_razor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send razor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_client_packets'($*)) dnl
gen_require(`
type razor_client_packet_t;
')
dontaudit $1 razor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_client_packets'($*)) dnl
')
########################################
##
## Receive razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_client_packets'($*)) dnl
gen_require(`
type razor_client_packet_t;
')
allow $1 razor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_razor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_client_packets'($*)) dnl
gen_require(`
type razor_client_packet_t;
')
dontaudit $1 razor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_client_packets'($*)) dnl
')
########################################
##
## Send and receive razor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_client_packets'($*)) dnl
corenet_send_razor_client_packets($1)
corenet_receive_razor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive razor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl
corenet_dontaudit_send_razor_client_packets($1)
corenet_dontaudit_receive_razor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to razor_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_razor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_client_packets'($*)) dnl
gen_require(`
type razor_client_packet_t;
')
allow $1 razor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_client_packets'($*)) dnl
')
########################################
##
## Send razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_razor_server_packets'($*)) dnl
gen_require(`
type razor_server_packet_t;
')
allow $1 razor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_razor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send razor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_server_packets'($*)) dnl
gen_require(`
type razor_server_packet_t;
')
dontaudit $1 razor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_server_packets'($*)) dnl
')
########################################
##
## Receive razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_server_packets'($*)) dnl
gen_require(`
type razor_server_packet_t;
')
allow $1 razor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_razor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_server_packets'($*)) dnl
gen_require(`
type razor_server_packet_t;
')
dontaudit $1 razor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_server_packets'($*)) dnl
')
########################################
##
## Send and receive razor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_server_packets'($*)) dnl
corenet_send_razor_server_packets($1)
corenet_receive_razor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive razor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl
corenet_dontaudit_send_razor_server_packets($1)
corenet_dontaudit_receive_razor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to razor_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_razor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_server_packets'($*)) dnl
gen_require(`
type razor_server_packet_t;
')
allow $1 razor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the time port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
allow $1 time_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_time_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the time port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
allow $1 time_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_time_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the time port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
dontaudit $1 time_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_time_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the time port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
allow $1 time_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_time_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the time port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
dontaudit $1 time_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_time_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the time port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_time_port'($*)) dnl
corenet_udp_send_time_port($1)
corenet_udp_receive_time_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_time_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the time port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_time_port'($*)) dnl
corenet_dontaudit_udp_send_time_port($1)
corenet_dontaudit_udp_receive_time_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_time_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the time port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
allow $1 time_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_time_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the time port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
allow $1 time_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_time_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to time port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
dontaudit $1 time_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_time_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the time port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
allow $1 time_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_time_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to time port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_time_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_time_port'($*)) dnl
gen_require(`
type time_port_t;
')
dontaudit $1 time_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_time_port'($*)) dnl
')
########################################
##
## Send time_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_time_client_packets'($*)) dnl
gen_require(`
type time_client_packet_t;
')
allow $1 time_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_time_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send time_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_time_client_packets'($*)) dnl
gen_require(`
type time_client_packet_t;
')
dontaudit $1 time_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_time_client_packets'($*)) dnl
')
########################################
##
## Receive time_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_time_client_packets'($*)) dnl
gen_require(`
type time_client_packet_t;
')
allow $1 time_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_time_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive time_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_time_client_packets'($*)) dnl
gen_require(`
type time_client_packet_t;
')
dontaudit $1 time_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_time_client_packets'($*)) dnl
')
########################################
##
## Send and receive time_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_time_client_packets'($*)) dnl
corenet_send_time_client_packets($1)
corenet_receive_time_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_time_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive time_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_time_client_packets'($*)) dnl
corenet_dontaudit_send_time_client_packets($1)
corenet_dontaudit_receive_time_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_time_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to time_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_time_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_time_client_packets'($*)) dnl
gen_require(`
type time_client_packet_t;
')
allow $1 time_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_time_client_packets'($*)) dnl
')
########################################
##
## Send time_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_time_server_packets'($*)) dnl
gen_require(`
type time_server_packet_t;
')
allow $1 time_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_time_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send time_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_time_server_packets'($*)) dnl
gen_require(`
type time_server_packet_t;
')
dontaudit $1 time_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_time_server_packets'($*)) dnl
')
########################################
##
## Receive time_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_time_server_packets'($*)) dnl
gen_require(`
type time_server_packet_t;
')
allow $1 time_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_time_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive time_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_time_server_packets'($*)) dnl
gen_require(`
type time_server_packet_t;
')
dontaudit $1 time_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_time_server_packets'($*)) dnl
')
########################################
##
## Send and receive time_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_time_server_packets'($*)) dnl
corenet_send_time_server_packets($1)
corenet_receive_time_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_time_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive time_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_time_server_packets'($*)) dnl
corenet_dontaudit_send_time_server_packets($1)
corenet_dontaudit_receive_time_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_time_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to time_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_time_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_time_server_packets'($*)) dnl
gen_require(`
type time_server_packet_t;
')
allow $1 time_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_time_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the redis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
allow $1 redis_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_redis_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the redis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
allow $1 redis_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_redis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the redis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
dontaudit $1 redis_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_redis_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the redis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
allow $1 redis_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_redis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the redis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
dontaudit $1 redis_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_redis_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the redis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_redis_port'($*)) dnl
corenet_udp_send_redis_port($1)
corenet_udp_receive_redis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_redis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the redis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_redis_port'($*)) dnl
corenet_dontaudit_udp_send_redis_port($1)
corenet_dontaudit_udp_receive_redis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_redis_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the redis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
allow $1 redis_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_redis_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the redis port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
allow $1 redis_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_redis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to redis port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
dontaudit $1 redis_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_redis_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the redis port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
allow $1 redis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_redis_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to redis port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_redis_port'($*)) dnl
gen_require(`
type redis_port_t;
')
dontaudit $1 redis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_redis_port'($*)) dnl
')
########################################
##
## Send redis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_redis_client_packets'($*)) dnl
gen_require(`
type redis_client_packet_t;
')
allow $1 redis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_redis_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send redis_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_redis_client_packets'($*)) dnl
gen_require(`
type redis_client_packet_t;
')
dontaudit $1 redis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_redis_client_packets'($*)) dnl
')
########################################
##
## Receive redis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_redis_client_packets'($*)) dnl
gen_require(`
type redis_client_packet_t;
')
allow $1 redis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_redis_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive redis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_redis_client_packets'($*)) dnl
gen_require(`
type redis_client_packet_t;
')
dontaudit $1 redis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_redis_client_packets'($*)) dnl
')
########################################
##
## Send and receive redis_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_redis_client_packets'($*)) dnl
corenet_send_redis_client_packets($1)
corenet_receive_redis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_redis_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive redis_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_redis_client_packets'($*)) dnl
corenet_dontaudit_send_redis_client_packets($1)
corenet_dontaudit_receive_redis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_redis_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to redis_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_redis_client_packets'($*)) dnl
gen_require(`
type redis_client_packet_t;
')
allow $1 redis_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_redis_client_packets'($*)) dnl
')
########################################
##
## Send redis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_redis_server_packets'($*)) dnl
gen_require(`
type redis_server_packet_t;
')
allow $1 redis_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_redis_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send redis_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_redis_server_packets'($*)) dnl
gen_require(`
type redis_server_packet_t;
')
dontaudit $1 redis_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_redis_server_packets'($*)) dnl
')
########################################
##
## Receive redis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_redis_server_packets'($*)) dnl
gen_require(`
type redis_server_packet_t;
')
allow $1 redis_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_redis_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive redis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_redis_server_packets'($*)) dnl
gen_require(`
type redis_server_packet_t;
')
dontaudit $1 redis_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_redis_server_packets'($*)) dnl
')
########################################
##
## Send and receive redis_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_redis_server_packets'($*)) dnl
corenet_send_redis_server_packets($1)
corenet_receive_redis_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_redis_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive redis_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_redis_server_packets'($*)) dnl
corenet_dontaudit_send_redis_server_packets($1)
corenet_dontaudit_receive_redis_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_redis_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to redis_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_redis_server_packets'($*)) dnl
gen_require(`
type redis_server_packet_t;
')
allow $1 redis_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_redis_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the repository port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
allow $1 repository_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_repository_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the repository port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
allow $1 repository_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_repository_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the repository port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
dontaudit $1 repository_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_repository_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the repository port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
allow $1 repository_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_repository_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the repository port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
dontaudit $1 repository_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_repository_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the repository port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_repository_port'($*)) dnl
corenet_udp_send_repository_port($1)
corenet_udp_receive_repository_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_repository_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the repository port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_repository_port'($*)) dnl
corenet_dontaudit_udp_send_repository_port($1)
corenet_dontaudit_udp_receive_repository_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_repository_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the repository port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
allow $1 repository_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_repository_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the repository port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
allow $1 repository_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_repository_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to repository port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
dontaudit $1 repository_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_repository_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the repository port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
allow $1 repository_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_repository_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to repository port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_repository_port'($*)) dnl
gen_require(`
type repository_port_t;
')
dontaudit $1 repository_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_repository_port'($*)) dnl
')
########################################
##
## Send repository_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_repository_client_packets'($*)) dnl
gen_require(`
type repository_client_packet_t;
')
allow $1 repository_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_repository_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send repository_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_repository_client_packets'($*)) dnl
gen_require(`
type repository_client_packet_t;
')
dontaudit $1 repository_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_repository_client_packets'($*)) dnl
')
########################################
##
## Receive repository_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_repository_client_packets'($*)) dnl
gen_require(`
type repository_client_packet_t;
')
allow $1 repository_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_repository_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive repository_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_repository_client_packets'($*)) dnl
gen_require(`
type repository_client_packet_t;
')
dontaudit $1 repository_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_repository_client_packets'($*)) dnl
')
########################################
##
## Send and receive repository_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_repository_client_packets'($*)) dnl
corenet_send_repository_client_packets($1)
corenet_receive_repository_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_repository_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive repository_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_repository_client_packets'($*)) dnl
corenet_dontaudit_send_repository_client_packets($1)
corenet_dontaudit_receive_repository_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_repository_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to repository_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_repository_client_packets'($*)) dnl
gen_require(`
type repository_client_packet_t;
')
allow $1 repository_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_repository_client_packets'($*)) dnl
')
########################################
##
## Send repository_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_repository_server_packets'($*)) dnl
gen_require(`
type repository_server_packet_t;
')
allow $1 repository_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_repository_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send repository_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_repository_server_packets'($*)) dnl
gen_require(`
type repository_server_packet_t;
')
dontaudit $1 repository_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_repository_server_packets'($*)) dnl
')
########################################
##
## Receive repository_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_repository_server_packets'($*)) dnl
gen_require(`
type repository_server_packet_t;
')
allow $1 repository_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_repository_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive repository_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_repository_server_packets'($*)) dnl
gen_require(`
type repository_server_packet_t;
')
dontaudit $1 repository_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_repository_server_packets'($*)) dnl
')
########################################
##
## Send and receive repository_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_repository_server_packets'($*)) dnl
corenet_send_repository_server_packets($1)
corenet_receive_repository_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_repository_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive repository_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_repository_server_packets'($*)) dnl
corenet_dontaudit_send_repository_server_packets($1)
corenet_dontaudit_receive_repository_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_repository_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to repository_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_repository_server_packets'($*)) dnl
gen_require(`
type repository_server_packet_t;
')
allow $1 repository_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_repository_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
allow $1 ricci_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
allow $1 ricci_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ricci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
dontaudit $1 ricci_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
allow $1 ricci_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ricci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
dontaudit $1 ricci_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_port'($*)) dnl
corenet_udp_send_ricci_port($1)
corenet_udp_receive_ricci_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ricci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl
corenet_dontaudit_udp_send_ricci_port($1)
corenet_dontaudit_udp_receive_ricci_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
allow $1 ricci_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ricci port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
allow $1 ricci_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ricci port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
dontaudit $1 ricci_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ricci_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ricci port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
allow $1 ricci_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ricci port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ricci_port'($*)) dnl
gen_require(`
type ricci_port_t;
')
dontaudit $1 ricci_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ricci_port'($*)) dnl
')
########################################
##
## Send ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_client_packets'($*)) dnl
gen_require(`
type ricci_client_packet_t;
')
allow $1 ricci_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_client_packets'($*)) dnl
gen_require(`
type ricci_client_packet_t;
')
dontaudit $1 ricci_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_client_packets'($*)) dnl
')
########################################
##
## Receive ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_client_packets'($*)) dnl
gen_require(`
type ricci_client_packet_t;
')
allow $1 ricci_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl
gen_require(`
type ricci_client_packet_t;
')
dontaudit $1 ricci_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_client_packets'($*)) dnl
corenet_send_ricci_client_packets($1)
corenet_receive_ricci_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl
corenet_dontaudit_send_ricci_client_packets($1)
corenet_dontaudit_receive_ricci_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ricci_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_client_packets'($*)) dnl
gen_require(`
type ricci_client_packet_t;
')
allow $1 ricci_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_client_packets'($*)) dnl
')
########################################
##
## Send ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_server_packets'($*)) dnl
gen_require(`
type ricci_server_packet_t;
')
allow $1 ricci_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_server_packets'($*)) dnl
gen_require(`
type ricci_server_packet_t;
')
dontaudit $1 ricci_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_server_packets'($*)) dnl
')
########################################
##
## Receive ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_server_packets'($*)) dnl
gen_require(`
type ricci_server_packet_t;
')
allow $1 ricci_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl
gen_require(`
type ricci_server_packet_t;
')
dontaudit $1 ricci_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_server_packets'($*)) dnl
corenet_send_ricci_server_packets($1)
corenet_receive_ricci_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl
corenet_dontaudit_send_ricci_server_packets($1)
corenet_dontaudit_receive_ricci_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ricci_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_server_packets'($*)) dnl
gen_require(`
type ricci_server_packet_t;
')
allow $1 ricci_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
dontaudit $1 ricci_modcluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
dontaudit $1 ricci_modcluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl
corenet_udp_send_ricci_modcluster_port($1)
corenet_udp_receive_ricci_modcluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl
corenet_dontaudit_udp_send_ricci_modcluster_port($1)
corenet_dontaudit_udp_receive_ricci_modcluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ricci_modcluster port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
dontaudit $1 ricci_modcluster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
allow $1 ricci_modcluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ricci_modcluster port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ricci_modcluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ricci_modcluster_port'($*)) dnl
gen_require(`
type ricci_modcluster_port_t;
')
dontaudit $1 ricci_modcluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ricci_modcluster_port'($*)) dnl
')
########################################
##
## Send ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_client_packets'($*)) dnl
gen_require(`
type ricci_modcluster_client_packet_t;
')
allow $1 ricci_modcluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_modcluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl
gen_require(`
type ricci_modcluster_client_packet_t;
')
dontaudit $1 ricci_modcluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Receive ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_client_packets'($*)) dnl
gen_require(`
type ricci_modcluster_client_packet_t;
')
allow $1 ricci_modcluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl
gen_require(`
type ricci_modcluster_client_packet_t;
')
dontaudit $1 ricci_modcluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_modcluster_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl
corenet_send_ricci_modcluster_client_packets($1)
corenet_receive_ricci_modcluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_modcluster_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl
corenet_dontaudit_send_ricci_modcluster_client_packets($1)
corenet_dontaudit_receive_ricci_modcluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ricci_modcluster_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_modcluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl
gen_require(`
type ricci_modcluster_client_packet_t;
')
allow $1 ricci_modcluster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl
')
########################################
##
## Send ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_server_packets'($*)) dnl
gen_require(`
type ricci_modcluster_server_packet_t;
')
allow $1 ricci_modcluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ricci_modcluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl
gen_require(`
type ricci_modcluster_server_packet_t;
')
dontaudit $1 ricci_modcluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Receive ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_server_packets'($*)) dnl
gen_require(`
type ricci_modcluster_server_packet_t;
')
allow $1 ricci_modcluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl
gen_require(`
type ricci_modcluster_server_packet_t;
')
dontaudit $1 ricci_modcluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive ricci_modcluster_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl
corenet_send_ricci_modcluster_server_packets($1)
corenet_receive_ricci_modcluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ricci_modcluster_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl
corenet_dontaudit_send_ricci_modcluster_server_packets($1)
corenet_dontaudit_receive_ricci_modcluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ricci_modcluster_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ricci_modcluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl
gen_require(`
type ricci_modcluster_server_packet_t;
')
allow $1 ricci_modcluster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rlogind_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
dontaudit $1 rlogind_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
dontaudit $1 rlogind_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rlogind_port'($*)) dnl
corenet_udp_send_rlogind_port($1)
corenet_udp_receive_rlogind_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl
corenet_dontaudit_udp_send_rlogind_port($1)
corenet_dontaudit_udp_receive_rlogind_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rlogind_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rlogind port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rlogind port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
dontaudit $1 rlogind_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rlogind_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rlogind port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
allow $1 rlogind_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rlogind_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rlogind port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rlogind_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rlogind_port'($*)) dnl
gen_require(`
type rlogind_port_t;
')
dontaudit $1 rlogind_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rlogind_port'($*)) dnl
')
########################################
##
## Send rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_client_packets'($*)) dnl
gen_require(`
type rlogind_client_packet_t;
')
allow $1 rlogind_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rlogind_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl
gen_require(`
type rlogind_client_packet_t;
')
dontaudit $1 rlogind_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl
')
########################################
##
## Receive rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_client_packets'($*)) dnl
gen_require(`
type rlogind_client_packet_t;
')
allow $1 rlogind_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl
gen_require(`
type rlogind_client_packet_t;
')
dontaudit $1 rlogind_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl
')
########################################
##
## Send and receive rlogind_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_client_packets'($*)) dnl
corenet_send_rlogind_client_packets($1)
corenet_receive_rlogind_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rlogind_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl
corenet_dontaudit_send_rlogind_client_packets($1)
corenet_dontaudit_receive_rlogind_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rlogind_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_client_packets'($*)) dnl
gen_require(`
type rlogind_client_packet_t;
')
allow $1 rlogind_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_client_packets'($*)) dnl
')
########################################
##
## Send rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_server_packets'($*)) dnl
gen_require(`
type rlogind_server_packet_t;
')
allow $1 rlogind_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rlogind_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl
gen_require(`
type rlogind_server_packet_t;
')
dontaudit $1 rlogind_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl
')
########################################
##
## Receive rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_server_packets'($*)) dnl
gen_require(`
type rlogind_server_packet_t;
')
allow $1 rlogind_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl
gen_require(`
type rlogind_server_packet_t;
')
dontaudit $1 rlogind_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl
')
########################################
##
## Send and receive rlogind_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_server_packets'($*)) dnl
corenet_send_rlogind_server_packets($1)
corenet_receive_rlogind_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rlogind_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl
corenet_dontaudit_send_rlogind_server_packets($1)
corenet_dontaudit_receive_rlogind_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rlogind_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_server_packets'($*)) dnl
gen_require(`
type rlogind_server_packet_t;
')
allow $1 rlogind_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rndc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rndc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rndc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rndc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rndc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
dontaudit $1 rndc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rndc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rndc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rndc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rndc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
dontaudit $1 rndc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rndc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rndc_port'($*)) dnl
corenet_udp_send_rndc_port($1)
corenet_udp_receive_rndc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rndc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rndc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl
corenet_dontaudit_udp_send_rndc_port($1)
corenet_dontaudit_udp_receive_rndc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rndc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rndc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rndc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rndc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rndc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
dontaudit $1 rndc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rndc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rndc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
allow $1 rndc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rndc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rndc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rndc_port'($*)) dnl
gen_require(`
type rndc_port_t;
')
dontaudit $1 rndc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rndc_port'($*)) dnl
')
########################################
##
## Send rndc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
allow $1 rndc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rndc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rndc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
dontaudit $1 rndc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_client_packets'($*)) dnl
')
########################################
##
## Receive rndc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
allow $1 rndc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rndc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
dontaudit $1 rndc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl
')
########################################
##
## Send and receive rndc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_client_packets'($*)) dnl
corenet_send_rndc_client_packets($1)
corenet_receive_rndc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rndc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl
corenet_dontaudit_send_rndc_client_packets($1)
corenet_dontaudit_receive_rndc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rndc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_client_packets'($*)) dnl
gen_require(`
type rndc_client_packet_t;
')
allow $1 rndc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_client_packets'($*)) dnl
')
########################################
##
## Send rndc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
allow $1 rndc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rndc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rndc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
dontaudit $1 rndc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_server_packets'($*)) dnl
')
########################################
##
## Receive rndc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
allow $1 rndc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rndc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
dontaudit $1 rndc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl
')
########################################
##
## Send and receive rndc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_server_packets'($*)) dnl
corenet_send_rndc_server_packets($1)
corenet_receive_rndc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rndc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl
corenet_dontaudit_send_rndc_server_packets($1)
corenet_dontaudit_receive_rndc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rndc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_server_packets'($*)) dnl
gen_require(`
type rndc_server_packet_t;
')
allow $1 rndc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_router_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
dontaudit $1 router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_router_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
dontaudit $1 router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_router_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_router_port'($*)) dnl
corenet_udp_send_router_port($1)
corenet_udp_receive_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl
corenet_dontaudit_udp_send_router_port($1)
corenet_dontaudit_udp_receive_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_router_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the router port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to router port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
dontaudit $1 router_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_router_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the router port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
allow $1 router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_router_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to router port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_router_port'($*)) dnl
gen_require(`
type router_port_t;
')
dontaudit $1 router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_router_port'($*)) dnl
')
########################################
##
## Send router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
allow $1 router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_router_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send router_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
dontaudit $1 router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_client_packets'($*)) dnl
')
########################################
##
## Receive router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
allow $1 router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_router_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
dontaudit $1 router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_client_packets'($*)) dnl
')
########################################
##
## Send and receive router_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_client_packets'($*)) dnl
corenet_send_router_client_packets($1)
corenet_receive_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive router_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl
corenet_dontaudit_send_router_client_packets($1)
corenet_dontaudit_receive_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to router_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_client_packets'($*)) dnl
gen_require(`
type router_client_packet_t;
')
allow $1 router_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_client_packets'($*)) dnl
')
########################################
##
## Send router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
allow $1 router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send router_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
dontaudit $1 router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_server_packets'($*)) dnl
')
########################################
##
## Receive router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
allow $1 router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
dontaudit $1 router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_server_packets'($*)) dnl
')
########################################
##
## Send and receive router_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_server_packets'($*)) dnl
corenet_send_router_server_packets($1)
corenet_receive_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive router_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl
corenet_dontaudit_send_router_server_packets($1)
corenet_dontaudit_receive_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to router_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_server_packets'($*)) dnl
gen_require(`
type router_server_packet_t;
')
allow $1 router_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsh_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
dontaudit $1 rsh_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsh_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
dontaudit $1 rsh_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsh_port'($*)) dnl
corenet_udp_send_rsh_port($1)
corenet_udp_receive_rsh_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl
corenet_dontaudit_udp_send_rsh_port($1)
corenet_dontaudit_udp_receive_rsh_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsh_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rsh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rsh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
dontaudit $1 rsh_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rsh_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rsh port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
allow $1 rsh_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rsh port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rsh_port'($*)) dnl
gen_require(`
type rsh_port_t;
')
dontaudit $1 rsh_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rsh_port'($*)) dnl
')
########################################
##
## Send rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
allow $1 rsh_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
dontaudit $1 rsh_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_client_packets'($*)) dnl
')
########################################
##
## Receive rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
allow $1 rsh_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
dontaudit $1 rsh_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl
')
########################################
##
## Send and receive rsh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_client_packets'($*)) dnl
corenet_send_rsh_client_packets($1)
corenet_receive_rsh_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl
corenet_dontaudit_send_rsh_client_packets($1)
corenet_dontaudit_receive_rsh_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rsh_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_client_packets'($*)) dnl
gen_require(`
type rsh_client_packet_t;
')
allow $1 rsh_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_client_packets'($*)) dnl
')
########################################
##
## Send rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
allow $1 rsh_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
dontaudit $1 rsh_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_server_packets'($*)) dnl
')
########################################
##
## Receive rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
allow $1 rsh_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
dontaudit $1 rsh_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl
')
########################################
##
## Send and receive rsh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_server_packets'($*)) dnl
corenet_send_rsh_server_packets($1)
corenet_receive_rsh_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl
corenet_dontaudit_send_rsh_server_packets($1)
corenet_dontaudit_receive_rsh_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rsh_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_server_packets'($*)) dnl
gen_require(`
type rsh_server_packet_t;
')
allow $1 rsh_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsync_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
dontaudit $1 rsync_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsync_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
dontaudit $1 rsync_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsync_port'($*)) dnl
corenet_udp_send_rsync_port($1)
corenet_udp_receive_rsync_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl
corenet_dontaudit_udp_send_rsync_port($1)
corenet_dontaudit_udp_receive_rsync_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsync_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rsync port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rsync port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
dontaudit $1 rsync_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rsync_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rsync port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
allow $1 rsync_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsync_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rsync port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rsync_port'($*)) dnl
gen_require(`
type rsync_port_t;
')
dontaudit $1 rsync_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rsync_port'($*)) dnl
')
########################################
##
## Send rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
allow $1 rsync_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsync_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsync_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
dontaudit $1 rsync_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_client_packets'($*)) dnl
')
########################################
##
## Receive rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
allow $1 rsync_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
dontaudit $1 rsync_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl
')
########################################
##
## Send and receive rsync_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_client_packets'($*)) dnl
corenet_send_rsync_client_packets($1)
corenet_receive_rsync_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsync_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl
corenet_dontaudit_send_rsync_client_packets($1)
corenet_dontaudit_receive_rsync_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rsync_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_client_packets'($*)) dnl
gen_require(`
type rsync_client_packet_t;
')
allow $1 rsync_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_client_packets'($*)) dnl
')
########################################
##
## Send rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
allow $1 rsync_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsync_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rsync_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
dontaudit $1 rsync_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_server_packets'($*)) dnl
')
########################################
##
## Receive rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
allow $1 rsync_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
dontaudit $1 rsync_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl
')
########################################
##
## Send and receive rsync_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_server_packets'($*)) dnl
corenet_send_rsync_server_packets($1)
corenet_receive_rsync_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rsync_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl
corenet_dontaudit_send_rsync_server_packets($1)
corenet_dontaudit_receive_rsync_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rsync_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_server_packets'($*)) dnl
gen_require(`
type rsync_server_packet_t;
')
allow $1 rsync_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rtp_media port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
allow $1 rtp_media_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtp_media_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rtp_media port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
allow $1 rtp_media_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtp_media_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rtp_media port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
dontaudit $1 rtp_media_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtp_media_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rtp_media port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
allow $1 rtp_media_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtp_media_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rtp_media port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
dontaudit $1 rtp_media_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtp_media_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rtp_media port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtp_media_port'($*)) dnl
corenet_udp_send_rtp_media_port($1)
corenet_udp_receive_rtp_media_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtp_media_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rtp_media port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtp_media_port'($*)) dnl
corenet_dontaudit_udp_send_rtp_media_port($1)
corenet_dontaudit_udp_receive_rtp_media_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtp_media_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rtp_media port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
allow $1 rtp_media_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtp_media_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rtp_media port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
allow $1 rtp_media_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtp_media_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rtp_media port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
dontaudit $1 rtp_media_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rtp_media_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rtp_media port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
allow $1 rtp_media_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtp_media_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rtp_media port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rtp_media_port'($*)) dnl
gen_require(`
type rtp_media_port_t;
')
dontaudit $1 rtp_media_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rtp_media_port'($*)) dnl
')
########################################
##
## Send rtp_media_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtp_media_client_packets'($*)) dnl
gen_require(`
type rtp_media_client_packet_t;
')
allow $1 rtp_media_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rtp_media_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtp_media_client_packets'($*)) dnl
gen_require(`
type rtp_media_client_packet_t;
')
dontaudit $1 rtp_media_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Receive rtp_media_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtp_media_client_packets'($*)) dnl
gen_require(`
type rtp_media_client_packet_t;
')
allow $1 rtp_media_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rtp_media_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtp_media_client_packets'($*)) dnl
gen_require(`
type rtp_media_client_packet_t;
')
dontaudit $1 rtp_media_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Send and receive rtp_media_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtp_media_client_packets'($*)) dnl
corenet_send_rtp_media_client_packets($1)
corenet_receive_rtp_media_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rtp_media_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtp_media_client_packets'($*)) dnl
corenet_dontaudit_send_rtp_media_client_packets($1)
corenet_dontaudit_receive_rtp_media_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rtp_media_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rtp_media_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtp_media_client_packets'($*)) dnl
gen_require(`
type rtp_media_client_packet_t;
')
allow $1 rtp_media_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtp_media_client_packets'($*)) dnl
')
########################################
##
## Send rtp_media_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtp_media_server_packets'($*)) dnl
gen_require(`
type rtp_media_server_packet_t;
')
allow $1 rtp_media_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rtp_media_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtp_media_server_packets'($*)) dnl
gen_require(`
type rtp_media_server_packet_t;
')
dontaudit $1 rtp_media_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Receive rtp_media_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtp_media_server_packets'($*)) dnl
gen_require(`
type rtp_media_server_packet_t;
')
allow $1 rtp_media_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rtp_media_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtp_media_server_packets'($*)) dnl
gen_require(`
type rtp_media_server_packet_t;
')
dontaudit $1 rtp_media_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Send and receive rtp_media_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtp_media_server_packets'($*)) dnl
corenet_send_rtp_media_server_packets($1)
corenet_receive_rtp_media_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rtp_media_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtp_media_server_packets'($*)) dnl
corenet_dontaudit_send_rtp_media_server_packets($1)
corenet_dontaudit_receive_rtp_media_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rtp_media_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rtp_media_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtp_media_server_packets'($*)) dnl
gen_require(`
type rtp_media_server_packet_t;
')
allow $1 rtp_media_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtp_media_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rtsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
allow $1 rtsp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtsp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rtsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
allow $1 rtsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rtsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
dontaudit $1 rtsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtsp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rtsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
allow $1 rtsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rtsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
dontaudit $1 rtsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtsp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rtsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtsp_port'($*)) dnl
corenet_udp_send_rtsp_port($1)
corenet_udp_receive_rtsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rtsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtsp_port'($*)) dnl
corenet_dontaudit_udp_send_rtsp_port($1)
corenet_dontaudit_udp_receive_rtsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtsp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rtsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
allow $1 rtsp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtsp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rtsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
allow $1 rtsp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rtsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
dontaudit $1 rtsp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rtsp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rtsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
allow $1 rtsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rtsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rtsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rtsp_port'($*)) dnl
gen_require(`
type rtsp_port_t;
')
dontaudit $1 rtsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rtsp_port'($*)) dnl
')
########################################
##
## Send rtsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtsp_client_packets'($*)) dnl
gen_require(`
type rtsp_client_packet_t;
')
allow $1 rtsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rtsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsp_client_packets'($*)) dnl
gen_require(`
type rtsp_client_packet_t;
')
dontaudit $1 rtsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsp_client_packets'($*)) dnl
')
########################################
##
## Receive rtsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsp_client_packets'($*)) dnl
gen_require(`
type rtsp_client_packet_t;
')
allow $1 rtsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rtsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsp_client_packets'($*)) dnl
gen_require(`
type rtsp_client_packet_t;
')
dontaudit $1 rtsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsp_client_packets'($*)) dnl
')
########################################
##
## Send and receive rtsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsp_client_packets'($*)) dnl
corenet_send_rtsp_client_packets($1)
corenet_receive_rtsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rtsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsp_client_packets'($*)) dnl
corenet_dontaudit_send_rtsp_client_packets($1)
corenet_dontaudit_receive_rtsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rtsp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rtsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsp_client_packets'($*)) dnl
gen_require(`
type rtsp_client_packet_t;
')
allow $1 rtsp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsp_client_packets'($*)) dnl
')
########################################
##
## Send rtsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtsp_server_packets'($*)) dnl
gen_require(`
type rtsp_server_packet_t;
')
allow $1 rtsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rtsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsp_server_packets'($*)) dnl
gen_require(`
type rtsp_server_packet_t;
')
dontaudit $1 rtsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsp_server_packets'($*)) dnl
')
########################################
##
## Receive rtsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsp_server_packets'($*)) dnl
gen_require(`
type rtsp_server_packet_t;
')
allow $1 rtsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rtsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsp_server_packets'($*)) dnl
gen_require(`
type rtsp_server_packet_t;
')
dontaudit $1 rtsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive rtsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsp_server_packets'($*)) dnl
corenet_send_rtsp_server_packets($1)
corenet_receive_rtsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rtsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsp_server_packets'($*)) dnl
corenet_dontaudit_send_rtsp_server_packets($1)
corenet_dontaudit_receive_rtsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rtsp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rtsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsp_server_packets'($*)) dnl
gen_require(`
type rtsp_server_packet_t;
')
allow $1 rtsp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the rwho port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
allow $1 rwho_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rwho_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the rwho port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
allow $1 rwho_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rwho_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the rwho port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
dontaudit $1 rwho_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rwho_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the rwho port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
allow $1 rwho_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rwho_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the rwho port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
dontaudit $1 rwho_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rwho_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the rwho port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rwho_port'($*)) dnl
corenet_udp_send_rwho_port($1)
corenet_udp_receive_rwho_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rwho_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the rwho port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rwho_port'($*)) dnl
corenet_dontaudit_udp_send_rwho_port($1)
corenet_dontaudit_udp_receive_rwho_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rwho_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the rwho port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
allow $1 rwho_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rwho_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the rwho port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
allow $1 rwho_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rwho_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to rwho port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
dontaudit $1 rwho_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rwho_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the rwho port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
allow $1 rwho_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rwho_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to rwho port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rwho_port'($*)) dnl
gen_require(`
type rwho_port_t;
')
dontaudit $1 rwho_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rwho_port'($*)) dnl
')
########################################
##
## Send rwho_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rwho_client_packets'($*)) dnl
gen_require(`
type rwho_client_packet_t;
')
allow $1 rwho_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rwho_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rwho_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rwho_client_packets'($*)) dnl
gen_require(`
type rwho_client_packet_t;
')
dontaudit $1 rwho_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rwho_client_packets'($*)) dnl
')
########################################
##
## Receive rwho_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rwho_client_packets'($*)) dnl
gen_require(`
type rwho_client_packet_t;
')
allow $1 rwho_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rwho_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rwho_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rwho_client_packets'($*)) dnl
gen_require(`
type rwho_client_packet_t;
')
dontaudit $1 rwho_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rwho_client_packets'($*)) dnl
')
########################################
##
## Send and receive rwho_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rwho_client_packets'($*)) dnl
corenet_send_rwho_client_packets($1)
corenet_receive_rwho_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rwho_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rwho_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rwho_client_packets'($*)) dnl
corenet_dontaudit_send_rwho_client_packets($1)
corenet_dontaudit_receive_rwho_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rwho_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to rwho_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rwho_client_packets'($*)) dnl
gen_require(`
type rwho_client_packet_t;
')
allow $1 rwho_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rwho_client_packets'($*)) dnl
')
########################################
##
## Send rwho_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rwho_server_packets'($*)) dnl
gen_require(`
type rwho_server_packet_t;
')
allow $1 rwho_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rwho_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send rwho_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rwho_server_packets'($*)) dnl
gen_require(`
type rwho_server_packet_t;
')
dontaudit $1 rwho_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rwho_server_packets'($*)) dnl
')
########################################
##
## Receive rwho_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rwho_server_packets'($*)) dnl
gen_require(`
type rwho_server_packet_t;
')
allow $1 rwho_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rwho_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive rwho_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rwho_server_packets'($*)) dnl
gen_require(`
type rwho_server_packet_t;
')
dontaudit $1 rwho_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rwho_server_packets'($*)) dnl
')
########################################
##
## Send and receive rwho_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rwho_server_packets'($*)) dnl
corenet_send_rwho_server_packets($1)
corenet_receive_rwho_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rwho_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive rwho_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rwho_server_packets'($*)) dnl
corenet_dontaudit_send_rwho_server_packets($1)
corenet_dontaudit_receive_rwho_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rwho_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to rwho_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rwho_server_packets'($*)) dnl
gen_require(`
type rwho_server_packet_t;
')
allow $1 rwho_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rwho_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the salt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
allow $1 salt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_salt_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the salt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
allow $1 salt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_salt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the salt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
dontaudit $1 salt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_salt_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the salt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
allow $1 salt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_salt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the salt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
dontaudit $1 salt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_salt_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the salt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_salt_port'($*)) dnl
corenet_udp_send_salt_port($1)
corenet_udp_receive_salt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_salt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the salt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_salt_port'($*)) dnl
corenet_dontaudit_udp_send_salt_port($1)
corenet_dontaudit_udp_receive_salt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_salt_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the salt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
allow $1 salt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_salt_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the salt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
allow $1 salt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_salt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to salt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
dontaudit $1 salt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_salt_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the salt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
allow $1 salt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_salt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to salt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_salt_port'($*)) dnl
gen_require(`
type salt_port_t;
')
dontaudit $1 salt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_salt_port'($*)) dnl
')
########################################
##
## Send salt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_salt_client_packets'($*)) dnl
gen_require(`
type salt_client_packet_t;
')
allow $1 salt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_salt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send salt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_salt_client_packets'($*)) dnl
gen_require(`
type salt_client_packet_t;
')
dontaudit $1 salt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_salt_client_packets'($*)) dnl
')
########################################
##
## Receive salt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_salt_client_packets'($*)) dnl
gen_require(`
type salt_client_packet_t;
')
allow $1 salt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_salt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive salt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_salt_client_packets'($*)) dnl
gen_require(`
type salt_client_packet_t;
')
dontaudit $1 salt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_salt_client_packets'($*)) dnl
')
########################################
##
## Send and receive salt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_salt_client_packets'($*)) dnl
corenet_send_salt_client_packets($1)
corenet_receive_salt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_salt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive salt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_salt_client_packets'($*)) dnl
corenet_dontaudit_send_salt_client_packets($1)
corenet_dontaudit_receive_salt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_salt_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to salt_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_salt_client_packets'($*)) dnl
gen_require(`
type salt_client_packet_t;
')
allow $1 salt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_salt_client_packets'($*)) dnl
')
########################################
##
## Send salt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_salt_server_packets'($*)) dnl
gen_require(`
type salt_server_packet_t;
')
allow $1 salt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_salt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send salt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_salt_server_packets'($*)) dnl
gen_require(`
type salt_server_packet_t;
')
dontaudit $1 salt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_salt_server_packets'($*)) dnl
')
########################################
##
## Receive salt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_salt_server_packets'($*)) dnl
gen_require(`
type salt_server_packet_t;
')
allow $1 salt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_salt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive salt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_salt_server_packets'($*)) dnl
gen_require(`
type salt_server_packet_t;
')
dontaudit $1 salt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_salt_server_packets'($*)) dnl
')
########################################
##
## Send and receive salt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_salt_server_packets'($*)) dnl
corenet_send_salt_server_packets($1)
corenet_receive_salt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_salt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive salt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_salt_server_packets'($*)) dnl
corenet_dontaudit_send_salt_server_packets($1)
corenet_dontaudit_receive_salt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_salt_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to salt_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_salt_server_packets'($*)) dnl
gen_require(`
type salt_server_packet_t;
')
allow $1 salt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_salt_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the sap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
allow $1 sap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the sap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
allow $1 sap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the sap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
dontaudit $1 sap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the sap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
allow $1 sap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the sap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
dontaudit $1 sap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the sap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sap_port'($*)) dnl
corenet_udp_send_sap_port($1)
corenet_udp_receive_sap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the sap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sap_port'($*)) dnl
corenet_dontaudit_udp_send_sap_port($1)
corenet_dontaudit_udp_receive_sap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the sap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
allow $1 sap_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the sap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
allow $1 sap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to sap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
dontaudit $1 sap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the sap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
allow $1 sap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to sap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sap_port'($*)) dnl
gen_require(`
type sap_port_t;
')
dontaudit $1 sap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sap_port'($*)) dnl
')
########################################
##
## Send sap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sap_client_packets'($*)) dnl
gen_require(`
type sap_client_packet_t;
')
allow $1 sap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sap_client_packets'($*)) dnl
gen_require(`
type sap_client_packet_t;
')
dontaudit $1 sap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sap_client_packets'($*)) dnl
')
########################################
##
## Receive sap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sap_client_packets'($*)) dnl
gen_require(`
type sap_client_packet_t;
')
allow $1 sap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sap_client_packets'($*)) dnl
gen_require(`
type sap_client_packet_t;
')
dontaudit $1 sap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sap_client_packets'($*)) dnl
')
########################################
##
## Send and receive sap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sap_client_packets'($*)) dnl
corenet_send_sap_client_packets($1)
corenet_receive_sap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sap_client_packets'($*)) dnl
corenet_dontaudit_send_sap_client_packets($1)
corenet_dontaudit_receive_sap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to sap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sap_client_packets'($*)) dnl
gen_require(`
type sap_client_packet_t;
')
allow $1 sap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sap_client_packets'($*)) dnl
')
########################################
##
## Send sap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sap_server_packets'($*)) dnl
gen_require(`
type sap_server_packet_t;
')
allow $1 sap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sap_server_packets'($*)) dnl
gen_require(`
type sap_server_packet_t;
')
dontaudit $1 sap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sap_server_packets'($*)) dnl
')
########################################
##
## Receive sap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sap_server_packets'($*)) dnl
gen_require(`
type sap_server_packet_t;
')
allow $1 sap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sap_server_packets'($*)) dnl
gen_require(`
type sap_server_packet_t;
')
dontaudit $1 sap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sap_server_packets'($*)) dnl
')
########################################
##
## Send and receive sap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sap_server_packets'($*)) dnl
corenet_send_sap_server_packets($1)
corenet_receive_sap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sap_server_packets'($*)) dnl
corenet_dontaudit_send_sap_server_packets($1)
corenet_dontaudit_receive_sap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to sap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sap_server_packets'($*)) dnl
gen_require(`
type sap_server_packet_t;
')
allow $1 sap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
allow $1 saphostctrl_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_saphostctrl_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
allow $1 saphostctrl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_saphostctrl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the saphostctrl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
dontaudit $1 saphostctrl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_saphostctrl_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
allow $1 saphostctrl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_saphostctrl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the saphostctrl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
dontaudit $1 saphostctrl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_saphostctrl_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_saphostctrl_port'($*)) dnl
corenet_udp_send_saphostctrl_port($1)
corenet_udp_receive_saphostctrl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_saphostctrl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the saphostctrl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_saphostctrl_port'($*)) dnl
corenet_dontaudit_udp_send_saphostctrl_port($1)
corenet_dontaudit_udp_receive_saphostctrl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_saphostctrl_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
allow $1 saphostctrl_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_saphostctrl_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
allow $1 saphostctrl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_saphostctrl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to saphostctrl port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
dontaudit $1 saphostctrl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_saphostctrl_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the saphostctrl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
allow $1 saphostctrl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_saphostctrl_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to saphostctrl port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_saphostctrl_port'($*)) dnl
gen_require(`
type saphostctrl_port_t;
')
dontaudit $1 saphostctrl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_saphostctrl_port'($*)) dnl
')
########################################
##
## Send saphostctrl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_saphostctrl_client_packets'($*)) dnl
gen_require(`
type saphostctrl_client_packet_t;
')
allow $1 saphostctrl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send saphostctrl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_saphostctrl_client_packets'($*)) dnl
gen_require(`
type saphostctrl_client_packet_t;
')
dontaudit $1 saphostctrl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Receive saphostctrl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_saphostctrl_client_packets'($*)) dnl
gen_require(`
type saphostctrl_client_packet_t;
')
allow $1 saphostctrl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive saphostctrl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_saphostctrl_client_packets'($*)) dnl
gen_require(`
type saphostctrl_client_packet_t;
')
dontaudit $1 saphostctrl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Send and receive saphostctrl_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_saphostctrl_client_packets'($*)) dnl
corenet_send_saphostctrl_client_packets($1)
corenet_receive_saphostctrl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive saphostctrl_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_saphostctrl_client_packets'($*)) dnl
corenet_dontaudit_send_saphostctrl_client_packets($1)
corenet_dontaudit_receive_saphostctrl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to saphostctrl_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_saphostctrl_client_packets'($*)) dnl
gen_require(`
type saphostctrl_client_packet_t;
')
allow $1 saphostctrl_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_saphostctrl_client_packets'($*)) dnl
')
########################################
##
## Send saphostctrl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_saphostctrl_server_packets'($*)) dnl
gen_require(`
type saphostctrl_server_packet_t;
')
allow $1 saphostctrl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send saphostctrl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_saphostctrl_server_packets'($*)) dnl
gen_require(`
type saphostctrl_server_packet_t;
')
dontaudit $1 saphostctrl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Receive saphostctrl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_saphostctrl_server_packets'($*)) dnl
gen_require(`
type saphostctrl_server_packet_t;
')
allow $1 saphostctrl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive saphostctrl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_saphostctrl_server_packets'($*)) dnl
gen_require(`
type saphostctrl_server_packet_t;
')
dontaudit $1 saphostctrl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Send and receive saphostctrl_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_saphostctrl_server_packets'($*)) dnl
corenet_send_saphostctrl_server_packets($1)
corenet_receive_saphostctrl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive saphostctrl_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_saphostctrl_server_packets'($*)) dnl
corenet_dontaudit_send_saphostctrl_server_packets($1)
corenet_dontaudit_receive_saphostctrl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to saphostctrl_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_saphostctrl_server_packets'($*)) dnl
gen_require(`
type saphostctrl_server_packet_t;
')
allow $1 saphostctrl_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_saphostctrl_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
allow $1 servistaitsm_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_servistaitsm_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
allow $1 servistaitsm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_servistaitsm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the servistaitsm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
dontaudit $1 servistaitsm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_servistaitsm_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
allow $1 servistaitsm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_servistaitsm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the servistaitsm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
dontaudit $1 servistaitsm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_servistaitsm_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_servistaitsm_port'($*)) dnl
corenet_udp_send_servistaitsm_port($1)
corenet_udp_receive_servistaitsm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_servistaitsm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the servistaitsm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_servistaitsm_port'($*)) dnl
corenet_dontaudit_udp_send_servistaitsm_port($1)
corenet_dontaudit_udp_receive_servistaitsm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_servistaitsm_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
allow $1 servistaitsm_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_servistaitsm_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
allow $1 servistaitsm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_servistaitsm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to servistaitsm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
dontaudit $1 servistaitsm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_servistaitsm_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the servistaitsm port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
allow $1 servistaitsm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_servistaitsm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to servistaitsm port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_servistaitsm_port'($*)) dnl
gen_require(`
type servistaitsm_port_t;
')
dontaudit $1 servistaitsm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_servistaitsm_port'($*)) dnl
')
########################################
##
## Send servistaitsm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_servistaitsm_client_packets'($*)) dnl
gen_require(`
type servistaitsm_client_packet_t;
')
allow $1 servistaitsm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send servistaitsm_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_servistaitsm_client_packets'($*)) dnl
gen_require(`
type servistaitsm_client_packet_t;
')
dontaudit $1 servistaitsm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Receive servistaitsm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_servistaitsm_client_packets'($*)) dnl
gen_require(`
type servistaitsm_client_packet_t;
')
allow $1 servistaitsm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive servistaitsm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_servistaitsm_client_packets'($*)) dnl
gen_require(`
type servistaitsm_client_packet_t;
')
dontaudit $1 servistaitsm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Send and receive servistaitsm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_servistaitsm_client_packets'($*)) dnl
corenet_send_servistaitsm_client_packets($1)
corenet_receive_servistaitsm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive servistaitsm_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_servistaitsm_client_packets'($*)) dnl
corenet_dontaudit_send_servistaitsm_client_packets($1)
corenet_dontaudit_receive_servistaitsm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to servistaitsm_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_servistaitsm_client_packets'($*)) dnl
gen_require(`
type servistaitsm_client_packet_t;
')
allow $1 servistaitsm_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_servistaitsm_client_packets'($*)) dnl
')
########################################
##
## Send servistaitsm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_servistaitsm_server_packets'($*)) dnl
gen_require(`
type servistaitsm_server_packet_t;
')
allow $1 servistaitsm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send servistaitsm_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_servistaitsm_server_packets'($*)) dnl
gen_require(`
type servistaitsm_server_packet_t;
')
dontaudit $1 servistaitsm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Receive servistaitsm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_servistaitsm_server_packets'($*)) dnl
gen_require(`
type servistaitsm_server_packet_t;
')
allow $1 servistaitsm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive servistaitsm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_servistaitsm_server_packets'($*)) dnl
gen_require(`
type servistaitsm_server_packet_t;
')
dontaudit $1 servistaitsm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Send and receive servistaitsm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_servistaitsm_server_packets'($*)) dnl
corenet_send_servistaitsm_server_packets($1)
corenet_receive_servistaitsm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive servistaitsm_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_servistaitsm_server_packets'($*)) dnl
corenet_dontaudit_send_servistaitsm_server_packets($1)
corenet_dontaudit_receive_servistaitsm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to servistaitsm_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_servistaitsm_server_packets'($*)) dnl
gen_require(`
type servistaitsm_server_packet_t;
')
allow $1 servistaitsm_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_servistaitsm_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the sge port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
allow $1 sge_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sge_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the sge port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
allow $1 sge_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sge_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the sge port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
dontaudit $1 sge_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sge_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the sge port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
allow $1 sge_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sge_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the sge port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
dontaudit $1 sge_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sge_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the sge port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sge_port'($*)) dnl
corenet_udp_send_sge_port($1)
corenet_udp_receive_sge_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sge_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the sge port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sge_port'($*)) dnl
corenet_dontaudit_udp_send_sge_port($1)
corenet_dontaudit_udp_receive_sge_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sge_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the sge port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
allow $1 sge_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sge_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the sge port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
allow $1 sge_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sge_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to sge port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
dontaudit $1 sge_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sge_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the sge port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
allow $1 sge_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sge_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to sge port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_sge_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sge_port'($*)) dnl
gen_require(`
type sge_port_t;
')
dontaudit $1 sge_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sge_port'($*)) dnl
')
########################################
##
## Send sge_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sge_client_packets'($*)) dnl
gen_require(`
type sge_client_packet_t;
')
allow $1 sge_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sge_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sge_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sge_client_packets'($*)) dnl
gen_require(`
type sge_client_packet_t;
')
dontaudit $1 sge_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sge_client_packets'($*)) dnl
')
########################################
##
## Receive sge_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sge_client_packets'($*)) dnl
gen_require(`
type sge_client_packet_t;
')
allow $1 sge_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sge_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sge_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sge_client_packets'($*)) dnl
gen_require(`
type sge_client_packet_t;
')
dontaudit $1 sge_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sge_client_packets'($*)) dnl
')
########################################
##
## Send and receive sge_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sge_client_packets'($*)) dnl
corenet_send_sge_client_packets($1)
corenet_receive_sge_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sge_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sge_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sge_client_packets'($*)) dnl
corenet_dontaudit_send_sge_client_packets($1)
corenet_dontaudit_receive_sge_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sge_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to sge_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sge_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sge_client_packets'($*)) dnl
gen_require(`
type sge_client_packet_t;
')
allow $1 sge_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sge_client_packets'($*)) dnl
')
########################################
##
## Send sge_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sge_server_packets'($*)) dnl
gen_require(`
type sge_server_packet_t;
')
allow $1 sge_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sge_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sge_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sge_server_packets'($*)) dnl
gen_require(`
type sge_server_packet_t;
')
dontaudit $1 sge_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sge_server_packets'($*)) dnl
')
########################################
##
## Receive sge_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sge_server_packets'($*)) dnl
gen_require(`
type sge_server_packet_t;
')
allow $1 sge_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sge_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sge_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sge_server_packets'($*)) dnl
gen_require(`
type sge_server_packet_t;
')
dontaudit $1 sge_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sge_server_packets'($*)) dnl
')
########################################
##
## Send and receive sge_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sge_server_packets'($*)) dnl
corenet_send_sge_server_packets($1)
corenet_receive_sge_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sge_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sge_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sge_server_packets'($*)) dnl
corenet_dontaudit_send_sge_server_packets($1)
corenet_dontaudit_receive_sge_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sge_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to sge_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sge_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sge_server_packets'($*)) dnl
gen_require(`
type sge_server_packet_t;
')
allow $1 sge_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sge_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
allow $1 shellinaboxd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_shellinaboxd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
allow $1 shellinaboxd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_shellinaboxd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the shellinaboxd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
dontaudit $1 shellinaboxd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_shellinaboxd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
allow $1 shellinaboxd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_shellinaboxd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the shellinaboxd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
dontaudit $1 shellinaboxd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_shellinaboxd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_shellinaboxd_port'($*)) dnl
corenet_udp_send_shellinaboxd_port($1)
corenet_udp_receive_shellinaboxd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_shellinaboxd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the shellinaboxd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_shellinaboxd_port'($*)) dnl
corenet_dontaudit_udp_send_shellinaboxd_port($1)
corenet_dontaudit_udp_receive_shellinaboxd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_shellinaboxd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
allow $1 shellinaboxd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_shellinaboxd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
allow $1 shellinaboxd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_shellinaboxd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to shellinaboxd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
dontaudit $1 shellinaboxd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_shellinaboxd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
allow $1 shellinaboxd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_shellinaboxd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to shellinaboxd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_shellinaboxd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_shellinaboxd_port'($*)) dnl
gen_require(`
type shellinaboxd_port_t;
')
dontaudit $1 shellinaboxd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_shellinaboxd_port'($*)) dnl
')
########################################
##
## Send shellinaboxd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_shellinaboxd_client_packets'($*)) dnl
gen_require(`
type shellinaboxd_client_packet_t;
')
allow $1 shellinaboxd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send shellinaboxd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_shellinaboxd_client_packets'($*)) dnl
gen_require(`
type shellinaboxd_client_packet_t;
')
dontaudit $1 shellinaboxd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Receive shellinaboxd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_shellinaboxd_client_packets'($*)) dnl
gen_require(`
type shellinaboxd_client_packet_t;
')
allow $1 shellinaboxd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive shellinaboxd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_shellinaboxd_client_packets'($*)) dnl
gen_require(`
type shellinaboxd_client_packet_t;
')
dontaudit $1 shellinaboxd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Send and receive shellinaboxd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_shellinaboxd_client_packets'($*)) dnl
corenet_send_shellinaboxd_client_packets($1)
corenet_receive_shellinaboxd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive shellinaboxd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_shellinaboxd_client_packets'($*)) dnl
corenet_dontaudit_send_shellinaboxd_client_packets($1)
corenet_dontaudit_receive_shellinaboxd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to shellinaboxd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_shellinaboxd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_shellinaboxd_client_packets'($*)) dnl
gen_require(`
type shellinaboxd_client_packet_t;
')
allow $1 shellinaboxd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_shellinaboxd_client_packets'($*)) dnl
')
########################################
##
## Send shellinaboxd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_shellinaboxd_server_packets'($*)) dnl
gen_require(`
type shellinaboxd_server_packet_t;
')
allow $1 shellinaboxd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send shellinaboxd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_shellinaboxd_server_packets'($*)) dnl
gen_require(`
type shellinaboxd_server_packet_t;
')
dontaudit $1 shellinaboxd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Receive shellinaboxd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_shellinaboxd_server_packets'($*)) dnl
gen_require(`
type shellinaboxd_server_packet_t;
')
allow $1 shellinaboxd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive shellinaboxd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_shellinaboxd_server_packets'($*)) dnl
gen_require(`
type shellinaboxd_server_packet_t;
')
dontaudit $1 shellinaboxd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Send and receive shellinaboxd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_shellinaboxd_server_packets'($*)) dnl
corenet_send_shellinaboxd_server_packets($1)
corenet_receive_shellinaboxd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive shellinaboxd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_shellinaboxd_server_packets'($*)) dnl
corenet_dontaudit_send_shellinaboxd_server_packets($1)
corenet_dontaudit_receive_shellinaboxd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to shellinaboxd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_shellinaboxd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_shellinaboxd_server_packets'($*)) dnl
gen_require(`
type shellinaboxd_server_packet_t;
')
allow $1 shellinaboxd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_shellinaboxd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the sieve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
allow $1 sieve_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sieve_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the sieve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
allow $1 sieve_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sieve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the sieve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
dontaudit $1 sieve_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sieve_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the sieve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
allow $1 sieve_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sieve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the sieve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
dontaudit $1 sieve_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sieve_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the sieve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sieve_port'($*)) dnl
corenet_udp_send_sieve_port($1)
corenet_udp_receive_sieve_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sieve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the sieve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sieve_port'($*)) dnl
corenet_dontaudit_udp_send_sieve_port($1)
corenet_dontaudit_udp_receive_sieve_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sieve_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the sieve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
allow $1 sieve_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sieve_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the sieve port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
allow $1 sieve_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sieve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to sieve port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
dontaudit $1 sieve_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sieve_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the sieve port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
allow $1 sieve_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sieve_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to sieve port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_sieve_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sieve_port'($*)) dnl
gen_require(`
type sieve_port_t;
')
dontaudit $1 sieve_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sieve_port'($*)) dnl
')
########################################
##
## Send sieve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sieve_client_packets'($*)) dnl
gen_require(`
type sieve_client_packet_t;
')
allow $1 sieve_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sieve_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sieve_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sieve_client_packets'($*)) dnl
gen_require(`
type sieve_client_packet_t;
')
dontaudit $1 sieve_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sieve_client_packets'($*)) dnl
')
########################################
##
## Receive sieve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sieve_client_packets'($*)) dnl
gen_require(`
type sieve_client_packet_t;
')
allow $1 sieve_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sieve_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sieve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sieve_client_packets'($*)) dnl
gen_require(`
type sieve_client_packet_t;
')
dontaudit $1 sieve_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sieve_client_packets'($*)) dnl
')
########################################
##
## Send and receive sieve_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sieve_client_packets'($*)) dnl
corenet_send_sieve_client_packets($1)
corenet_receive_sieve_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sieve_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sieve_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sieve_client_packets'($*)) dnl
corenet_dontaudit_send_sieve_client_packets($1)
corenet_dontaudit_receive_sieve_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sieve_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to sieve_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sieve_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sieve_client_packets'($*)) dnl
gen_require(`
type sieve_client_packet_t;
')
allow $1 sieve_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sieve_client_packets'($*)) dnl
')
########################################
##
## Send sieve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sieve_server_packets'($*)) dnl
gen_require(`
type sieve_server_packet_t;
')
allow $1 sieve_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sieve_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sieve_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sieve_server_packets'($*)) dnl
gen_require(`
type sieve_server_packet_t;
')
dontaudit $1 sieve_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sieve_server_packets'($*)) dnl
')
########################################
##
## Receive sieve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sieve_server_packets'($*)) dnl
gen_require(`
type sieve_server_packet_t;
')
allow $1 sieve_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sieve_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sieve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sieve_server_packets'($*)) dnl
gen_require(`
type sieve_server_packet_t;
')
dontaudit $1 sieve_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sieve_server_packets'($*)) dnl
')
########################################
##
## Send and receive sieve_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sieve_server_packets'($*)) dnl
corenet_send_sieve_server_packets($1)
corenet_receive_sieve_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sieve_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sieve_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sieve_server_packets'($*)) dnl
corenet_dontaudit_send_sieve_server_packets($1)
corenet_dontaudit_receive_sieve_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sieve_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to sieve_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sieve_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sieve_server_packets'($*)) dnl
gen_require(`
type sieve_server_packet_t;
')
allow $1 sieve_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sieve_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the sip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
allow $1 sip_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sip_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the sip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
allow $1 sip_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the sip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
dontaudit $1 sip_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sip_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the sip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
allow $1 sip_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the sip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
dontaudit $1 sip_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sip_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the sip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sip_port'($*)) dnl
corenet_udp_send_sip_port($1)
corenet_udp_receive_sip_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the sip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sip_port'($*)) dnl
corenet_dontaudit_udp_send_sip_port($1)
corenet_dontaudit_udp_receive_sip_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sip_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the sip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
allow $1 sip_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sip_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the sip port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
allow $1 sip_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to sip port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
dontaudit $1 sip_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sip_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the sip port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
allow $1 sip_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sip_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to sip port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_sip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sip_port'($*)) dnl
gen_require(`
type sip_port_t;
')
dontaudit $1 sip_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sip_port'($*)) dnl
')
########################################
##
## Send sip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sip_client_packets'($*)) dnl
gen_require(`
type sip_client_packet_t;
')
allow $1 sip_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sip_client_packets'($*)) dnl
gen_require(`
type sip_client_packet_t;
')
dontaudit $1 sip_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sip_client_packets'($*)) dnl
')
########################################
##
## Receive sip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sip_client_packets'($*)) dnl
gen_require(`
type sip_client_packet_t;
')
allow $1 sip_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sip_client_packets'($*)) dnl
gen_require(`
type sip_client_packet_t;
')
dontaudit $1 sip_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sip_client_packets'($*)) dnl
')
########################################
##
## Send and receive sip_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sip_client_packets'($*)) dnl
corenet_send_sip_client_packets($1)
corenet_receive_sip_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sip_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sip_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sip_client_packets'($*)) dnl
corenet_dontaudit_send_sip_client_packets($1)
corenet_dontaudit_receive_sip_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sip_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to sip_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sip_client_packets'($*)) dnl
gen_require(`
type sip_client_packet_t;
')
allow $1 sip_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sip_client_packets'($*)) dnl
')
########################################
##
## Send sip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sip_server_packets'($*)) dnl
gen_require(`
type sip_server_packet_t;
')
allow $1 sip_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sip_server_packets'($*)) dnl
gen_require(`
type sip_server_packet_t;
')
dontaudit $1 sip_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sip_server_packets'($*)) dnl
')
########################################
##
## Receive sip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sip_server_packets'($*)) dnl
gen_require(`
type sip_server_packet_t;
')
allow $1 sip_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sip_server_packets'($*)) dnl
gen_require(`
type sip_server_packet_t;
')
dontaudit $1 sip_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sip_server_packets'($*)) dnl
')
########################################
##
## Send and receive sip_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sip_server_packets'($*)) dnl
corenet_send_sip_server_packets($1)
corenet_receive_sip_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sip_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sip_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sip_server_packets'($*)) dnl
corenet_dontaudit_send_sip_server_packets($1)
corenet_dontaudit_receive_sip_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sip_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to sip_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sip_server_packets'($*)) dnl
gen_require(`
type sip_server_packet_t;
')
allow $1 sip_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sip_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
allow $1 sixxsconfig_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sixxsconfig_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
allow $1 sixxsconfig_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sixxsconfig_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the sixxsconfig port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
dontaudit $1 sixxsconfig_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sixxsconfig_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
allow $1 sixxsconfig_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sixxsconfig_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the sixxsconfig port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
dontaudit $1 sixxsconfig_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sixxsconfig_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sixxsconfig_port'($*)) dnl
corenet_udp_send_sixxsconfig_port($1)
corenet_udp_receive_sixxsconfig_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sixxsconfig_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the sixxsconfig port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sixxsconfig_port'($*)) dnl
corenet_dontaudit_udp_send_sixxsconfig_port($1)
corenet_dontaudit_udp_receive_sixxsconfig_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sixxsconfig_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
allow $1 sixxsconfig_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sixxsconfig_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
allow $1 sixxsconfig_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sixxsconfig_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to sixxsconfig port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
dontaudit $1 sixxsconfig_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sixxsconfig_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
allow $1 sixxsconfig_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sixxsconfig_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to sixxsconfig port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sixxsconfig_port'($*)) dnl
gen_require(`
type sixxsconfig_port_t;
')
dontaudit $1 sixxsconfig_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sixxsconfig_port'($*)) dnl
')
########################################
##
## Send sixxsconfig_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sixxsconfig_client_packets'($*)) dnl
gen_require(`
type sixxsconfig_client_packet_t;
')
allow $1 sixxsconfig_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sixxsconfig_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sixxsconfig_client_packets'($*)) dnl
gen_require(`
type sixxsconfig_client_packet_t;
')
dontaudit $1 sixxsconfig_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Receive sixxsconfig_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sixxsconfig_client_packets'($*)) dnl
gen_require(`
type sixxsconfig_client_packet_t;
')
allow $1 sixxsconfig_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sixxsconfig_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sixxsconfig_client_packets'($*)) dnl
gen_require(`
type sixxsconfig_client_packet_t;
')
dontaudit $1 sixxsconfig_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Send and receive sixxsconfig_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sixxsconfig_client_packets'($*)) dnl
corenet_send_sixxsconfig_client_packets($1)
corenet_receive_sixxsconfig_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sixxsconfig_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sixxsconfig_client_packets'($*)) dnl
corenet_dontaudit_send_sixxsconfig_client_packets($1)
corenet_dontaudit_receive_sixxsconfig_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to sixxsconfig_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sixxsconfig_client_packets'($*)) dnl
gen_require(`
type sixxsconfig_client_packet_t;
')
allow $1 sixxsconfig_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sixxsconfig_client_packets'($*)) dnl
')
########################################
##
## Send sixxsconfig_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sixxsconfig_server_packets'($*)) dnl
gen_require(`
type sixxsconfig_server_packet_t;
')
allow $1 sixxsconfig_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sixxsconfig_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sixxsconfig_server_packets'($*)) dnl
gen_require(`
type sixxsconfig_server_packet_t;
')
dontaudit $1 sixxsconfig_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Receive sixxsconfig_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sixxsconfig_server_packets'($*)) dnl
gen_require(`
type sixxsconfig_server_packet_t;
')
allow $1 sixxsconfig_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sixxsconfig_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sixxsconfig_server_packets'($*)) dnl
gen_require(`
type sixxsconfig_server_packet_t;
')
dontaudit $1 sixxsconfig_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Send and receive sixxsconfig_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sixxsconfig_server_packets'($*)) dnl
corenet_send_sixxsconfig_server_packets($1)
corenet_receive_sixxsconfig_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sixxsconfig_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sixxsconfig_server_packets'($*)) dnl
corenet_dontaudit_send_sixxsconfig_server_packets($1)
corenet_dontaudit_receive_sixxsconfig_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to sixxsconfig_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sixxsconfig_server_packets'($*)) dnl
gen_require(`
type sixxsconfig_server_packet_t;
')
allow $1 sixxsconfig_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sixxsconfig_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
allow $1 smbd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smbd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
allow $1 smbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
dontaudit $1 smbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smbd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
allow $1 smbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
dontaudit $1 smbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smbd_port'($*)) dnl
corenet_udp_send_smbd_port($1)
corenet_udp_receive_smbd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl
corenet_dontaudit_udp_send_smbd_port($1)
corenet_dontaudit_udp_receive_smbd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
allow $1 smbd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smbd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the smbd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
allow $1 smbd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to smbd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
dontaudit $1 smbd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_smbd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the smbd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
allow $1 smbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smbd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to smbd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_smbd_port'($*)) dnl
gen_require(`
type smbd_port_t;
')
dontaudit $1 smbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_smbd_port'($*)) dnl
')
########################################
##
## Send smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
allow $1 smbd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
dontaudit $1 smbd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_client_packets'($*)) dnl
')
########################################
##
## Receive smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
allow $1 smbd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
dontaudit $1 smbd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl
')
########################################
##
## Send and receive smbd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_client_packets'($*)) dnl
corenet_send_smbd_client_packets($1)
corenet_receive_smbd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smbd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl
corenet_dontaudit_send_smbd_client_packets($1)
corenet_dontaudit_receive_smbd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to smbd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_client_packets'($*)) dnl
gen_require(`
type smbd_client_packet_t;
')
allow $1 smbd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_client_packets'($*)) dnl
')
########################################
##
## Send smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
allow $1 smbd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
dontaudit $1 smbd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_server_packets'($*)) dnl
')
########################################
##
## Receive smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
allow $1 smbd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
dontaudit $1 smbd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive smbd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_server_packets'($*)) dnl
corenet_send_smbd_server_packets($1)
corenet_receive_smbd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smbd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl
corenet_dontaudit_send_smbd_server_packets($1)
corenet_dontaudit_receive_smbd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to smbd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_server_packets'($*)) dnl
gen_require(`
type smbd_server_packet_t;
')
allow $1 smbd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
allow $1 smtp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smtp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
allow $1 smtp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
dontaudit $1 smtp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smtp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
allow $1 smtp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
dontaudit $1 smtp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smtp_port'($*)) dnl
corenet_udp_send_smtp_port($1)
corenet_udp_receive_smtp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl
corenet_dontaudit_udp_send_smtp_port($1)
corenet_dontaudit_udp_receive_smtp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
allow $1 smtp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smtp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the smtp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
allow $1 smtp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to smtp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
dontaudit $1 smtp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_smtp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the smtp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
allow $1 smtp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smtp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to smtp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_smtp_port'($*)) dnl
gen_require(`
type smtp_port_t;
')
dontaudit $1 smtp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_smtp_port'($*)) dnl
')
########################################
##
## Send smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
allow $1 smtp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
dontaudit $1 smtp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_client_packets'($*)) dnl
')
########################################
##
## Receive smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
allow $1 smtp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
dontaudit $1 smtp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl
')
########################################
##
## Send and receive smtp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_client_packets'($*)) dnl
corenet_send_smtp_client_packets($1)
corenet_receive_smtp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smtp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl
corenet_dontaudit_send_smtp_client_packets($1)
corenet_dontaudit_receive_smtp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to smtp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_client_packets'($*)) dnl
gen_require(`
type smtp_client_packet_t;
')
allow $1 smtp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_client_packets'($*)) dnl
')
########################################
##
## Send smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
allow $1 smtp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
dontaudit $1 smtp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_server_packets'($*)) dnl
')
########################################
##
## Receive smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
allow $1 smtp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
dontaudit $1 smtp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive smtp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_server_packets'($*)) dnl
corenet_send_smtp_server_packets($1)
corenet_receive_smtp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smtp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl
corenet_dontaudit_send_smtp_server_packets($1)
corenet_dontaudit_receive_smtp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to smtp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smtp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_server_packets'($*)) dnl
gen_require(`
type smtp_server_packet_t;
')
allow $1 smtp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
allow $1 snmp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_snmp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
allow $1 snmp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
dontaudit $1 snmp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_snmp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
allow $1 snmp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
dontaudit $1 snmp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_snmp_port'($*)) dnl
corenet_udp_send_snmp_port($1)
corenet_udp_receive_snmp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl
corenet_dontaudit_udp_send_snmp_port($1)
corenet_dontaudit_udp_receive_snmp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
allow $1 snmp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_snmp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the snmp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
allow $1 snmp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to snmp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
dontaudit $1 snmp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_snmp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the snmp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
allow $1 snmp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_snmp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to snmp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_snmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_snmp_port'($*)) dnl
gen_require(`
type snmp_port_t;
')
dontaudit $1 snmp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_snmp_port'($*)) dnl
')
########################################
##
## Send snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
allow $1 snmp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_snmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send snmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
dontaudit $1 snmp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_client_packets'($*)) dnl
')
########################################
##
## Receive snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
allow $1 snmp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
dontaudit $1 snmp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl
')
########################################
##
## Send and receive snmp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_client_packets'($*)) dnl
corenet_send_snmp_client_packets($1)
corenet_receive_snmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive snmp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl
corenet_dontaudit_send_snmp_client_packets($1)
corenet_dontaudit_receive_snmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to snmp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_snmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_client_packets'($*)) dnl
gen_require(`
type snmp_client_packet_t;
')
allow $1 snmp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_client_packets'($*)) dnl
')
########################################
##
## Send snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
allow $1 snmp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_snmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send snmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
dontaudit $1 snmp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_server_packets'($*)) dnl
')
########################################
##
## Receive snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
allow $1 snmp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
dontaudit $1 snmp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive snmp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_server_packets'($*)) dnl
corenet_send_snmp_server_packets($1)
corenet_receive_snmp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive snmp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl
corenet_dontaudit_send_snmp_server_packets($1)
corenet_dontaudit_receive_snmp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to snmp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_snmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_server_packets'($*)) dnl
gen_require(`
type snmp_server_packet_t;
')
allow $1 snmp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
allow $1 smntubootstrap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smntubootstrap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
allow $1 smntubootstrap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smntubootstrap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the smntubootstrap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
dontaudit $1 smntubootstrap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smntubootstrap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
allow $1 smntubootstrap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smntubootstrap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the smntubootstrap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
dontaudit $1 smntubootstrap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smntubootstrap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smntubootstrap_port'($*)) dnl
corenet_udp_send_smntubootstrap_port($1)
corenet_udp_receive_smntubootstrap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smntubootstrap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the smntubootstrap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smntubootstrap_port'($*)) dnl
corenet_dontaudit_udp_send_smntubootstrap_port($1)
corenet_dontaudit_udp_receive_smntubootstrap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smntubootstrap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
allow $1 smntubootstrap_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smntubootstrap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
allow $1 smntubootstrap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smntubootstrap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to smntubootstrap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
dontaudit $1 smntubootstrap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_smntubootstrap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
allow $1 smntubootstrap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smntubootstrap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to smntubootstrap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_smntubootstrap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_smntubootstrap_port'($*)) dnl
gen_require(`
type smntubootstrap_port_t;
')
dontaudit $1 smntubootstrap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_smntubootstrap_port'($*)) dnl
')
########################################
##
## Send smntubootstrap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smntubootstrap_client_packets'($*)) dnl
gen_require(`
type smntubootstrap_client_packet_t;
')
allow $1 smntubootstrap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smntubootstrap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smntubootstrap_client_packets'($*)) dnl
gen_require(`
type smntubootstrap_client_packet_t;
')
dontaudit $1 smntubootstrap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Receive smntubootstrap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smntubootstrap_client_packets'($*)) dnl
gen_require(`
type smntubootstrap_client_packet_t;
')
allow $1 smntubootstrap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smntubootstrap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smntubootstrap_client_packets'($*)) dnl
gen_require(`
type smntubootstrap_client_packet_t;
')
dontaudit $1 smntubootstrap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Send and receive smntubootstrap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smntubootstrap_client_packets'($*)) dnl
corenet_send_smntubootstrap_client_packets($1)
corenet_receive_smntubootstrap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smntubootstrap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smntubootstrap_client_packets'($*)) dnl
corenet_dontaudit_send_smntubootstrap_client_packets($1)
corenet_dontaudit_receive_smntubootstrap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to smntubootstrap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smntubootstrap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smntubootstrap_client_packets'($*)) dnl
gen_require(`
type smntubootstrap_client_packet_t;
')
allow $1 smntubootstrap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smntubootstrap_client_packets'($*)) dnl
')
########################################
##
## Send smntubootstrap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smntubootstrap_server_packets'($*)) dnl
gen_require(`
type smntubootstrap_server_packet_t;
')
allow $1 smntubootstrap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send smntubootstrap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smntubootstrap_server_packets'($*)) dnl
gen_require(`
type smntubootstrap_server_packet_t;
')
dontaudit $1 smntubootstrap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Receive smntubootstrap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smntubootstrap_server_packets'($*)) dnl
gen_require(`
type smntubootstrap_server_packet_t;
')
allow $1 smntubootstrap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive smntubootstrap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smntubootstrap_server_packets'($*)) dnl
gen_require(`
type smntubootstrap_server_packet_t;
')
dontaudit $1 smntubootstrap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Send and receive smntubootstrap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smntubootstrap_server_packets'($*)) dnl
corenet_send_smntubootstrap_server_packets($1)
corenet_receive_smntubootstrap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive smntubootstrap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smntubootstrap_server_packets'($*)) dnl
corenet_dontaudit_send_smntubootstrap_server_packets($1)
corenet_dontaudit_receive_smntubootstrap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to smntubootstrap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_smntubootstrap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smntubootstrap_server_packets'($*)) dnl
gen_require(`
type smntubootstrap_server_packet_t;
')
allow $1 smntubootstrap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smntubootstrap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
allow $1 socks_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_socks_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
allow $1 socks_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_socks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the socks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
dontaudit $1 socks_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_socks_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
allow $1 socks_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_socks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the socks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
dontaudit $1 socks_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_socks_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_socks_port'($*)) dnl
corenet_udp_send_socks_port($1)
corenet_udp_receive_socks_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_socks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the socks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_socks_port'($*)) dnl
corenet_dontaudit_udp_send_socks_port($1)
corenet_dontaudit_udp_receive_socks_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_socks_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
allow $1 socks_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_socks_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
allow $1 socks_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_socks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to socks port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
dontaudit $1 socks_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_socks_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the socks port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
allow $1 socks_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_socks_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to socks port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_socks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_socks_port'($*)) dnl
gen_require(`
type socks_port_t;
')
dontaudit $1 socks_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_socks_port'($*)) dnl
')
########################################
##
## Send socks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_socks_client_packets'($*)) dnl
gen_require(`
type socks_client_packet_t;
')
allow $1 socks_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_socks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send socks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_socks_client_packets'($*)) dnl
gen_require(`
type socks_client_packet_t;
')
dontaudit $1 socks_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_socks_client_packets'($*)) dnl
')
########################################
##
## Receive socks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_socks_client_packets'($*)) dnl
gen_require(`
type socks_client_packet_t;
')
allow $1 socks_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_socks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive socks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_socks_client_packets'($*)) dnl
gen_require(`
type socks_client_packet_t;
')
dontaudit $1 socks_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_socks_client_packets'($*)) dnl
')
########################################
##
## Send and receive socks_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_socks_client_packets'($*)) dnl
corenet_send_socks_client_packets($1)
corenet_receive_socks_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_socks_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive socks_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_socks_client_packets'($*)) dnl
corenet_dontaudit_send_socks_client_packets($1)
corenet_dontaudit_receive_socks_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_socks_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to socks_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_socks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_socks_client_packets'($*)) dnl
gen_require(`
type socks_client_packet_t;
')
allow $1 socks_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_socks_client_packets'($*)) dnl
')
########################################
##
## Send socks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_socks_server_packets'($*)) dnl
gen_require(`
type socks_server_packet_t;
')
allow $1 socks_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_socks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send socks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_socks_server_packets'($*)) dnl
gen_require(`
type socks_server_packet_t;
')
dontaudit $1 socks_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_socks_server_packets'($*)) dnl
')
########################################
##
## Receive socks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_socks_server_packets'($*)) dnl
gen_require(`
type socks_server_packet_t;
')
allow $1 socks_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_socks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive socks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_socks_server_packets'($*)) dnl
gen_require(`
type socks_server_packet_t;
')
dontaudit $1 socks_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_socks_server_packets'($*)) dnl
')
########################################
##
## Send and receive socks_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_socks_server_packets'($*)) dnl
corenet_send_socks_server_packets($1)
corenet_receive_socks_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_socks_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive socks_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_socks_server_packets'($*)) dnl
corenet_dontaudit_send_socks_server_packets($1)
corenet_dontaudit_receive_socks_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_socks_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to socks_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_socks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_socks_server_packets'($*)) dnl
gen_require(`
type socks_server_packet_t;
')
allow $1 socks_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_socks_server_packets'($*)) dnl
')
# no defined portcon
########################################
##
## Send and receive TCP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_soundd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
dontaudit $1 soundd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_soundd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
dontaudit $1 soundd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_soundd_port'($*)) dnl
corenet_udp_send_soundd_port($1)
corenet_udp_receive_soundd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl
corenet_dontaudit_udp_send_soundd_port($1)
corenet_dontaudit_udp_receive_soundd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_soundd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
dontaudit $1 soundd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_soundd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the soundd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
allow $1 soundd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_soundd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to soundd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_soundd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_soundd_port'($*)) dnl
gen_require(`
type soundd_port_t;
')
dontaudit $1 soundd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_soundd_port'($*)) dnl
')
########################################
##
## Send soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
allow $1 soundd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_soundd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send soundd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
dontaudit $1 soundd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_client_packets'($*)) dnl
')
########################################
##
## Receive soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
allow $1 soundd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
dontaudit $1 soundd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl
')
########################################
##
## Send and receive soundd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_client_packets'($*)) dnl
corenet_send_soundd_client_packets($1)
corenet_receive_soundd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive soundd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl
corenet_dontaudit_send_soundd_client_packets($1)
corenet_dontaudit_receive_soundd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to soundd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_soundd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_client_packets'($*)) dnl
gen_require(`
type soundd_client_packet_t;
')
allow $1 soundd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_client_packets'($*)) dnl
')
########################################
##
## Send soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
allow $1 soundd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_soundd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send soundd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
dontaudit $1 soundd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_server_packets'($*)) dnl
')
########################################
##
## Receive soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
allow $1 soundd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
dontaudit $1 soundd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl
')
########################################
##
## Send and receive soundd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_server_packets'($*)) dnl
corenet_send_soundd_server_packets($1)
corenet_receive_soundd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive soundd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl
corenet_dontaudit_send_soundd_server_packets($1)
corenet_dontaudit_receive_soundd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to soundd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_soundd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_server_packets'($*)) dnl
gen_require(`
type soundd_server_packet_t;
')
allow $1 soundd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
allow $1 spamd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_spamd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
allow $1 spamd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
dontaudit $1 spamd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_spamd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
allow $1 spamd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
dontaudit $1 spamd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_spamd_port'($*)) dnl
corenet_udp_send_spamd_port($1)
corenet_udp_receive_spamd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_spamd_port'($*)) dnl
corenet_dontaudit_udp_send_spamd_port($1)
corenet_dontaudit_udp_receive_spamd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_spamd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
allow $1 spamd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_spamd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the spamd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
allow $1 spamd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to spamd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
dontaudit $1 spamd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_spamd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the spamd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
allow $1 spamd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_spamd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to spamd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_spamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_spamd_port'($*)) dnl
gen_require(`
type spamd_port_t;
')
dontaudit $1 spamd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_spamd_port'($*)) dnl
')
########################################
##
## Send spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_client_packets'($*)) dnl
gen_require(`
type spamd_client_packet_t;
')
allow $1 spamd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_spamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send spamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_client_packets'($*)) dnl
gen_require(`
type spamd_client_packet_t;
')
dontaudit $1 spamd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_client_packets'($*)) dnl
')
########################################
##
## Receive spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_client_packets'($*)) dnl
gen_require(`
type spamd_client_packet_t;
')
allow $1 spamd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_client_packets'($*)) dnl
gen_require(`
type spamd_client_packet_t;
')
dontaudit $1 spamd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_client_packets'($*)) dnl
')
########################################
##
## Send and receive spamd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_client_packets'($*)) dnl
corenet_send_spamd_client_packets($1)
corenet_receive_spamd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive spamd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_client_packets'($*)) dnl
corenet_dontaudit_send_spamd_client_packets($1)
corenet_dontaudit_receive_spamd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to spamd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_spamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_client_packets'($*)) dnl
gen_require(`
type spamd_client_packet_t;
')
allow $1 spamd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_client_packets'($*)) dnl
')
########################################
##
## Send spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_server_packets'($*)) dnl
gen_require(`
type spamd_server_packet_t;
')
allow $1 spamd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_spamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send spamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_server_packets'($*)) dnl
gen_require(`
type spamd_server_packet_t;
')
dontaudit $1 spamd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_server_packets'($*)) dnl
')
########################################
##
## Receive spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_server_packets'($*)) dnl
gen_require(`
type spamd_server_packet_t;
')
allow $1 spamd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_server_packets'($*)) dnl
gen_require(`
type spamd_server_packet_t;
')
dontaudit $1 spamd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive spamd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_server_packets'($*)) dnl
corenet_send_spamd_server_packets($1)
corenet_receive_spamd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive spamd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_server_packets'($*)) dnl
corenet_dontaudit_send_spamd_server_packets($1)
corenet_dontaudit_receive_spamd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to spamd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_spamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_server_packets'($*)) dnl
gen_require(`
type spamd_server_packet_t;
')
allow $1 spamd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the speech port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
allow $1 speech_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_speech_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the speech port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
allow $1 speech_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_speech_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the speech port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
dontaudit $1 speech_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_speech_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the speech port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
allow $1 speech_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_speech_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the speech port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
dontaudit $1 speech_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_speech_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the speech port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_speech_port'($*)) dnl
corenet_udp_send_speech_port($1)
corenet_udp_receive_speech_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_speech_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the speech port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_speech_port'($*)) dnl
corenet_dontaudit_udp_send_speech_port($1)
corenet_dontaudit_udp_receive_speech_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_speech_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the speech port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
allow $1 speech_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_speech_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the speech port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
allow $1 speech_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_speech_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to speech port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
dontaudit $1 speech_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_speech_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the speech port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
allow $1 speech_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_speech_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to speech port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_speech_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_speech_port'($*)) dnl
gen_require(`
type speech_port_t;
')
dontaudit $1 speech_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_speech_port'($*)) dnl
')
########################################
##
## Send speech_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_speech_client_packets'($*)) dnl
gen_require(`
type speech_client_packet_t;
')
allow $1 speech_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_speech_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send speech_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_speech_client_packets'($*)) dnl
gen_require(`
type speech_client_packet_t;
')
dontaudit $1 speech_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_speech_client_packets'($*)) dnl
')
########################################
##
## Receive speech_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_speech_client_packets'($*)) dnl
gen_require(`
type speech_client_packet_t;
')
allow $1 speech_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_speech_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive speech_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_speech_client_packets'($*)) dnl
gen_require(`
type speech_client_packet_t;
')
dontaudit $1 speech_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_speech_client_packets'($*)) dnl
')
########################################
##
## Send and receive speech_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_speech_client_packets'($*)) dnl
corenet_send_speech_client_packets($1)
corenet_receive_speech_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_speech_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive speech_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_speech_client_packets'($*)) dnl
corenet_dontaudit_send_speech_client_packets($1)
corenet_dontaudit_receive_speech_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_speech_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to speech_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_speech_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_speech_client_packets'($*)) dnl
gen_require(`
type speech_client_packet_t;
')
allow $1 speech_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_speech_client_packets'($*)) dnl
')
########################################
##
## Send speech_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_speech_server_packets'($*)) dnl
gen_require(`
type speech_server_packet_t;
')
allow $1 speech_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_speech_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send speech_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_speech_server_packets'($*)) dnl
gen_require(`
type speech_server_packet_t;
')
dontaudit $1 speech_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_speech_server_packets'($*)) dnl
')
########################################
##
## Receive speech_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_speech_server_packets'($*)) dnl
gen_require(`
type speech_server_packet_t;
')
allow $1 speech_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_speech_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive speech_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_speech_server_packets'($*)) dnl
gen_require(`
type speech_server_packet_t;
')
dontaudit $1 speech_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_speech_server_packets'($*)) dnl
')
########################################
##
## Send and receive speech_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_speech_server_packets'($*)) dnl
corenet_send_speech_server_packets($1)
corenet_receive_speech_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_speech_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive speech_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_speech_server_packets'($*)) dnl
corenet_dontaudit_send_speech_server_packets($1)
corenet_dontaudit_receive_speech_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_speech_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to speech_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_speech_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_speech_server_packets'($*)) dnl
gen_require(`
type speech_server_packet_t;
')
allow $1 speech_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_speech_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_squid_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
dontaudit $1 squid_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_squid_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
dontaudit $1 squid_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_squid_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_squid_port'($*)) dnl
corenet_udp_send_squid_port($1)
corenet_udp_receive_squid_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_squid_port'($*)) dnl
corenet_dontaudit_udp_send_squid_port($1)
corenet_dontaudit_udp_receive_squid_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_squid_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_squid_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the squid port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to squid port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
dontaudit $1 squid_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_squid_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the squid port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
allow $1 squid_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_squid_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to squid port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_squid_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_squid_port'($*)) dnl
gen_require(`
type squid_port_t;
')
dontaudit $1 squid_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_squid_port'($*)) dnl
')
########################################
##
## Send squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
allow $1 squid_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_squid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send squid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
dontaudit $1 squid_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_client_packets'($*)) dnl
')
########################################
##
## Receive squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
allow $1 squid_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_squid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
dontaudit $1 squid_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_client_packets'($*)) dnl
')
########################################
##
## Send and receive squid_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_client_packets'($*)) dnl
corenet_send_squid_client_packets($1)
corenet_receive_squid_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive squid_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl
corenet_dontaudit_send_squid_client_packets($1)
corenet_dontaudit_receive_squid_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to squid_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_squid_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_client_packets'($*)) dnl
gen_require(`
type squid_client_packet_t;
')
allow $1 squid_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_client_packets'($*)) dnl
')
########################################
##
## Send squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
allow $1 squid_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_squid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send squid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
dontaudit $1 squid_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_server_packets'($*)) dnl
')
########################################
##
## Receive squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
allow $1 squid_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_squid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
dontaudit $1 squid_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_server_packets'($*)) dnl
')
########################################
##
## Send and receive squid_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_server_packets'($*)) dnl
corenet_send_squid_server_packets($1)
corenet_receive_squid_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive squid_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl
corenet_dontaudit_send_squid_server_packets($1)
corenet_dontaudit_receive_squid_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to squid_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_squid_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_server_packets'($*)) dnl
gen_require(`
type squid_server_packet_t;
')
allow $1 squid_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_server_packets'($*)) dnl
')
# snmp and htcp
########################################
##
## Send and receive TCP traffic on the ssdp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
allow $1 ssdp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssdp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ssdp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
allow $1 ssdp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssdp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ssdp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
dontaudit $1 ssdp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssdp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ssdp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
allow $1 ssdp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssdp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ssdp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
dontaudit $1 ssdp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssdp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ssdp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssdp_port'($*)) dnl
corenet_udp_send_ssdp_port($1)
corenet_udp_receive_ssdp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssdp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ssdp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssdp_port'($*)) dnl
corenet_dontaudit_udp_send_ssdp_port($1)
corenet_dontaudit_udp_receive_ssdp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssdp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ssdp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
allow $1 ssdp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssdp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ssdp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
allow $1 ssdp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssdp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ssdp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
dontaudit $1 ssdp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ssdp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ssdp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
allow $1 ssdp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssdp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ssdp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ssdp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ssdp_port'($*)) dnl
gen_require(`
type ssdp_port_t;
')
dontaudit $1 ssdp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ssdp_port'($*)) dnl
')
########################################
##
## Send ssdp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ssdp_client_packets'($*)) dnl
gen_require(`
type ssdp_client_packet_t;
')
allow $1 ssdp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ssdp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ssdp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssdp_client_packets'($*)) dnl
gen_require(`
type ssdp_client_packet_t;
')
dontaudit $1 ssdp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssdp_client_packets'($*)) dnl
')
########################################
##
## Receive ssdp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssdp_client_packets'($*)) dnl
gen_require(`
type ssdp_client_packet_t;
')
allow $1 ssdp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssdp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ssdp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssdp_client_packets'($*)) dnl
gen_require(`
type ssdp_client_packet_t;
')
dontaudit $1 ssdp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssdp_client_packets'($*)) dnl
')
########################################
##
## Send and receive ssdp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssdp_client_packets'($*)) dnl
corenet_send_ssdp_client_packets($1)
corenet_receive_ssdp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssdp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ssdp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssdp_client_packets'($*)) dnl
corenet_dontaudit_send_ssdp_client_packets($1)
corenet_dontaudit_receive_ssdp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssdp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ssdp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ssdp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssdp_client_packets'($*)) dnl
gen_require(`
type ssdp_client_packet_t;
')
allow $1 ssdp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssdp_client_packets'($*)) dnl
')
########################################
##
## Send ssdp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ssdp_server_packets'($*)) dnl
gen_require(`
type ssdp_server_packet_t;
')
allow $1 ssdp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ssdp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ssdp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssdp_server_packets'($*)) dnl
gen_require(`
type ssdp_server_packet_t;
')
dontaudit $1 ssdp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssdp_server_packets'($*)) dnl
')
########################################
##
## Receive ssdp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssdp_server_packets'($*)) dnl
gen_require(`
type ssdp_server_packet_t;
')
allow $1 ssdp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssdp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ssdp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssdp_server_packets'($*)) dnl
gen_require(`
type ssdp_server_packet_t;
')
dontaudit $1 ssdp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssdp_server_packets'($*)) dnl
')
########################################
##
## Send and receive ssdp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssdp_server_packets'($*)) dnl
corenet_send_ssdp_server_packets($1)
corenet_receive_ssdp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssdp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ssdp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssdp_server_packets'($*)) dnl
corenet_dontaudit_send_ssdp_server_packets($1)
corenet_dontaudit_receive_ssdp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssdp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ssdp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ssdp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssdp_server_packets'($*)) dnl
gen_require(`
type ssdp_server_packet_t;
')
allow $1 ssdp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssdp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssh_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
dontaudit $1 ssh_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssh_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
dontaudit $1 ssh_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssh_port'($*)) dnl
corenet_udp_send_ssh_port($1)
corenet_udp_receive_ssh_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssh_port'($*)) dnl
corenet_dontaudit_udp_send_ssh_port($1)
corenet_dontaudit_udp_receive_ssh_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssh_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssh_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ssh port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ssh port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
dontaudit $1 ssh_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ssh_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ssh port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
allow $1 ssh_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssh_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ssh port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ssh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ssh_port'($*)) dnl
gen_require(`
type ssh_port_t;
')
dontaudit $1 ssh_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ssh_port'($*)) dnl
')
########################################
##
## Send ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_client_packets'($*)) dnl
gen_require(`
type ssh_client_packet_t;
')
allow $1 ssh_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ssh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ssh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_client_packets'($*)) dnl
gen_require(`
type ssh_client_packet_t;
')
dontaudit $1 ssh_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_client_packets'($*)) dnl
')
########################################
##
## Receive ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_client_packets'($*)) dnl
gen_require(`
type ssh_client_packet_t;
')
allow $1 ssh_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl
gen_require(`
type ssh_client_packet_t;
')
dontaudit $1 ssh_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl
')
########################################
##
## Send and receive ssh_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_client_packets'($*)) dnl
corenet_send_ssh_client_packets($1)
corenet_receive_ssh_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ssh_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl
corenet_dontaudit_send_ssh_client_packets($1)
corenet_dontaudit_receive_ssh_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ssh_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ssh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_client_packets'($*)) dnl
gen_require(`
type ssh_client_packet_t;
')
allow $1 ssh_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_client_packets'($*)) dnl
')
########################################
##
## Send ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_server_packets'($*)) dnl
gen_require(`
type ssh_server_packet_t;
')
allow $1 ssh_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ssh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ssh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_server_packets'($*)) dnl
gen_require(`
type ssh_server_packet_t;
')
dontaudit $1 ssh_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_server_packets'($*)) dnl
')
########################################
##
## Receive ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_server_packets'($*)) dnl
gen_require(`
type ssh_server_packet_t;
')
allow $1 ssh_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_server_packets'($*)) dnl
gen_require(`
type ssh_server_packet_t;
')
dontaudit $1 ssh_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_server_packets'($*)) dnl
')
########################################
##
## Send and receive ssh_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_server_packets'($*)) dnl
corenet_send_ssh_server_packets($1)
corenet_receive_ssh_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ssh_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_server_packets'($*)) dnl
corenet_dontaudit_send_ssh_server_packets($1)
corenet_dontaudit_receive_ssh_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ssh_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ssh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_server_packets'($*)) dnl
gen_require(`
type ssh_server_packet_t;
')
allow $1 ssh_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the stunnel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
allow $1 stunnel_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_stunnel_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the stunnel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
allow $1 stunnel_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_stunnel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the stunnel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
dontaudit $1 stunnel_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_stunnel_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the stunnel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
allow $1 stunnel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_stunnel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the stunnel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
dontaudit $1 stunnel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_stunnel_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the stunnel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_stunnel_port'($*)) dnl
corenet_udp_send_stunnel_port($1)
corenet_udp_receive_stunnel_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_stunnel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the stunnel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_stunnel_port'($*)) dnl
corenet_dontaudit_udp_send_stunnel_port($1)
corenet_dontaudit_udp_receive_stunnel_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_stunnel_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the stunnel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
allow $1 stunnel_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_stunnel_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the stunnel port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
allow $1 stunnel_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_stunnel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to stunnel port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
dontaudit $1 stunnel_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_stunnel_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the stunnel port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
allow $1 stunnel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_stunnel_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to stunnel port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_stunnel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_stunnel_port'($*)) dnl
gen_require(`
type stunnel_port_t;
')
dontaudit $1 stunnel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_stunnel_port'($*)) dnl
')
########################################
##
## Send stunnel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_stunnel_client_packets'($*)) dnl
gen_require(`
type stunnel_client_packet_t;
')
allow $1 stunnel_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_stunnel_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send stunnel_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_stunnel_client_packets'($*)) dnl
gen_require(`
type stunnel_client_packet_t;
')
dontaudit $1 stunnel_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_stunnel_client_packets'($*)) dnl
')
########################################
##
## Receive stunnel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_stunnel_client_packets'($*)) dnl
gen_require(`
type stunnel_client_packet_t;
')
allow $1 stunnel_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_stunnel_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive stunnel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_stunnel_client_packets'($*)) dnl
gen_require(`
type stunnel_client_packet_t;
')
dontaudit $1 stunnel_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_stunnel_client_packets'($*)) dnl
')
########################################
##
## Send and receive stunnel_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_stunnel_client_packets'($*)) dnl
corenet_send_stunnel_client_packets($1)
corenet_receive_stunnel_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_stunnel_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive stunnel_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_stunnel_client_packets'($*)) dnl
corenet_dontaudit_send_stunnel_client_packets($1)
corenet_dontaudit_receive_stunnel_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_stunnel_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to stunnel_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_stunnel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_stunnel_client_packets'($*)) dnl
gen_require(`
type stunnel_client_packet_t;
')
allow $1 stunnel_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_stunnel_client_packets'($*)) dnl
')
########################################
##
## Send stunnel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_stunnel_server_packets'($*)) dnl
gen_require(`
type stunnel_server_packet_t;
')
allow $1 stunnel_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_stunnel_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send stunnel_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_stunnel_server_packets'($*)) dnl
gen_require(`
type stunnel_server_packet_t;
')
dontaudit $1 stunnel_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_stunnel_server_packets'($*)) dnl
')
########################################
##
## Receive stunnel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_stunnel_server_packets'($*)) dnl
gen_require(`
type stunnel_server_packet_t;
')
allow $1 stunnel_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_stunnel_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive stunnel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_stunnel_server_packets'($*)) dnl
gen_require(`
type stunnel_server_packet_t;
')
dontaudit $1 stunnel_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_stunnel_server_packets'($*)) dnl
')
########################################
##
## Send and receive stunnel_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_stunnel_server_packets'($*)) dnl
corenet_send_stunnel_server_packets($1)
corenet_receive_stunnel_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_stunnel_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive stunnel_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_stunnel_server_packets'($*)) dnl
corenet_dontaudit_send_stunnel_server_packets($1)
corenet_dontaudit_receive_stunnel_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_stunnel_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to stunnel_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_stunnel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_stunnel_server_packets'($*)) dnl
gen_require(`
type stunnel_server_packet_t;
')
allow $1 stunnel_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_stunnel_server_packets'($*)) dnl
')
# no defined portcon
########################################
##
## Send and receive TCP traffic on the svn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
allow $1 svn_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_svn_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the svn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
allow $1 svn_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_svn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the svn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
dontaudit $1 svn_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_svn_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the svn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
allow $1 svn_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_svn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the svn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
dontaudit $1 svn_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_svn_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the svn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_svn_port'($*)) dnl
corenet_udp_send_svn_port($1)
corenet_udp_receive_svn_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_svn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the svn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_svn_port'($*)) dnl
corenet_dontaudit_udp_send_svn_port($1)
corenet_dontaudit_udp_receive_svn_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_svn_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the svn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
allow $1 svn_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_svn_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the svn port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
allow $1 svn_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_svn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to svn port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
dontaudit $1 svn_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_svn_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the svn port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
allow $1 svn_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_svn_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to svn port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_svn_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_svn_port'($*)) dnl
gen_require(`
type svn_port_t;
')
dontaudit $1 svn_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_svn_port'($*)) dnl
')
########################################
##
## Send svn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svn_client_packets'($*)) dnl
gen_require(`
type svn_client_packet_t;
')
allow $1 svn_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send svn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svn_client_packets'($*)) dnl
gen_require(`
type svn_client_packet_t;
')
dontaudit $1 svn_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svn_client_packets'($*)) dnl
')
########################################
##
## Receive svn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svn_client_packets'($*)) dnl
gen_require(`
type svn_client_packet_t;
')
allow $1 svn_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive svn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svn_client_packets'($*)) dnl
gen_require(`
type svn_client_packet_t;
')
dontaudit $1 svn_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svn_client_packets'($*)) dnl
')
########################################
##
## Send and receive svn_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svn_client_packets'($*)) dnl
corenet_send_svn_client_packets($1)
corenet_receive_svn_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svn_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive svn_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svn_client_packets'($*)) dnl
corenet_dontaudit_send_svn_client_packets($1)
corenet_dontaudit_receive_svn_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svn_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to svn_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_svn_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svn_client_packets'($*)) dnl
gen_require(`
type svn_client_packet_t;
')
allow $1 svn_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svn_client_packets'($*)) dnl
')
########################################
##
## Send svn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svn_server_packets'($*)) dnl
gen_require(`
type svn_server_packet_t;
')
allow $1 svn_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send svn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svn_server_packets'($*)) dnl
gen_require(`
type svn_server_packet_t;
')
dontaudit $1 svn_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svn_server_packets'($*)) dnl
')
########################################
##
## Receive svn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svn_server_packets'($*)) dnl
gen_require(`
type svn_server_packet_t;
')
allow $1 svn_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive svn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svn_server_packets'($*)) dnl
gen_require(`
type svn_server_packet_t;
')
dontaudit $1 svn_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svn_server_packets'($*)) dnl
')
########################################
##
## Send and receive svn_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svn_server_packets'($*)) dnl
corenet_send_svn_server_packets($1)
corenet_receive_svn_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svn_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive svn_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svn_server_packets'($*)) dnl
corenet_dontaudit_send_svn_server_packets($1)
corenet_dontaudit_receive_svn_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svn_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to svn_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_svn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svn_server_packets'($*)) dnl
gen_require(`
type svn_server_packet_t;
')
allow $1 svn_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svn_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the svrloc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
allow $1 svrloc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_svrloc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the svrloc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
allow $1 svrloc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_svrloc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the svrloc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
dontaudit $1 svrloc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_svrloc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the svrloc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
allow $1 svrloc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_svrloc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the svrloc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
dontaudit $1 svrloc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_svrloc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the svrloc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_svrloc_port'($*)) dnl
corenet_udp_send_svrloc_port($1)
corenet_udp_receive_svrloc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_svrloc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the svrloc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_svrloc_port'($*)) dnl
corenet_dontaudit_udp_send_svrloc_port($1)
corenet_dontaudit_udp_receive_svrloc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_svrloc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the svrloc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
allow $1 svrloc_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_svrloc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the svrloc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
allow $1 svrloc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_svrloc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to svrloc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
dontaudit $1 svrloc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_svrloc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the svrloc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
allow $1 svrloc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_svrloc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to svrloc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_svrloc_port'($*)) dnl
gen_require(`
type svrloc_port_t;
')
dontaudit $1 svrloc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_svrloc_port'($*)) dnl
')
########################################
##
## Send svrloc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svrloc_client_packets'($*)) dnl
gen_require(`
type svrloc_client_packet_t;
')
allow $1 svrloc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svrloc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send svrloc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svrloc_client_packets'($*)) dnl
gen_require(`
type svrloc_client_packet_t;
')
dontaudit $1 svrloc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svrloc_client_packets'($*)) dnl
')
########################################
##
## Receive svrloc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svrloc_client_packets'($*)) dnl
gen_require(`
type svrloc_client_packet_t;
')
allow $1 svrloc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svrloc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive svrloc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svrloc_client_packets'($*)) dnl
gen_require(`
type svrloc_client_packet_t;
')
dontaudit $1 svrloc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svrloc_client_packets'($*)) dnl
')
########################################
##
## Send and receive svrloc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svrloc_client_packets'($*)) dnl
corenet_send_svrloc_client_packets($1)
corenet_receive_svrloc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svrloc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive svrloc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svrloc_client_packets'($*)) dnl
corenet_dontaudit_send_svrloc_client_packets($1)
corenet_dontaudit_receive_svrloc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svrloc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to svrloc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svrloc_client_packets'($*)) dnl
gen_require(`
type svrloc_client_packet_t;
')
allow $1 svrloc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svrloc_client_packets'($*)) dnl
')
########################################
##
## Send svrloc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svrloc_server_packets'($*)) dnl
gen_require(`
type svrloc_server_packet_t;
')
allow $1 svrloc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svrloc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send svrloc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svrloc_server_packets'($*)) dnl
gen_require(`
type svrloc_server_packet_t;
')
dontaudit $1 svrloc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svrloc_server_packets'($*)) dnl
')
########################################
##
## Receive svrloc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svrloc_server_packets'($*)) dnl
gen_require(`
type svrloc_server_packet_t;
')
allow $1 svrloc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svrloc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive svrloc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svrloc_server_packets'($*)) dnl
gen_require(`
type svrloc_server_packet_t;
')
dontaudit $1 svrloc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svrloc_server_packets'($*)) dnl
')
########################################
##
## Send and receive svrloc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svrloc_server_packets'($*)) dnl
corenet_send_svrloc_server_packets($1)
corenet_receive_svrloc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svrloc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive svrloc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svrloc_server_packets'($*)) dnl
corenet_dontaudit_send_svrloc_server_packets($1)
corenet_dontaudit_receive_svrloc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svrloc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to svrloc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svrloc_server_packets'($*)) dnl
gen_require(`
type svrloc_server_packet_t;
')
allow $1 svrloc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svrloc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_swat_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
dontaudit $1 swat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_swat_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
dontaudit $1 swat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_swat_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_swat_port'($*)) dnl
corenet_udp_send_swat_port($1)
corenet_udp_receive_swat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl
corenet_dontaudit_udp_send_swat_port($1)
corenet_dontaudit_udp_receive_swat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_swat_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the swat port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to swat port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
dontaudit $1 swat_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_swat_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the swat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
allow $1 swat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_swat_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to swat port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_swat_port'($*)) dnl
gen_require(`
type swat_port_t;
')
dontaudit $1 swat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_swat_port'($*)) dnl
')
########################################
##
## Send swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
allow $1 swat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send swat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
dontaudit $1 swat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_client_packets'($*)) dnl
')
########################################
##
## Receive swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
allow $1 swat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
dontaudit $1 swat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_client_packets'($*)) dnl
')
########################################
##
## Send and receive swat_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_client_packets'($*)) dnl
corenet_send_swat_client_packets($1)
corenet_receive_swat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive swat_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl
corenet_dontaudit_send_swat_client_packets($1)
corenet_dontaudit_receive_swat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to swat_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_client_packets'($*)) dnl
gen_require(`
type swat_client_packet_t;
')
allow $1 swat_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_client_packets'($*)) dnl
')
########################################
##
## Send swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
allow $1 swat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send swat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
dontaudit $1 swat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_server_packets'($*)) dnl
')
########################################
##
## Receive swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
allow $1 swat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
dontaudit $1 swat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_server_packets'($*)) dnl
')
########################################
##
## Send and receive swat_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_server_packets'($*)) dnl
corenet_send_swat_server_packets($1)
corenet_receive_swat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive swat_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl
corenet_dontaudit_send_swat_server_packets($1)
corenet_dontaudit_receive_swat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to swat_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_server_packets'($*)) dnl
gen_require(`
type swat_server_packet_t;
')
allow $1 swat_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the swift port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
allow $1 swift_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_swift_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the swift port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
allow $1 swift_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_swift_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the swift port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
dontaudit $1 swift_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_swift_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the swift port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
allow $1 swift_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_swift_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the swift port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
dontaudit $1 swift_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_swift_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the swift port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_swift_port'($*)) dnl
corenet_udp_send_swift_port($1)
corenet_udp_receive_swift_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_swift_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the swift port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_swift_port'($*)) dnl
corenet_dontaudit_udp_send_swift_port($1)
corenet_dontaudit_udp_receive_swift_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_swift_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the swift port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
allow $1 swift_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_swift_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the swift port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
allow $1 swift_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_swift_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to swift port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
dontaudit $1 swift_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_swift_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the swift port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
allow $1 swift_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_swift_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to swift port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_swift_port'($*)) dnl
gen_require(`
type swift_port_t;
')
dontaudit $1 swift_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_swift_port'($*)) dnl
')
########################################
##
## Send swift_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swift_client_packets'($*)) dnl
gen_require(`
type swift_client_packet_t;
')
allow $1 swift_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swift_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send swift_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swift_client_packets'($*)) dnl
gen_require(`
type swift_client_packet_t;
')
dontaudit $1 swift_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swift_client_packets'($*)) dnl
')
########################################
##
## Receive swift_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swift_client_packets'($*)) dnl
gen_require(`
type swift_client_packet_t;
')
allow $1 swift_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swift_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive swift_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swift_client_packets'($*)) dnl
gen_require(`
type swift_client_packet_t;
')
dontaudit $1 swift_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swift_client_packets'($*)) dnl
')
########################################
##
## Send and receive swift_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swift_client_packets'($*)) dnl
corenet_send_swift_client_packets($1)
corenet_receive_swift_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swift_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive swift_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swift_client_packets'($*)) dnl
corenet_dontaudit_send_swift_client_packets($1)
corenet_dontaudit_receive_swift_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swift_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to swift_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swift_client_packets'($*)) dnl
gen_require(`
type swift_client_packet_t;
')
allow $1 swift_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swift_client_packets'($*)) dnl
')
########################################
##
## Send swift_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swift_server_packets'($*)) dnl
gen_require(`
type swift_server_packet_t;
')
allow $1 swift_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swift_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send swift_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swift_server_packets'($*)) dnl
gen_require(`
type swift_server_packet_t;
')
dontaudit $1 swift_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swift_server_packets'($*)) dnl
')
########################################
##
## Receive swift_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swift_server_packets'($*)) dnl
gen_require(`
type swift_server_packet_t;
')
allow $1 swift_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swift_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive swift_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swift_server_packets'($*)) dnl
gen_require(`
type swift_server_packet_t;
')
dontaudit $1 swift_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swift_server_packets'($*)) dnl
')
########################################
##
## Send and receive swift_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swift_server_packets'($*)) dnl
corenet_send_swift_server_packets($1)
corenet_receive_swift_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swift_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive swift_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swift_server_packets'($*)) dnl
corenet_dontaudit_send_swift_server_packets($1)
corenet_dontaudit_receive_swift_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swift_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to swift_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swift_server_packets'($*)) dnl
gen_require(`
type swift_server_packet_t;
')
allow $1 swift_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swift_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the sype_transport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
allow $1 sype_transport_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sype_transport_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the sype_transport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
allow $1 sype_transport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sype_transport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the sype_transport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
dontaudit $1 sype_transport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sype_transport_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the sype_transport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
allow $1 sype_transport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sype_transport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the sype_transport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
dontaudit $1 sype_transport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sype_transport_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the sype_transport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sype_transport_port'($*)) dnl
corenet_udp_send_sype_transport_port($1)
corenet_udp_receive_sype_transport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sype_transport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the sype_transport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sype_transport_port'($*)) dnl
corenet_dontaudit_udp_send_sype_transport_port($1)
corenet_dontaudit_udp_receive_sype_transport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sype_transport_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the sype_transport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
allow $1 sype_transport_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sype_transport_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the sype_transport port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
allow $1 sype_transport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sype_transport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to sype_transport port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
dontaudit $1 sype_transport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sype_transport_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the sype_transport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
allow $1 sype_transport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sype_transport_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to sype_transport port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sype_transport_port'($*)) dnl
gen_require(`
type sype_transport_port_t;
')
dontaudit $1 sype_transport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sype_transport_port'($*)) dnl
')
########################################
##
## Send sype_transport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sype_transport_client_packets'($*)) dnl
gen_require(`
type sype_transport_client_packet_t;
')
allow $1 sype_transport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sype_transport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sype_transport_client_packets'($*)) dnl
gen_require(`
type sype_transport_client_packet_t;
')
dontaudit $1 sype_transport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Receive sype_transport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sype_transport_client_packets'($*)) dnl
gen_require(`
type sype_transport_client_packet_t;
')
allow $1 sype_transport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sype_transport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sype_transport_client_packets'($*)) dnl
gen_require(`
type sype_transport_client_packet_t;
')
dontaudit $1 sype_transport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Send and receive sype_transport_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sype_transport_client_packets'($*)) dnl
corenet_send_sype_transport_client_packets($1)
corenet_receive_sype_transport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sype_transport_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sype_transport_client_packets'($*)) dnl
corenet_dontaudit_send_sype_transport_client_packets($1)
corenet_dontaudit_receive_sype_transport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to sype_transport_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sype_transport_client_packets'($*)) dnl
gen_require(`
type sype_transport_client_packet_t;
')
allow $1 sype_transport_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sype_transport_client_packets'($*)) dnl
')
########################################
##
## Send sype_transport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sype_transport_server_packets'($*)) dnl
gen_require(`
type sype_transport_server_packet_t;
')
allow $1 sype_transport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send sype_transport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sype_transport_server_packets'($*)) dnl
gen_require(`
type sype_transport_server_packet_t;
')
dontaudit $1 sype_transport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Receive sype_transport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sype_transport_server_packets'($*)) dnl
gen_require(`
type sype_transport_server_packet_t;
')
allow $1 sype_transport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive sype_transport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sype_transport_server_packets'($*)) dnl
gen_require(`
type sype_transport_server_packet_t;
')
dontaudit $1 sype_transport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Send and receive sype_transport_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sype_transport_server_packets'($*)) dnl
corenet_send_sype_transport_server_packets($1)
corenet_receive_sype_transport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive sype_transport_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sype_transport_server_packets'($*)) dnl
corenet_dontaudit_send_sype_transport_server_packets($1)
corenet_dontaudit_receive_sype_transport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to sype_transport_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sype_transport_server_packets'($*)) dnl
gen_require(`
type sype_transport_server_packet_t;
')
allow $1 sype_transport_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sype_transport_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
allow $1 syslogd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslogd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
allow $1 syslogd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
dontaudit $1 syslogd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
allow $1 syslogd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
dontaudit $1 syslogd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslogd_port'($*)) dnl
corenet_udp_send_syslogd_port($1)
corenet_udp_receive_syslogd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl
corenet_dontaudit_udp_send_syslogd_port($1)
corenet_dontaudit_udp_receive_syslogd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
allow $1 syslogd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslogd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the syslogd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
allow $1 syslogd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to syslogd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
dontaudit $1 syslogd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_syslogd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the syslogd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
allow $1 syslogd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslogd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to syslogd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_syslogd_port'($*)) dnl
gen_require(`
type syslogd_port_t;
')
dontaudit $1 syslogd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_syslogd_port'($*)) dnl
')
########################################
##
## Send syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
allow $1 syslogd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send syslogd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
dontaudit $1 syslogd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl
')
########################################
##
## Receive syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
allow $1 syslogd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
dontaudit $1 syslogd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl
')
########################################
##
## Send and receive syslogd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_client_packets'($*)) dnl
corenet_send_syslogd_client_packets($1)
corenet_receive_syslogd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive syslogd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl
corenet_dontaudit_send_syslogd_client_packets($1)
corenet_dontaudit_receive_syslogd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to syslogd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_client_packets'($*)) dnl
gen_require(`
type syslogd_client_packet_t;
')
allow $1 syslogd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_client_packets'($*)) dnl
')
########################################
##
## Send syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
allow $1 syslogd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send syslogd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
dontaudit $1 syslogd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl
')
########################################
##
## Receive syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
allow $1 syslogd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
dontaudit $1 syslogd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl
')
########################################
##
## Send and receive syslogd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_server_packets'($*)) dnl
corenet_send_syslogd_server_packets($1)
corenet_receive_syslogd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive syslogd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl
corenet_dontaudit_send_syslogd_server_packets($1)
corenet_dontaudit_receive_syslogd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to syslogd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_server_packets'($*)) dnl
gen_require(`
type syslogd_server_packet_t;
')
allow $1 syslogd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
allow $1 syslog_tls_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslog_tls_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
allow $1 syslog_tls_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslog_tls_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the syslog_tls port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
dontaudit $1 syslog_tls_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslog_tls_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
allow $1 syslog_tls_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslog_tls_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the syslog_tls port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
dontaudit $1 syslog_tls_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslog_tls_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslog_tls_port'($*)) dnl
corenet_udp_send_syslog_tls_port($1)
corenet_udp_receive_syslog_tls_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslog_tls_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the syslog_tls port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslog_tls_port'($*)) dnl
corenet_dontaudit_udp_send_syslog_tls_port($1)
corenet_dontaudit_udp_receive_syslog_tls_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslog_tls_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
allow $1 syslog_tls_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslog_tls_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
allow $1 syslog_tls_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslog_tls_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to syslog_tls port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
dontaudit $1 syslog_tls_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_syslog_tls_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the syslog_tls port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
allow $1 syslog_tls_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslog_tls_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to syslog_tls port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_syslog_tls_port'($*)) dnl
gen_require(`
type syslog_tls_port_t;
')
dontaudit $1 syslog_tls_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_syslog_tls_port'($*)) dnl
')
########################################
##
## Send syslog_tls_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslog_tls_client_packets'($*)) dnl
gen_require(`
type syslog_tls_client_packet_t;
')
allow $1 syslog_tls_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send syslog_tls_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslog_tls_client_packets'($*)) dnl
gen_require(`
type syslog_tls_client_packet_t;
')
dontaudit $1 syslog_tls_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Receive syslog_tls_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslog_tls_client_packets'($*)) dnl
gen_require(`
type syslog_tls_client_packet_t;
')
allow $1 syslog_tls_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive syslog_tls_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslog_tls_client_packets'($*)) dnl
gen_require(`
type syslog_tls_client_packet_t;
')
dontaudit $1 syslog_tls_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Send and receive syslog_tls_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslog_tls_client_packets'($*)) dnl
corenet_send_syslog_tls_client_packets($1)
corenet_receive_syslog_tls_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive syslog_tls_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslog_tls_client_packets'($*)) dnl
corenet_dontaudit_send_syslog_tls_client_packets($1)
corenet_dontaudit_receive_syslog_tls_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to syslog_tls_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslog_tls_client_packets'($*)) dnl
gen_require(`
type syslog_tls_client_packet_t;
')
allow $1 syslog_tls_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslog_tls_client_packets'($*)) dnl
')
########################################
##
## Send syslog_tls_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslog_tls_server_packets'($*)) dnl
gen_require(`
type syslog_tls_server_packet_t;
')
allow $1 syslog_tls_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send syslog_tls_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslog_tls_server_packets'($*)) dnl
gen_require(`
type syslog_tls_server_packet_t;
')
dontaudit $1 syslog_tls_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Receive syslog_tls_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslog_tls_server_packets'($*)) dnl
gen_require(`
type syslog_tls_server_packet_t;
')
allow $1 syslog_tls_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive syslog_tls_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslog_tls_server_packets'($*)) dnl
gen_require(`
type syslog_tls_server_packet_t;
')
dontaudit $1 syslog_tls_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Send and receive syslog_tls_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslog_tls_server_packets'($*)) dnl
corenet_send_syslog_tls_server_packets($1)
corenet_receive_syslog_tls_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive syslog_tls_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslog_tls_server_packets'($*)) dnl
corenet_dontaudit_send_syslog_tls_server_packets($1)
corenet_dontaudit_receive_syslog_tls_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to syslog_tls_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslog_tls_server_packets'($*)) dnl
gen_require(`
type syslog_tls_server_packet_t;
')
allow $1 syslog_tls_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslog_tls_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the statsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
allow $1 statsd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_statsd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the statsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
allow $1 statsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_statsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the statsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
dontaudit $1 statsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_statsd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the statsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
allow $1 statsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_statsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the statsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
dontaudit $1 statsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_statsd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the statsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_statsd_port'($*)) dnl
corenet_udp_send_statsd_port($1)
corenet_udp_receive_statsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_statsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the statsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_statsd_port'($*)) dnl
corenet_dontaudit_udp_send_statsd_port($1)
corenet_dontaudit_udp_receive_statsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_statsd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the statsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
allow $1 statsd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_statsd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the statsd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
allow $1 statsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_statsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to statsd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
dontaudit $1 statsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_statsd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the statsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
allow $1 statsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_statsd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to statsd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_statsd_port'($*)) dnl
gen_require(`
type statsd_port_t;
')
dontaudit $1 statsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_statsd_port'($*)) dnl
')
########################################
##
## Send statsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_statsd_client_packets'($*)) dnl
gen_require(`
type statsd_client_packet_t;
')
allow $1 statsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_statsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send statsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_statsd_client_packets'($*)) dnl
gen_require(`
type statsd_client_packet_t;
')
dontaudit $1 statsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_statsd_client_packets'($*)) dnl
')
########################################
##
## Receive statsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_statsd_client_packets'($*)) dnl
gen_require(`
type statsd_client_packet_t;
')
allow $1 statsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_statsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive statsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_statsd_client_packets'($*)) dnl
gen_require(`
type statsd_client_packet_t;
')
dontaudit $1 statsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_statsd_client_packets'($*)) dnl
')
########################################
##
## Send and receive statsd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_statsd_client_packets'($*)) dnl
corenet_send_statsd_client_packets($1)
corenet_receive_statsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_statsd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive statsd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_statsd_client_packets'($*)) dnl
corenet_dontaudit_send_statsd_client_packets($1)
corenet_dontaudit_receive_statsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_statsd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to statsd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_statsd_client_packets'($*)) dnl
gen_require(`
type statsd_client_packet_t;
')
allow $1 statsd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_statsd_client_packets'($*)) dnl
')
########################################
##
## Send statsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_statsd_server_packets'($*)) dnl
gen_require(`
type statsd_server_packet_t;
')
allow $1 statsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_statsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send statsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_statsd_server_packets'($*)) dnl
gen_require(`
type statsd_server_packet_t;
')
dontaudit $1 statsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_statsd_server_packets'($*)) dnl
')
########################################
##
## Receive statsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_statsd_server_packets'($*)) dnl
gen_require(`
type statsd_server_packet_t;
')
allow $1 statsd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_statsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive statsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_statsd_server_packets'($*)) dnl
gen_require(`
type statsd_server_packet_t;
')
dontaudit $1 statsd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_statsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive statsd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_statsd_server_packets'($*)) dnl
corenet_send_statsd_server_packets($1)
corenet_receive_statsd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_statsd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive statsd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_statsd_server_packets'($*)) dnl
corenet_dontaudit_send_statsd_server_packets($1)
corenet_dontaudit_receive_statsd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_statsd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to statsd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_statsd_server_packets'($*)) dnl
gen_require(`
type statsd_server_packet_t;
')
allow $1 statsd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_statsd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tangd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
allow $1 tangd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tangd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tangd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
allow $1 tangd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tangd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tangd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
dontaudit $1 tangd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tangd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tangd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
allow $1 tangd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tangd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tangd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
dontaudit $1 tangd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tangd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tangd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tangd_port'($*)) dnl
corenet_udp_send_tangd_port($1)
corenet_udp_receive_tangd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tangd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tangd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tangd_port'($*)) dnl
corenet_dontaudit_udp_send_tangd_port($1)
corenet_dontaudit_udp_receive_tangd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tangd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tangd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
allow $1 tangd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tangd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tangd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
allow $1 tangd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tangd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to tangd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
dontaudit $1 tangd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tangd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tangd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
allow $1 tangd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tangd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to tangd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_tangd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tangd_port'($*)) dnl
gen_require(`
type tangd_port_t;
')
dontaudit $1 tangd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tangd_port'($*)) dnl
')
########################################
##
## Send tangd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tangd_client_packets'($*)) dnl
gen_require(`
type tangd_client_packet_t;
')
allow $1 tangd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tangd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tangd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tangd_client_packets'($*)) dnl
gen_require(`
type tangd_client_packet_t;
')
dontaudit $1 tangd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tangd_client_packets'($*)) dnl
')
########################################
##
## Receive tangd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tangd_client_packets'($*)) dnl
gen_require(`
type tangd_client_packet_t;
')
allow $1 tangd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tangd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tangd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tangd_client_packets'($*)) dnl
gen_require(`
type tangd_client_packet_t;
')
dontaudit $1 tangd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tangd_client_packets'($*)) dnl
')
########################################
##
## Send and receive tangd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tangd_client_packets'($*)) dnl
corenet_send_tangd_client_packets($1)
corenet_receive_tangd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tangd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tangd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tangd_client_packets'($*)) dnl
corenet_dontaudit_send_tangd_client_packets($1)
corenet_dontaudit_receive_tangd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tangd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to tangd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tangd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tangd_client_packets'($*)) dnl
gen_require(`
type tangd_client_packet_t;
')
allow $1 tangd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tangd_client_packets'($*)) dnl
')
########################################
##
## Send tangd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tangd_server_packets'($*)) dnl
gen_require(`
type tangd_server_packet_t;
')
allow $1 tangd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tangd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tangd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tangd_server_packets'($*)) dnl
gen_require(`
type tangd_server_packet_t;
')
dontaudit $1 tangd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tangd_server_packets'($*)) dnl
')
########################################
##
## Receive tangd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tangd_server_packets'($*)) dnl
gen_require(`
type tangd_server_packet_t;
')
allow $1 tangd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tangd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tangd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tangd_server_packets'($*)) dnl
gen_require(`
type tangd_server_packet_t;
')
dontaudit $1 tangd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tangd_server_packets'($*)) dnl
')
########################################
##
## Send and receive tangd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tangd_server_packets'($*)) dnl
corenet_send_tangd_server_packets($1)
corenet_receive_tangd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tangd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tangd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tangd_server_packets'($*)) dnl
corenet_dontaudit_send_tangd_server_packets($1)
corenet_dontaudit_receive_tangd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tangd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to tangd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tangd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tangd_server_packets'($*)) dnl
gen_require(`
type tangd_server_packet_t;
')
allow $1 tangd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tangd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tcs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
allow $1 tcs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tcs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tcs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
allow $1 tcs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tcs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tcs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
dontaudit $1 tcs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tcs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tcs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
allow $1 tcs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tcs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tcs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
dontaudit $1 tcs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tcs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tcs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tcs_port'($*)) dnl
corenet_udp_send_tcs_port($1)
corenet_udp_receive_tcs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tcs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tcs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tcs_port'($*)) dnl
corenet_dontaudit_udp_send_tcs_port($1)
corenet_dontaudit_udp_receive_tcs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tcs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tcs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
allow $1 tcs_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tcs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tcs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
allow $1 tcs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tcs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to tcs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
dontaudit $1 tcs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tcs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tcs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
allow $1 tcs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tcs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to tcs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_tcs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tcs_port'($*)) dnl
gen_require(`
type tcs_port_t;
')
dontaudit $1 tcs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tcs_port'($*)) dnl
')
########################################
##
## Send tcs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tcs_client_packets'($*)) dnl
gen_require(`
type tcs_client_packet_t;
')
allow $1 tcs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tcs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tcs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tcs_client_packets'($*)) dnl
gen_require(`
type tcs_client_packet_t;
')
dontaudit $1 tcs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tcs_client_packets'($*)) dnl
')
########################################
##
## Receive tcs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tcs_client_packets'($*)) dnl
gen_require(`
type tcs_client_packet_t;
')
allow $1 tcs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tcs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tcs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tcs_client_packets'($*)) dnl
gen_require(`
type tcs_client_packet_t;
')
dontaudit $1 tcs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tcs_client_packets'($*)) dnl
')
########################################
##
## Send and receive tcs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tcs_client_packets'($*)) dnl
corenet_send_tcs_client_packets($1)
corenet_receive_tcs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tcs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tcs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tcs_client_packets'($*)) dnl
corenet_dontaudit_send_tcs_client_packets($1)
corenet_dontaudit_receive_tcs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tcs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to tcs_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tcs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tcs_client_packets'($*)) dnl
gen_require(`
type tcs_client_packet_t;
')
allow $1 tcs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tcs_client_packets'($*)) dnl
')
########################################
##
## Send tcs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tcs_server_packets'($*)) dnl
gen_require(`
type tcs_server_packet_t;
')
allow $1 tcs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tcs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tcs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tcs_server_packets'($*)) dnl
gen_require(`
type tcs_server_packet_t;
')
dontaudit $1 tcs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tcs_server_packets'($*)) dnl
')
########################################
##
## Receive tcs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tcs_server_packets'($*)) dnl
gen_require(`
type tcs_server_packet_t;
')
allow $1 tcs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tcs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tcs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tcs_server_packets'($*)) dnl
gen_require(`
type tcs_server_packet_t;
')
dontaudit $1 tcs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tcs_server_packets'($*)) dnl
')
########################################
##
## Send and receive tcs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tcs_server_packets'($*)) dnl
corenet_send_tcs_server_packets($1)
corenet_receive_tcs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tcs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tcs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tcs_server_packets'($*)) dnl
corenet_dontaudit_send_tcs_server_packets($1)
corenet_dontaudit_receive_tcs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tcs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to tcs_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tcs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tcs_server_packets'($*)) dnl
gen_require(`
type tcs_server_packet_t;
')
allow $1 tcs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tcs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_telnetd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
dontaudit $1 telnetd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
dontaudit $1 telnetd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_telnetd_port'($*)) dnl
corenet_udp_send_telnetd_port($1)
corenet_udp_receive_telnetd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl
corenet_dontaudit_udp_send_telnetd_port($1)
corenet_dontaudit_udp_receive_telnetd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_telnetd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the telnetd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to telnetd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
dontaudit $1 telnetd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_telnetd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the telnetd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
allow $1 telnetd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_telnetd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to telnetd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_telnetd_port'($*)) dnl
gen_require(`
type telnetd_port_t;
')
dontaudit $1 telnetd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_telnetd_port'($*)) dnl
')
########################################
##
## Send telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
allow $1 telnetd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send telnetd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
dontaudit $1 telnetd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl
')
########################################
##
## Receive telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
allow $1 telnetd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
dontaudit $1 telnetd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl
')
########################################
##
## Send and receive telnetd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_client_packets'($*)) dnl
corenet_send_telnetd_client_packets($1)
corenet_receive_telnetd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive telnetd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl
corenet_dontaudit_send_telnetd_client_packets($1)
corenet_dontaudit_receive_telnetd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to telnetd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_client_packets'($*)) dnl
gen_require(`
type telnetd_client_packet_t;
')
allow $1 telnetd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_client_packets'($*)) dnl
')
########################################
##
## Send telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
allow $1 telnetd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send telnetd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
dontaudit $1 telnetd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl
')
########################################
##
## Receive telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
allow $1 telnetd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
dontaudit $1 telnetd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl
')
########################################
##
## Send and receive telnetd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_server_packets'($*)) dnl
corenet_send_telnetd_server_packets($1)
corenet_receive_telnetd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive telnetd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl
corenet_dontaudit_send_telnetd_server_packets($1)
corenet_dontaudit_receive_telnetd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to telnetd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_server_packets'($*)) dnl
gen_require(`
type telnetd_server_packet_t;
')
allow $1 telnetd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tftp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
dontaudit $1 tftp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tftp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
dontaudit $1 tftp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tftp_port'($*)) dnl
corenet_udp_send_tftp_port($1)
corenet_udp_receive_tftp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl
corenet_dontaudit_udp_send_tftp_port($1)
corenet_dontaudit_udp_receive_tftp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tftp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tftp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to tftp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
dontaudit $1 tftp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tftp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tftp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
allow $1 tftp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tftp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to tftp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tftp_port'($*)) dnl
gen_require(`
type tftp_port_t;
')
dontaudit $1 tftp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tftp_port'($*)) dnl
')
########################################
##
## Send tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
allow $1 tftp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
dontaudit $1 tftp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_client_packets'($*)) dnl
')
########################################
##
## Receive tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
allow $1 tftp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
dontaudit $1 tftp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl
')
########################################
##
## Send and receive tftp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_client_packets'($*)) dnl
corenet_send_tftp_client_packets($1)
corenet_receive_tftp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tftp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl
corenet_dontaudit_send_tftp_client_packets($1)
corenet_dontaudit_receive_tftp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to tftp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_client_packets'($*)) dnl
gen_require(`
type tftp_client_packet_t;
')
allow $1 tftp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_client_packets'($*)) dnl
')
########################################
##
## Send tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
allow $1 tftp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
dontaudit $1 tftp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_server_packets'($*)) dnl
')
########################################
##
## Receive tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
allow $1 tftp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
dontaudit $1 tftp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive tftp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_server_packets'($*)) dnl
corenet_send_tftp_server_packets($1)
corenet_receive_tftp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tftp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl
corenet_dontaudit_send_tftp_server_packets($1)
corenet_dontaudit_receive_tftp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to tftp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_server_packets'($*)) dnl
gen_require(`
type tftp_server_packet_t;
')
allow $1 tftp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tor_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
dontaudit $1 tor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tor_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
dontaudit $1 tor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tor_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tor_port'($*)) dnl
corenet_udp_send_tor_port($1)
corenet_udp_receive_tor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl
corenet_dontaudit_udp_send_tor_port($1)
corenet_dontaudit_udp_receive_tor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tor_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tor port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to tor port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
dontaudit $1 tor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tor_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
allow $1 tor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tor_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to tor port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tor_port'($*)) dnl
gen_require(`
type tor_port_t;
')
dontaudit $1 tor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tor_port'($*)) dnl
')
########################################
##
## Send tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
allow $1 tor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
dontaudit $1 tor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_client_packets'($*)) dnl
')
########################################
##
## Receive tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
allow $1 tor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
dontaudit $1 tor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_client_packets'($*)) dnl
')
########################################
##
## Send and receive tor_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_client_packets'($*)) dnl
corenet_send_tor_client_packets($1)
corenet_receive_tor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tor_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_client_packets'($*)) dnl
corenet_dontaudit_send_tor_client_packets($1)
corenet_dontaudit_receive_tor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to tor_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_client_packets'($*)) dnl
gen_require(`
type tor_client_packet_t;
')
allow $1 tor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_client_packets'($*)) dnl
')
########################################
##
## Send tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
allow $1 tor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
dontaudit $1 tor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_server_packets'($*)) dnl
')
########################################
##
## Receive tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
allow $1 tor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
dontaudit $1 tor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_server_packets'($*)) dnl
')
########################################
##
## Send and receive tor_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_server_packets'($*)) dnl
corenet_send_tor_server_packets($1)
corenet_receive_tor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tor_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_server_packets'($*)) dnl
corenet_dontaudit_send_tor_server_packets($1)
corenet_dontaudit_receive_tor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to tor_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_server_packets'($*)) dnl
gen_require(`
type tor_server_packet_t;
')
allow $1 tor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_traceroute_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
dontaudit $1 traceroute_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_traceroute_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
dontaudit $1 traceroute_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_traceroute_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_traceroute_port'($*)) dnl
corenet_udp_send_traceroute_port($1)
corenet_udp_receive_traceroute_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_traceroute_port'($*)) dnl
corenet_dontaudit_udp_send_traceroute_port($1)
corenet_dontaudit_udp_receive_traceroute_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_traceroute_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_traceroute_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the traceroute port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to traceroute port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
dontaudit $1 traceroute_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_traceroute_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the traceroute port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
allow $1 traceroute_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_traceroute_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to traceroute port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_traceroute_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_traceroute_port'($*)) dnl
gen_require(`
type traceroute_port_t;
')
dontaudit $1 traceroute_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_traceroute_port'($*)) dnl
')
########################################
##
## Send traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_client_packets'($*)) dnl
gen_require(`
type traceroute_client_packet_t;
')
allow $1 traceroute_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send traceroute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_client_packets'($*)) dnl
gen_require(`
type traceroute_client_packet_t;
')
dontaudit $1 traceroute_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_client_packets'($*)) dnl
')
########################################
##
## Receive traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_client_packets'($*)) dnl
gen_require(`
type traceroute_client_packet_t;
')
allow $1 traceroute_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_client_packets'($*)) dnl
gen_require(`
type traceroute_client_packet_t;
')
dontaudit $1 traceroute_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_client_packets'($*)) dnl
')
########################################
##
## Send and receive traceroute_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_client_packets'($*)) dnl
corenet_send_traceroute_client_packets($1)
corenet_receive_traceroute_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive traceroute_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_client_packets'($*)) dnl
corenet_dontaudit_send_traceroute_client_packets($1)
corenet_dontaudit_receive_traceroute_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to traceroute_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_traceroute_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_client_packets'($*)) dnl
gen_require(`
type traceroute_client_packet_t;
')
allow $1 traceroute_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_client_packets'($*)) dnl
')
########################################
##
## Send traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_server_packets'($*)) dnl
gen_require(`
type traceroute_server_packet_t;
')
allow $1 traceroute_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send traceroute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_server_packets'($*)) dnl
gen_require(`
type traceroute_server_packet_t;
')
dontaudit $1 traceroute_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_server_packets'($*)) dnl
')
########################################
##
## Receive traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_server_packets'($*)) dnl
gen_require(`
type traceroute_server_packet_t;
')
allow $1 traceroute_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_server_packets'($*)) dnl
gen_require(`
type traceroute_server_packet_t;
')
dontaudit $1 traceroute_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_server_packets'($*)) dnl
')
########################################
##
## Send and receive traceroute_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_server_packets'($*)) dnl
corenet_send_traceroute_server_packets($1)
corenet_receive_traceroute_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive traceroute_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_server_packets'($*)) dnl
corenet_dontaudit_send_traceroute_server_packets($1)
corenet_dontaudit_receive_traceroute_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to traceroute_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_traceroute_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_server_packets'($*)) dnl
gen_require(`
type traceroute_server_packet_t;
')
allow $1 traceroute_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the tram port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
allow $1 tram_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tram_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the tram port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
allow $1 tram_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tram_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the tram port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
dontaudit $1 tram_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tram_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the tram port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
allow $1 tram_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tram_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the tram port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
dontaudit $1 tram_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tram_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the tram port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tram_port'($*)) dnl
corenet_udp_send_tram_port($1)
corenet_udp_receive_tram_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tram_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the tram port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tram_port'($*)) dnl
corenet_dontaudit_udp_send_tram_port($1)
corenet_dontaudit_udp_receive_tram_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tram_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the tram port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
allow $1 tram_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tram_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the tram port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
allow $1 tram_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tram_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to tram port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
dontaudit $1 tram_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tram_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the tram port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
allow $1 tram_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tram_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to tram port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_tram_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tram_port'($*)) dnl
gen_require(`
type tram_port_t;
')
dontaudit $1 tram_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tram_port'($*)) dnl
')
########################################
##
## Send tram_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tram_client_packets'($*)) dnl
gen_require(`
type tram_client_packet_t;
')
allow $1 tram_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tram_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tram_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tram_client_packets'($*)) dnl
gen_require(`
type tram_client_packet_t;
')
dontaudit $1 tram_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tram_client_packets'($*)) dnl
')
########################################
##
## Receive tram_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tram_client_packets'($*)) dnl
gen_require(`
type tram_client_packet_t;
')
allow $1 tram_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tram_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tram_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tram_client_packets'($*)) dnl
gen_require(`
type tram_client_packet_t;
')
dontaudit $1 tram_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tram_client_packets'($*)) dnl
')
########################################
##
## Send and receive tram_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tram_client_packets'($*)) dnl
corenet_send_tram_client_packets($1)
corenet_receive_tram_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tram_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tram_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tram_client_packets'($*)) dnl
corenet_dontaudit_send_tram_client_packets($1)
corenet_dontaudit_receive_tram_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tram_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to tram_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tram_client_packets'($*)) dnl
gen_require(`
type tram_client_packet_t;
')
allow $1 tram_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tram_client_packets'($*)) dnl
')
########################################
##
## Send tram_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tram_server_packets'($*)) dnl
gen_require(`
type tram_server_packet_t;
')
allow $1 tram_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tram_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send tram_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tram_server_packets'($*)) dnl
gen_require(`
type tram_server_packet_t;
')
dontaudit $1 tram_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tram_server_packets'($*)) dnl
')
########################################
##
## Receive tram_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tram_server_packets'($*)) dnl
gen_require(`
type tram_server_packet_t;
')
allow $1 tram_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tram_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive tram_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tram_server_packets'($*)) dnl
gen_require(`
type tram_server_packet_t;
')
dontaudit $1 tram_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tram_server_packets'($*)) dnl
')
########################################
##
## Send and receive tram_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tram_server_packets'($*)) dnl
corenet_send_tram_server_packets($1)
corenet_receive_tram_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tram_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive tram_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tram_server_packets'($*)) dnl
corenet_dontaudit_send_tram_server_packets($1)
corenet_dontaudit_receive_tram_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tram_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to tram_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tram_server_packets'($*)) dnl
gen_require(`
type tram_server_packet_t;
')
allow $1 tram_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tram_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_transproxy_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
dontaudit $1 transproxy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
dontaudit $1 transproxy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_transproxy_port'($*)) dnl
corenet_udp_send_transproxy_port($1)
corenet_udp_receive_transproxy_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl
corenet_dontaudit_udp_send_transproxy_port($1)
corenet_dontaudit_udp_receive_transproxy_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_transproxy_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the transproxy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to transproxy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
dontaudit $1 transproxy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_transproxy_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the transproxy port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
allow $1 transproxy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_transproxy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to transproxy port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_transproxy_port'($*)) dnl
gen_require(`
type transproxy_port_t;
')
dontaudit $1 transproxy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_transproxy_port'($*)) dnl
')
########################################
##
## Send transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_client_packets'($*)) dnl
gen_require(`
type transproxy_client_packet_t;
')
allow $1 transproxy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send transproxy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl
gen_require(`
type transproxy_client_packet_t;
')
dontaudit $1 transproxy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl
')
########################################
##
## Receive transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_client_packets'($*)) dnl
gen_require(`
type transproxy_client_packet_t;
')
allow $1 transproxy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl
gen_require(`
type transproxy_client_packet_t;
')
dontaudit $1 transproxy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl
')
########################################
##
## Send and receive transproxy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_client_packets'($*)) dnl
corenet_send_transproxy_client_packets($1)
corenet_receive_transproxy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive transproxy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl
corenet_dontaudit_send_transproxy_client_packets($1)
corenet_dontaudit_receive_transproxy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to transproxy_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_client_packets'($*)) dnl
gen_require(`
type transproxy_client_packet_t;
')
allow $1 transproxy_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_client_packets'($*)) dnl
')
########################################
##
## Send transproxy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
allow $1 transproxy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send transproxy_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
dontaudit $1 transproxy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl
')
########################################
##
## Receive transproxy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
allow $1 transproxy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive transproxy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
dontaudit $1 transproxy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl
')
########################################
##
## Send and receive transproxy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_server_packets'($*)) dnl
corenet_send_transproxy_server_packets($1)
corenet_receive_transproxy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive transproxy_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl
corenet_dontaudit_send_transproxy_server_packets($1)
corenet_dontaudit_receive_transproxy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to transproxy_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_server_packets'($*)) dnl
gen_require(`
type transproxy_server_packet_t;
')
allow $1 transproxy_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the trisoap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
allow $1 trisoap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_trisoap_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the trisoap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
allow $1 trisoap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_trisoap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the trisoap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
dontaudit $1 trisoap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_trisoap_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the trisoap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
allow $1 trisoap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_trisoap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the trisoap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
dontaudit $1 trisoap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_trisoap_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the trisoap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_trisoap_port'($*)) dnl
corenet_udp_send_trisoap_port($1)
corenet_udp_receive_trisoap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_trisoap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the trisoap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_trisoap_port'($*)) dnl
corenet_dontaudit_udp_send_trisoap_port($1)
corenet_dontaudit_udp_receive_trisoap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_trisoap_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the trisoap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
allow $1 trisoap_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_trisoap_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the trisoap port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
allow $1 trisoap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_trisoap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to trisoap port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
dontaudit $1 trisoap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_trisoap_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the trisoap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
allow $1 trisoap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_trisoap_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to trisoap port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_trisoap_port'($*)) dnl
gen_require(`
type trisoap_port_t;
')
dontaudit $1 trisoap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_trisoap_port'($*)) dnl
')
########################################
##
## Send trisoap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trisoap_client_packets'($*)) dnl
gen_require(`
type trisoap_client_packet_t;
')
allow $1 trisoap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trisoap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send trisoap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trisoap_client_packets'($*)) dnl
gen_require(`
type trisoap_client_packet_t;
')
dontaudit $1 trisoap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trisoap_client_packets'($*)) dnl
')
########################################
##
## Receive trisoap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trisoap_client_packets'($*)) dnl
gen_require(`
type trisoap_client_packet_t;
')
allow $1 trisoap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trisoap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive trisoap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trisoap_client_packets'($*)) dnl
gen_require(`
type trisoap_client_packet_t;
')
dontaudit $1 trisoap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trisoap_client_packets'($*)) dnl
')
########################################
##
## Send and receive trisoap_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trisoap_client_packets'($*)) dnl
corenet_send_trisoap_client_packets($1)
corenet_receive_trisoap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trisoap_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive trisoap_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trisoap_client_packets'($*)) dnl
corenet_dontaudit_send_trisoap_client_packets($1)
corenet_dontaudit_receive_trisoap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trisoap_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to trisoap_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trisoap_client_packets'($*)) dnl
gen_require(`
type trisoap_client_packet_t;
')
allow $1 trisoap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trisoap_client_packets'($*)) dnl
')
########################################
##
## Send trisoap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trisoap_server_packets'($*)) dnl
gen_require(`
type trisoap_server_packet_t;
')
allow $1 trisoap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trisoap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send trisoap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trisoap_server_packets'($*)) dnl
gen_require(`
type trisoap_server_packet_t;
')
dontaudit $1 trisoap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trisoap_server_packets'($*)) dnl
')
########################################
##
## Receive trisoap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trisoap_server_packets'($*)) dnl
gen_require(`
type trisoap_server_packet_t;
')
allow $1 trisoap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trisoap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive trisoap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trisoap_server_packets'($*)) dnl
gen_require(`
type trisoap_server_packet_t;
')
dontaudit $1 trisoap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trisoap_server_packets'($*)) dnl
')
########################################
##
## Send and receive trisoap_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trisoap_server_packets'($*)) dnl
corenet_send_trisoap_server_packets($1)
corenet_receive_trisoap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trisoap_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive trisoap_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trisoap_server_packets'($*)) dnl
corenet_dontaudit_send_trisoap_server_packets($1)
corenet_dontaudit_receive_trisoap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trisoap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to trisoap_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trisoap_server_packets'($*)) dnl
gen_require(`
type trisoap_server_packet_t;
')
allow $1 trisoap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trisoap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
allow $1 trivnet1_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_trivnet1_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
allow $1 trivnet1_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_trivnet1_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the trivnet1 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
dontaudit $1 trivnet1_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_trivnet1_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
allow $1 trivnet1_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_trivnet1_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the trivnet1 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
dontaudit $1 trivnet1_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_trivnet1_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_trivnet1_port'($*)) dnl
corenet_udp_send_trivnet1_port($1)
corenet_udp_receive_trivnet1_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_trivnet1_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the trivnet1 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_trivnet1_port'($*)) dnl
corenet_dontaudit_udp_send_trivnet1_port($1)
corenet_dontaudit_udp_receive_trivnet1_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_trivnet1_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
allow $1 trivnet1_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_trivnet1_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
allow $1 trivnet1_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_trivnet1_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to trivnet1 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
dontaudit $1 trivnet1_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_trivnet1_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the trivnet1 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
allow $1 trivnet1_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_trivnet1_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to trivnet1 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_trivnet1_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_trivnet1_port'($*)) dnl
gen_require(`
type trivnet1_port_t;
')
dontaudit $1 trivnet1_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_trivnet1_port'($*)) dnl
')
########################################
##
## Send trivnet1_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trivnet1_client_packets'($*)) dnl
gen_require(`
type trivnet1_client_packet_t;
')
allow $1 trivnet1_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send trivnet1_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trivnet1_client_packets'($*)) dnl
gen_require(`
type trivnet1_client_packet_t;
')
dontaudit $1 trivnet1_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Receive trivnet1_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trivnet1_client_packets'($*)) dnl
gen_require(`
type trivnet1_client_packet_t;
')
allow $1 trivnet1_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive trivnet1_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trivnet1_client_packets'($*)) dnl
gen_require(`
type trivnet1_client_packet_t;
')
dontaudit $1 trivnet1_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Send and receive trivnet1_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trivnet1_client_packets'($*)) dnl
corenet_send_trivnet1_client_packets($1)
corenet_receive_trivnet1_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive trivnet1_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trivnet1_client_packets'($*)) dnl
corenet_dontaudit_send_trivnet1_client_packets($1)
corenet_dontaudit_receive_trivnet1_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to trivnet1_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_trivnet1_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trivnet1_client_packets'($*)) dnl
gen_require(`
type trivnet1_client_packet_t;
')
allow $1 trivnet1_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trivnet1_client_packets'($*)) dnl
')
########################################
##
## Send trivnet1_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trivnet1_server_packets'($*)) dnl
gen_require(`
type trivnet1_server_packet_t;
')
allow $1 trivnet1_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send trivnet1_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trivnet1_server_packets'($*)) dnl
gen_require(`
type trivnet1_server_packet_t;
')
dontaudit $1 trivnet1_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Receive trivnet1_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trivnet1_server_packets'($*)) dnl
gen_require(`
type trivnet1_server_packet_t;
')
allow $1 trivnet1_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive trivnet1_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trivnet1_server_packets'($*)) dnl
gen_require(`
type trivnet1_server_packet_t;
')
dontaudit $1 trivnet1_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Send and receive trivnet1_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trivnet1_server_packets'($*)) dnl
corenet_send_trivnet1_server_packets($1)
corenet_receive_trivnet1_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive trivnet1_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trivnet1_server_packets'($*)) dnl
corenet_dontaudit_send_trivnet1_server_packets($1)
corenet_dontaudit_receive_trivnet1_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to trivnet1_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_trivnet1_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trivnet1_server_packets'($*)) dnl
gen_require(`
type trivnet1_server_packet_t;
')
allow $1 trivnet1_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trivnet1_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the ups port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
allow $1 ups_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ups_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the ups port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
allow $1 ups_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ups_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the ups port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
dontaudit $1 ups_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ups_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the ups port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
allow $1 ups_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ups_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the ups port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
dontaudit $1 ups_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ups_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the ups port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ups_port'($*)) dnl
corenet_udp_send_ups_port($1)
corenet_udp_receive_ups_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ups_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the ups port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ups_port'($*)) dnl
corenet_dontaudit_udp_send_ups_port($1)
corenet_dontaudit_udp_receive_ups_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ups_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the ups port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
allow $1 ups_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ups_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the ups port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
allow $1 ups_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ups_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to ups port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
dontaudit $1 ups_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ups_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the ups port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
allow $1 ups_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ups_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to ups port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_ups_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ups_port'($*)) dnl
gen_require(`
type ups_port_t;
')
dontaudit $1 ups_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ups_port'($*)) dnl
')
########################################
##
## Send ups_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ups_client_packets'($*)) dnl
gen_require(`
type ups_client_packet_t;
')
allow $1 ups_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ups_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ups_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ups_client_packets'($*)) dnl
gen_require(`
type ups_client_packet_t;
')
dontaudit $1 ups_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ups_client_packets'($*)) dnl
')
########################################
##
## Receive ups_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ups_client_packets'($*)) dnl
gen_require(`
type ups_client_packet_t;
')
allow $1 ups_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ups_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ups_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ups_client_packets'($*)) dnl
gen_require(`
type ups_client_packet_t;
')
dontaudit $1 ups_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ups_client_packets'($*)) dnl
')
########################################
##
## Send and receive ups_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ups_client_packets'($*)) dnl
corenet_send_ups_client_packets($1)
corenet_receive_ups_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ups_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ups_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ups_client_packets'($*)) dnl
corenet_dontaudit_send_ups_client_packets($1)
corenet_dontaudit_receive_ups_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ups_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to ups_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ups_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ups_client_packets'($*)) dnl
gen_require(`
type ups_client_packet_t;
')
allow $1 ups_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ups_client_packets'($*)) dnl
')
########################################
##
## Send ups_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ups_server_packets'($*)) dnl
gen_require(`
type ups_server_packet_t;
')
allow $1 ups_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ups_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send ups_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ups_server_packets'($*)) dnl
gen_require(`
type ups_server_packet_t;
')
dontaudit $1 ups_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ups_server_packets'($*)) dnl
')
########################################
##
## Receive ups_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ups_server_packets'($*)) dnl
gen_require(`
type ups_server_packet_t;
')
allow $1 ups_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ups_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive ups_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ups_server_packets'($*)) dnl
gen_require(`
type ups_server_packet_t;
')
dontaudit $1 ups_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ups_server_packets'($*)) dnl
')
########################################
##
## Send and receive ups_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ups_server_packets'($*)) dnl
corenet_send_ups_server_packets($1)
corenet_receive_ups_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ups_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive ups_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ups_server_packets'($*)) dnl
corenet_dontaudit_send_ups_server_packets($1)
corenet_dontaudit_receive_ups_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ups_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to ups_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_ups_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ups_server_packets'($*)) dnl
gen_require(`
type ups_server_packet_t;
')
allow $1 ups_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ups_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the utcpserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
allow $1 utcpserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_utcpserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the utcpserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
allow $1 utcpserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_utcpserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the utcpserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
dontaudit $1 utcpserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_utcpserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the utcpserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
allow $1 utcpserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_utcpserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the utcpserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
dontaudit $1 utcpserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_utcpserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the utcpserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_utcpserver_port'($*)) dnl
corenet_udp_send_utcpserver_port($1)
corenet_udp_receive_utcpserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_utcpserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the utcpserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_utcpserver_port'($*)) dnl
corenet_dontaudit_udp_send_utcpserver_port($1)
corenet_dontaudit_udp_receive_utcpserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_utcpserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the utcpserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
allow $1 utcpserver_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_utcpserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the utcpserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
allow $1 utcpserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_utcpserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to utcpserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
dontaudit $1 utcpserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_utcpserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the utcpserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
allow $1 utcpserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_utcpserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to utcpserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_utcpserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_utcpserver_port'($*)) dnl
gen_require(`
type utcpserver_port_t;
')
dontaudit $1 utcpserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_utcpserver_port'($*)) dnl
')
########################################
##
## Send utcpserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_utcpserver_client_packets'($*)) dnl
gen_require(`
type utcpserver_client_packet_t;
')
allow $1 utcpserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send utcpserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_utcpserver_client_packets'($*)) dnl
gen_require(`
type utcpserver_client_packet_t;
')
dontaudit $1 utcpserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Receive utcpserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_utcpserver_client_packets'($*)) dnl
gen_require(`
type utcpserver_client_packet_t;
')
allow $1 utcpserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive utcpserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_utcpserver_client_packets'($*)) dnl
gen_require(`
type utcpserver_client_packet_t;
')
dontaudit $1 utcpserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive utcpserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_utcpserver_client_packets'($*)) dnl
corenet_send_utcpserver_client_packets($1)
corenet_receive_utcpserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive utcpserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_utcpserver_client_packets'($*)) dnl
corenet_dontaudit_send_utcpserver_client_packets($1)
corenet_dontaudit_receive_utcpserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to utcpserver_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_utcpserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_utcpserver_client_packets'($*)) dnl
gen_require(`
type utcpserver_client_packet_t;
')
allow $1 utcpserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_utcpserver_client_packets'($*)) dnl
')
########################################
##
## Send utcpserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_utcpserver_server_packets'($*)) dnl
gen_require(`
type utcpserver_server_packet_t;
')
allow $1 utcpserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_utcpserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send utcpserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_utcpserver_server_packets'($*)) dnl
gen_require(`
type utcpserver_server_packet_t;
')
dontaudit $1 utcpserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_utcpserver_server_packets'($*)) dnl
')
########################################
##
## Receive utcpserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_utcpserver_server_packets'($*)) dnl
gen_require(`
type utcpserver_server_packet_t;
')
allow $1 utcpserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_utcpserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive utcpserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_utcpserver_server_packets'($*)) dnl
gen_require(`
type utcpserver_server_packet_t;
')
dontaudit $1 utcpserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_utcpserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive utcpserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_utcpserver_server_packets'($*)) dnl
corenet_send_utcpserver_server_packets($1)
corenet_receive_utcpserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_utcpserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive utcpserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_utcpserver_server_packets'($*)) dnl
corenet_dontaudit_send_utcpserver_server_packets($1)
corenet_dontaudit_receive_utcpserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_utcpserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to utcpserver_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_utcpserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_utcpserver_server_packets'($*)) dnl
gen_require(`
type utcpserver_server_packet_t;
')
allow $1 utcpserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_utcpserver_server_packets'($*)) dnl
')
# no defined portcon
########################################
##
## Send and receive TCP traffic on the uucpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_uucpd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the uucpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the uucpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
dontaudit $1 uucpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the uucpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the uucpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
dontaudit $1 uucpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the uucpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_uucpd_port'($*)) dnl
corenet_udp_send_uucpd_port($1)
corenet_udp_receive_uucpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the uucpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl
corenet_dontaudit_udp_send_uucpd_port($1)
corenet_dontaudit_udp_receive_uucpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the uucpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_uucpd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the uucpd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to uucpd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
dontaudit $1 uucpd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_uucpd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the uucpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
allow $1 uucpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_uucpd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to uucpd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_uucpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_uucpd_port'($*)) dnl
gen_require(`
type uucpd_port_t;
')
dontaudit $1 uucpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_uucpd_port'($*)) dnl
')
########################################
##
## Send uucpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
allow $1 uucpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send uucpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
dontaudit $1 uucpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl
')
########################################
##
## Receive uucpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
allow $1 uucpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive uucpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
dontaudit $1 uucpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl
')
########################################
##
## Send and receive uucpd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_client_packets'($*)) dnl
corenet_send_uucpd_client_packets($1)
corenet_receive_uucpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive uucpd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl
corenet_dontaudit_send_uucpd_client_packets($1)
corenet_dontaudit_receive_uucpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to uucpd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_uucpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_client_packets'($*)) dnl
gen_require(`
type uucpd_client_packet_t;
')
allow $1 uucpd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_client_packets'($*)) dnl
')
########################################
##
## Send uucpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
allow $1 uucpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send uucpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
dontaudit $1 uucpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl
')
########################################
##
## Receive uucpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
allow $1 uucpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive uucpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
dontaudit $1 uucpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive uucpd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_server_packets'($*)) dnl
corenet_send_uucpd_server_packets($1)
corenet_receive_uucpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive uucpd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl
corenet_dontaudit_send_uucpd_server_packets($1)
corenet_dontaudit_receive_uucpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to uucpd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_uucpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_server_packets'($*)) dnl
gen_require(`
type uucpd_server_packet_t;
')
allow $1 uucpd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the us_cli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
allow $1 us_cli_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_us_cli_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the us_cli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
allow $1 us_cli_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_us_cli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the us_cli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
dontaudit $1 us_cli_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_us_cli_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the us_cli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
allow $1 us_cli_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_us_cli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the us_cli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
dontaudit $1 us_cli_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_us_cli_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the us_cli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_us_cli_port'($*)) dnl
corenet_udp_send_us_cli_port($1)
corenet_udp_receive_us_cli_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_us_cli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the us_cli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_us_cli_port'($*)) dnl
corenet_dontaudit_udp_send_us_cli_port($1)
corenet_dontaudit_udp_receive_us_cli_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_us_cli_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the us_cli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
allow $1 us_cli_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_us_cli_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the us_cli port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
allow $1 us_cli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_us_cli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to us_cli port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
dontaudit $1 us_cli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_us_cli_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the us_cli port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
allow $1 us_cli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_us_cli_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to us_cli port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_us_cli_port'($*)) dnl
gen_require(`
type us_cli_port_t;
')
dontaudit $1 us_cli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_us_cli_port'($*)) dnl
')
########################################
##
## Send us_cli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_us_cli_client_packets'($*)) dnl
gen_require(`
type us_cli_client_packet_t;
')
allow $1 us_cli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_us_cli_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send us_cli_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_us_cli_client_packets'($*)) dnl
gen_require(`
type us_cli_client_packet_t;
')
dontaudit $1 us_cli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_us_cli_client_packets'($*)) dnl
')
########################################
##
## Receive us_cli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_us_cli_client_packets'($*)) dnl
gen_require(`
type us_cli_client_packet_t;
')
allow $1 us_cli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_us_cli_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive us_cli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_us_cli_client_packets'($*)) dnl
gen_require(`
type us_cli_client_packet_t;
')
dontaudit $1 us_cli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_us_cli_client_packets'($*)) dnl
')
########################################
##
## Send and receive us_cli_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_us_cli_client_packets'($*)) dnl
corenet_send_us_cli_client_packets($1)
corenet_receive_us_cli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_us_cli_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive us_cli_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_us_cli_client_packets'($*)) dnl
corenet_dontaudit_send_us_cli_client_packets($1)
corenet_dontaudit_receive_us_cli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_us_cli_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to us_cli_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_us_cli_client_packets'($*)) dnl
gen_require(`
type us_cli_client_packet_t;
')
allow $1 us_cli_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_us_cli_client_packets'($*)) dnl
')
########################################
##
## Send us_cli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_us_cli_server_packets'($*)) dnl
gen_require(`
type us_cli_server_packet_t;
')
allow $1 us_cli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_us_cli_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send us_cli_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_us_cli_server_packets'($*)) dnl
gen_require(`
type us_cli_server_packet_t;
')
dontaudit $1 us_cli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_us_cli_server_packets'($*)) dnl
')
########################################
##
## Receive us_cli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_us_cli_server_packets'($*)) dnl
gen_require(`
type us_cli_server_packet_t;
')
allow $1 us_cli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_us_cli_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive us_cli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_us_cli_server_packets'($*)) dnl
gen_require(`
type us_cli_server_packet_t;
')
dontaudit $1 us_cli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_us_cli_server_packets'($*)) dnl
')
########################################
##
## Send and receive us_cli_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_us_cli_server_packets'($*)) dnl
corenet_send_us_cli_server_packets($1)
corenet_receive_us_cli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_us_cli_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive us_cli_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_us_cli_server_packets'($*)) dnl
corenet_dontaudit_send_us_cli_server_packets($1)
corenet_dontaudit_receive_us_cli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_us_cli_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to us_cli_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_us_cli_server_packets'($*)) dnl
gen_require(`
type us_cli_server_packet_t;
')
allow $1 us_cli_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_us_cli_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the varnishd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
allow $1 varnishd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_varnishd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the varnishd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
allow $1 varnishd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_varnishd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the varnishd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
dontaudit $1 varnishd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_varnishd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the varnishd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
allow $1 varnishd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_varnishd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the varnishd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
dontaudit $1 varnishd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_varnishd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the varnishd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_varnishd_port'($*)) dnl
corenet_udp_send_varnishd_port($1)
corenet_udp_receive_varnishd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_varnishd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the varnishd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_varnishd_port'($*)) dnl
corenet_dontaudit_udp_send_varnishd_port($1)
corenet_dontaudit_udp_receive_varnishd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_varnishd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the varnishd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
allow $1 varnishd_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_varnishd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the varnishd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
allow $1 varnishd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_varnishd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to varnishd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
dontaudit $1 varnishd_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_varnishd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the varnishd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
allow $1 varnishd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_varnishd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to varnishd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_varnishd_port'($*)) dnl
gen_require(`
type varnishd_port_t;
')
dontaudit $1 varnishd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_varnishd_port'($*)) dnl
')
########################################
##
## Send varnishd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_varnishd_client_packets'($*)) dnl
gen_require(`
type varnishd_client_packet_t;
')
allow $1 varnishd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_varnishd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send varnishd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_varnishd_client_packets'($*)) dnl
gen_require(`
type varnishd_client_packet_t;
')
dontaudit $1 varnishd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_varnishd_client_packets'($*)) dnl
')
########################################
##
## Receive varnishd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_varnishd_client_packets'($*)) dnl
gen_require(`
type varnishd_client_packet_t;
')
allow $1 varnishd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_varnishd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive varnishd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_varnishd_client_packets'($*)) dnl
gen_require(`
type varnishd_client_packet_t;
')
dontaudit $1 varnishd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_varnishd_client_packets'($*)) dnl
')
########################################
##
## Send and receive varnishd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_varnishd_client_packets'($*)) dnl
corenet_send_varnishd_client_packets($1)
corenet_receive_varnishd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_varnishd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive varnishd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_varnishd_client_packets'($*)) dnl
corenet_dontaudit_send_varnishd_client_packets($1)
corenet_dontaudit_receive_varnishd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_varnishd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to varnishd_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_varnishd_client_packets'($*)) dnl
gen_require(`
type varnishd_client_packet_t;
')
allow $1 varnishd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_varnishd_client_packets'($*)) dnl
')
########################################
##
## Send varnishd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_varnishd_server_packets'($*)) dnl
gen_require(`
type varnishd_server_packet_t;
')
allow $1 varnishd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_varnishd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send varnishd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_varnishd_server_packets'($*)) dnl
gen_require(`
type varnishd_server_packet_t;
')
dontaudit $1 varnishd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_varnishd_server_packets'($*)) dnl
')
########################################
##
## Receive varnishd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_varnishd_server_packets'($*)) dnl
gen_require(`
type varnishd_server_packet_t;
')
allow $1 varnishd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_varnishd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive varnishd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_varnishd_server_packets'($*)) dnl
gen_require(`
type varnishd_server_packet_t;
')
dontaudit $1 varnishd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_varnishd_server_packets'($*)) dnl
')
########################################
##
## Send and receive varnishd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_varnishd_server_packets'($*)) dnl
corenet_send_varnishd_server_packets($1)
corenet_receive_varnishd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_varnishd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive varnishd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_varnishd_server_packets'($*)) dnl
corenet_dontaudit_send_varnishd_server_packets($1)
corenet_dontaudit_receive_varnishd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_varnishd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to varnishd_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_varnishd_server_packets'($*)) dnl
gen_require(`
type varnishd_server_packet_t;
')
allow $1 varnishd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_varnishd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the versa_tek port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
allow $1 versa_tek_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_versa_tek_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the versa_tek port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
allow $1 versa_tek_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_versa_tek_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the versa_tek port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
dontaudit $1 versa_tek_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_versa_tek_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the versa_tek port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
allow $1 versa_tek_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_versa_tek_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the versa_tek port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
dontaudit $1 versa_tek_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_versa_tek_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the versa_tek port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_versa_tek_port'($*)) dnl
corenet_udp_send_versa_tek_port($1)
corenet_udp_receive_versa_tek_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_versa_tek_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the versa_tek port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_versa_tek_port'($*)) dnl
corenet_dontaudit_udp_send_versa_tek_port($1)
corenet_dontaudit_udp_receive_versa_tek_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_versa_tek_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the versa_tek port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
allow $1 versa_tek_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_versa_tek_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the versa_tek port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
allow $1 versa_tek_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_versa_tek_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to versa_tek port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
dontaudit $1 versa_tek_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_versa_tek_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the versa_tek port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
allow $1 versa_tek_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_versa_tek_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to versa_tek port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_versa_tek_port'($*)) dnl
gen_require(`
type versa_tek_port_t;
')
dontaudit $1 versa_tek_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_versa_tek_port'($*)) dnl
')
########################################
##
## Send versa_tek_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_versa_tek_client_packets'($*)) dnl
gen_require(`
type versa_tek_client_packet_t;
')
allow $1 versa_tek_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send versa_tek_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_versa_tek_client_packets'($*)) dnl
gen_require(`
type versa_tek_client_packet_t;
')
dontaudit $1 versa_tek_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Receive versa_tek_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_versa_tek_client_packets'($*)) dnl
gen_require(`
type versa_tek_client_packet_t;
')
allow $1 versa_tek_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive versa_tek_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_versa_tek_client_packets'($*)) dnl
gen_require(`
type versa_tek_client_packet_t;
')
dontaudit $1 versa_tek_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Send and receive versa_tek_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_versa_tek_client_packets'($*)) dnl
corenet_send_versa_tek_client_packets($1)
corenet_receive_versa_tek_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive versa_tek_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_versa_tek_client_packets'($*)) dnl
corenet_dontaudit_send_versa_tek_client_packets($1)
corenet_dontaudit_receive_versa_tek_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to versa_tek_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_versa_tek_client_packets'($*)) dnl
gen_require(`
type versa_tek_client_packet_t;
')
allow $1 versa_tek_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_versa_tek_client_packets'($*)) dnl
')
########################################
##
## Send versa_tek_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_versa_tek_server_packets'($*)) dnl
gen_require(`
type versa_tek_server_packet_t;
')
allow $1 versa_tek_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send versa_tek_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_versa_tek_server_packets'($*)) dnl
gen_require(`
type versa_tek_server_packet_t;
')
dontaudit $1 versa_tek_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Receive versa_tek_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_versa_tek_server_packets'($*)) dnl
gen_require(`
type versa_tek_server_packet_t;
')
allow $1 versa_tek_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive versa_tek_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_versa_tek_server_packets'($*)) dnl
gen_require(`
type versa_tek_server_packet_t;
')
dontaudit $1 versa_tek_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Send and receive versa_tek_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_versa_tek_server_packets'($*)) dnl
corenet_send_versa_tek_server_packets($1)
corenet_receive_versa_tek_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive versa_tek_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_versa_tek_server_packets'($*)) dnl
corenet_dontaudit_send_versa_tek_server_packets($1)
corenet_dontaudit_receive_versa_tek_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to versa_tek_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_versa_tek_server_packets'($*)) dnl
gen_require(`
type versa_tek_server_packet_t;
')
allow $1 versa_tek_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_versa_tek_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the virt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the virt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the virt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
dontaudit $1 virt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the virt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the virt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
dontaudit $1 virt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the virt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_port'($*)) dnl
corenet_udp_send_virt_port($1)
corenet_udp_receive_virt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the virt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl
corenet_dontaudit_udp_send_virt_port($1)
corenet_dontaudit_udp_receive_virt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the virt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the virt port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to virt port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
dontaudit $1 virt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_virt_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the virt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
allow $1 virt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to virt port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_virt_port'($*)) dnl
gen_require(`
type virt_port_t;
')
dontaudit $1 virt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_virt_port'($*)) dnl
')
########################################
##
## Send virt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
allow $1 virt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
dontaudit $1 virt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_client_packets'($*)) dnl
')
########################################
##
## Receive virt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
allow $1 virt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
dontaudit $1 virt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_client_packets'($*)) dnl
')
########################################
##
## Send and receive virt_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_client_packets'($*)) dnl
corenet_send_virt_client_packets($1)
corenet_receive_virt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virt_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl
corenet_dontaudit_send_virt_client_packets($1)
corenet_dontaudit_receive_virt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to virt_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_client_packets'($*)) dnl
gen_require(`
type virt_client_packet_t;
')
allow $1 virt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_client_packets'($*)) dnl
')
########################################
##
## Send virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_server_packets'($*)) dnl
gen_require(`
type virt_server_packet_t;
')
allow $1 virt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_server_packets'($*)) dnl
gen_require(`
type virt_server_packet_t;
')
dontaudit $1 virt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_server_packets'($*)) dnl
')
########################################
##
## Receive virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_server_packets'($*)) dnl
gen_require(`
type virt_server_packet_t;
')
allow $1 virt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_server_packets'($*)) dnl
gen_require(`
type virt_server_packet_t;
')
dontaudit $1 virt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_server_packets'($*)) dnl
')
########################################
##
## Send and receive virt_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_server_packets'($*)) dnl
corenet_send_virt_server_packets($1)
corenet_receive_virt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virt_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl
corenet_dontaudit_send_virt_server_packets($1)
corenet_dontaudit_receive_virt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to virt_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_server_packets'($*)) dnl
gen_require(`
type virt_server_packet_t;
')
allow $1 virt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the virtual_places port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
allow $1 virtual_places_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virtual_places_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the virtual_places port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
allow $1 virtual_places_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virtual_places_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the virtual_places port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
dontaudit $1 virtual_places_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virtual_places_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the virtual_places port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
allow $1 virtual_places_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virtual_places_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the virtual_places port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
dontaudit $1 virtual_places_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virtual_places_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the virtual_places port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virtual_places_port'($*)) dnl
corenet_udp_send_virtual_places_port($1)
corenet_udp_receive_virtual_places_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virtual_places_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the virtual_places port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virtual_places_port'($*)) dnl
corenet_dontaudit_udp_send_virtual_places_port($1)
corenet_dontaudit_udp_receive_virtual_places_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virtual_places_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the virtual_places port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
allow $1 virtual_places_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virtual_places_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the virtual_places port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
allow $1 virtual_places_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virtual_places_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to virtual_places port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
dontaudit $1 virtual_places_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_virtual_places_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the virtual_places port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
allow $1 virtual_places_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virtual_places_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to virtual_places port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_virtual_places_port'($*)) dnl
gen_require(`
type virtual_places_port_t;
')
dontaudit $1 virtual_places_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_virtual_places_port'($*)) dnl
')
########################################
##
## Send virtual_places_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virtual_places_client_packets'($*)) dnl
gen_require(`
type virtual_places_client_packet_t;
')
allow $1 virtual_places_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virtual_places_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virtual_places_client_packets'($*)) dnl
gen_require(`
type virtual_places_client_packet_t;
')
dontaudit $1 virtual_places_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Receive virtual_places_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virtual_places_client_packets'($*)) dnl
gen_require(`
type virtual_places_client_packet_t;
')
allow $1 virtual_places_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virtual_places_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virtual_places_client_packets'($*)) dnl
gen_require(`
type virtual_places_client_packet_t;
')
dontaudit $1 virtual_places_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Send and receive virtual_places_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virtual_places_client_packets'($*)) dnl
corenet_send_virtual_places_client_packets($1)
corenet_receive_virtual_places_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virtual_places_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virtual_places_client_packets'($*)) dnl
corenet_dontaudit_send_virtual_places_client_packets($1)
corenet_dontaudit_receive_virtual_places_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to virtual_places_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virtual_places_client_packets'($*)) dnl
gen_require(`
type virtual_places_client_packet_t;
')
allow $1 virtual_places_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virtual_places_client_packets'($*)) dnl
')
########################################
##
## Send virtual_places_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virtual_places_server_packets'($*)) dnl
gen_require(`
type virtual_places_server_packet_t;
')
allow $1 virtual_places_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virtual_places_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virtual_places_server_packets'($*)) dnl
gen_require(`
type virtual_places_server_packet_t;
')
dontaudit $1 virtual_places_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Receive virtual_places_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virtual_places_server_packets'($*)) dnl
gen_require(`
type virtual_places_server_packet_t;
')
allow $1 virtual_places_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virtual_places_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virtual_places_server_packets'($*)) dnl
gen_require(`
type virtual_places_server_packet_t;
')
dontaudit $1 virtual_places_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Send and receive virtual_places_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virtual_places_server_packets'($*)) dnl
corenet_send_virtual_places_server_packets($1)
corenet_receive_virtual_places_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virtual_places_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virtual_places_server_packets'($*)) dnl
corenet_dontaudit_send_virtual_places_server_packets($1)
corenet_dontaudit_receive_virtual_places_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to virtual_places_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virtual_places_server_packets'($*)) dnl
gen_require(`
type virtual_places_server_packet_t;
')
allow $1 virtual_places_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virtual_places_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the virt_migration port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
allow $1 virt_migration_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_migration_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the virt_migration port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
allow $1 virt_migration_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_migration_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the virt_migration port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
dontaudit $1 virt_migration_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_migration_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the virt_migration port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
allow $1 virt_migration_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_migration_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the virt_migration port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
dontaudit $1 virt_migration_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_migration_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the virt_migration port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_migration_port'($*)) dnl
corenet_udp_send_virt_migration_port($1)
corenet_udp_receive_virt_migration_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_migration_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the virt_migration port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_migration_port'($*)) dnl
corenet_dontaudit_udp_send_virt_migration_port($1)
corenet_dontaudit_udp_receive_virt_migration_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_migration_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the virt_migration port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
allow $1 virt_migration_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_migration_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the virt_migration port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
allow $1 virt_migration_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_migration_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to virt_migration port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
dontaudit $1 virt_migration_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_virt_migration_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the virt_migration port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
allow $1 virt_migration_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_migration_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to virt_migration port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_virt_migration_port'($*)) dnl
gen_require(`
type virt_migration_port_t;
')
dontaudit $1 virt_migration_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_virt_migration_port'($*)) dnl
')
########################################
##
## Send virt_migration_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_migration_client_packets'($*)) dnl
gen_require(`
type virt_migration_client_packet_t;
')
allow $1 virt_migration_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virt_migration_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_migration_client_packets'($*)) dnl
gen_require(`
type virt_migration_client_packet_t;
')
dontaudit $1 virt_migration_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Receive virt_migration_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_migration_client_packets'($*)) dnl
gen_require(`
type virt_migration_client_packet_t;
')
allow $1 virt_migration_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virt_migration_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_migration_client_packets'($*)) dnl
gen_require(`
type virt_migration_client_packet_t;
')
dontaudit $1 virt_migration_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Send and receive virt_migration_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_migration_client_packets'($*)) dnl
corenet_send_virt_migration_client_packets($1)
corenet_receive_virt_migration_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virt_migration_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_migration_client_packets'($*)) dnl
corenet_dontaudit_send_virt_migration_client_packets($1)
corenet_dontaudit_receive_virt_migration_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to virt_migration_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_migration_client_packets'($*)) dnl
gen_require(`
type virt_migration_client_packet_t;
')
allow $1 virt_migration_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_migration_client_packets'($*)) dnl
')
########################################
##
## Send virt_migration_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_migration_server_packets'($*)) dnl
gen_require(`
type virt_migration_server_packet_t;
')
allow $1 virt_migration_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send virt_migration_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_migration_server_packets'($*)) dnl
gen_require(`
type virt_migration_server_packet_t;
')
dontaudit $1 virt_migration_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Receive virt_migration_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_migration_server_packets'($*)) dnl
gen_require(`
type virt_migration_server_packet_t;
')
allow $1 virt_migration_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive virt_migration_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_migration_server_packets'($*)) dnl
gen_require(`
type virt_migration_server_packet_t;
')
dontaudit $1 virt_migration_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Send and receive virt_migration_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_migration_server_packets'($*)) dnl
corenet_send_virt_migration_server_packets($1)
corenet_receive_virt_migration_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive virt_migration_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_migration_server_packets'($*)) dnl
corenet_dontaudit_send_virt_migration_server_packets($1)
corenet_dontaudit_receive_virt_migration_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to virt_migration_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_migration_server_packets'($*)) dnl
gen_require(`
type virt_migration_server_packet_t;
')
allow $1 virt_migration_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_migration_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_vnc_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
dontaudit $1 vnc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_vnc_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
dontaudit $1 vnc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_vnc_port'($*)) dnl
corenet_udp_send_vnc_port($1)
corenet_udp_receive_vnc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl
corenet_dontaudit_udp_send_vnc_port($1)
corenet_dontaudit_udp_receive_vnc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_vnc_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the vnc port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to vnc port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
dontaudit $1 vnc_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_vnc_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the vnc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
allow $1 vnc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_vnc_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to vnc port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_vnc_port'($*)) dnl
gen_require(`
type vnc_port_t;
')
dontaudit $1 vnc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_vnc_port'($*)) dnl
')
########################################
##
## Send vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_client_packets'($*)) dnl
gen_require(`
type vnc_client_packet_t;
')
allow $1 vnc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vnc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send vnc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_client_packets'($*)) dnl
gen_require(`
type vnc_client_packet_t;
')
dontaudit $1 vnc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_client_packets'($*)) dnl
')
########################################
##
## Receive vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_client_packets'($*)) dnl
gen_require(`
type vnc_client_packet_t;
')
allow $1 vnc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl
gen_require(`
type vnc_client_packet_t;
')
dontaudit $1 vnc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl
')
########################################
##
## Send and receive vnc_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_client_packets'($*)) dnl
corenet_send_vnc_client_packets($1)
corenet_receive_vnc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive vnc_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl
corenet_dontaudit_send_vnc_client_packets($1)
corenet_dontaudit_receive_vnc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to vnc_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_client_packets'($*)) dnl
gen_require(`
type vnc_client_packet_t;
')
allow $1 vnc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_client_packets'($*)) dnl
')
########################################
##
## Send vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_server_packets'($*)) dnl
gen_require(`
type vnc_server_packet_t;
')
allow $1 vnc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vnc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send vnc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_server_packets'($*)) dnl
gen_require(`
type vnc_server_packet_t;
')
dontaudit $1 vnc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_server_packets'($*)) dnl
')
########################################
##
## Receive vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_server_packets'($*)) dnl
gen_require(`
type vnc_server_packet_t;
')
allow $1 vnc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl
gen_require(`
type vnc_server_packet_t;
')
dontaudit $1 vnc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl
')
########################################
##
## Send and receive vnc_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_server_packets'($*)) dnl
corenet_send_vnc_server_packets($1)
corenet_receive_vnc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive vnc_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl
corenet_dontaudit_send_vnc_server_packets($1)
corenet_dontaudit_receive_vnc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to vnc_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_server_packets'($*)) dnl
gen_require(`
type vnc_server_packet_t;
')
allow $1 vnc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the vqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
allow $1 vqp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_vqp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the vqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
allow $1 vqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_vqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the vqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
dontaudit $1 vqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_vqp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the vqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
allow $1 vqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_vqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the vqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
dontaudit $1 vqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_vqp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the vqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_vqp_port'($*)) dnl
corenet_udp_send_vqp_port($1)
corenet_udp_receive_vqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_vqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the vqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_vqp_port'($*)) dnl
corenet_dontaudit_udp_send_vqp_port($1)
corenet_dontaudit_udp_receive_vqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_vqp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the vqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
allow $1 vqp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_vqp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the vqp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
allow $1 vqp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_vqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to vqp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
dontaudit $1 vqp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_vqp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the vqp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
allow $1 vqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_vqp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to vqp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_vqp_port'($*)) dnl
gen_require(`
type vqp_port_t;
')
dontaudit $1 vqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_vqp_port'($*)) dnl
')
########################################
##
## Send vqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vqp_client_packets'($*)) dnl
gen_require(`
type vqp_client_packet_t;
')
allow $1 vqp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vqp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send vqp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vqp_client_packets'($*)) dnl
gen_require(`
type vqp_client_packet_t;
')
dontaudit $1 vqp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vqp_client_packets'($*)) dnl
')
########################################
##
## Receive vqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vqp_client_packets'($*)) dnl
gen_require(`
type vqp_client_packet_t;
')
allow $1 vqp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vqp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive vqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vqp_client_packets'($*)) dnl
gen_require(`
type vqp_client_packet_t;
')
dontaudit $1 vqp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vqp_client_packets'($*)) dnl
')
########################################
##
## Send and receive vqp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vqp_client_packets'($*)) dnl
corenet_send_vqp_client_packets($1)
corenet_receive_vqp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vqp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive vqp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vqp_client_packets'($*)) dnl
corenet_dontaudit_send_vqp_client_packets($1)
corenet_dontaudit_receive_vqp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vqp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to vqp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vqp_client_packets'($*)) dnl
gen_require(`
type vqp_client_packet_t;
')
allow $1 vqp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vqp_client_packets'($*)) dnl
')
########################################
##
## Send vqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vqp_server_packets'($*)) dnl
gen_require(`
type vqp_server_packet_t;
')
allow $1 vqp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vqp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send vqp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vqp_server_packets'($*)) dnl
gen_require(`
type vqp_server_packet_t;
')
dontaudit $1 vqp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vqp_server_packets'($*)) dnl
')
########################################
##
## Receive vqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vqp_server_packets'($*)) dnl
gen_require(`
type vqp_server_packet_t;
')
allow $1 vqp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vqp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive vqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vqp_server_packets'($*)) dnl
gen_require(`
type vqp_server_packet_t;
')
dontaudit $1 vqp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vqp_server_packets'($*)) dnl
')
########################################
##
## Send and receive vqp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vqp_server_packets'($*)) dnl
corenet_send_vqp_server_packets($1)
corenet_receive_vqp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vqp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive vqp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vqp_server_packets'($*)) dnl
corenet_dontaudit_send_vqp_server_packets($1)
corenet_dontaudit_receive_vqp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vqp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to vqp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vqp_server_packets'($*)) dnl
gen_require(`
type vqp_server_packet_t;
')
allow $1 vqp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vqp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wccp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
dontaudit $1 wccp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wccp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
dontaudit $1 wccp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wccp_port'($*)) dnl
corenet_udp_send_wccp_port($1)
corenet_udp_receive_wccp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl
corenet_dontaudit_udp_send_wccp_port($1)
corenet_dontaudit_udp_receive_wccp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wccp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the wccp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to wccp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
dontaudit $1 wccp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wccp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the wccp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
allow $1 wccp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wccp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to wccp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wccp_port'($*)) dnl
gen_require(`
type wccp_port_t;
')
dontaudit $1 wccp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wccp_port'($*)) dnl
')
########################################
##
## Send wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
allow $1 wccp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wccp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wccp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
dontaudit $1 wccp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_client_packets'($*)) dnl
')
########################################
##
## Receive wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
allow $1 wccp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
dontaudit $1 wccp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl
')
########################################
##
## Send and receive wccp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_client_packets'($*)) dnl
corenet_send_wccp_client_packets($1)
corenet_receive_wccp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wccp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl
corenet_dontaudit_send_wccp_client_packets($1)
corenet_dontaudit_receive_wccp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to wccp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_client_packets'($*)) dnl
gen_require(`
type wccp_client_packet_t;
')
allow $1 wccp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_client_packets'($*)) dnl
')
########################################
##
## Send wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
allow $1 wccp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wccp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wccp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
dontaudit $1 wccp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_server_packets'($*)) dnl
')
########################################
##
## Receive wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
allow $1 wccp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
dontaudit $1 wccp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl
')
########################################
##
## Send and receive wccp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_server_packets'($*)) dnl
corenet_send_wccp_server_packets($1)
corenet_receive_wccp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wccp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl
corenet_dontaudit_send_wccp_server_packets($1)
corenet_dontaudit_receive_wccp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to wccp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_server_packets'($*)) dnl
gen_require(`
type wccp_server_packet_t;
')
allow $1 wccp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the websm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
allow $1 websm_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_websm_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the websm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
allow $1 websm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_websm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the websm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
dontaudit $1 websm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_websm_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the websm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
allow $1 websm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_websm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the websm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
dontaudit $1 websm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_websm_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the websm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_websm_port'($*)) dnl
corenet_udp_send_websm_port($1)
corenet_udp_receive_websm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_websm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the websm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_websm_port'($*)) dnl
corenet_dontaudit_udp_send_websm_port($1)
corenet_dontaudit_udp_receive_websm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_websm_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the websm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
allow $1 websm_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_websm_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the websm port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
allow $1 websm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_websm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to websm port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
dontaudit $1 websm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_websm_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the websm port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
allow $1 websm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_websm_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to websm port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_websm_port'($*)) dnl
gen_require(`
type websm_port_t;
')
dontaudit $1 websm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_websm_port'($*)) dnl
')
########################################
##
## Send websm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_websm_client_packets'($*)) dnl
gen_require(`
type websm_client_packet_t;
')
allow $1 websm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_websm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send websm_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_websm_client_packets'($*)) dnl
gen_require(`
type websm_client_packet_t;
')
dontaudit $1 websm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_websm_client_packets'($*)) dnl
')
########################################
##
## Receive websm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_websm_client_packets'($*)) dnl
gen_require(`
type websm_client_packet_t;
')
allow $1 websm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_websm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive websm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_websm_client_packets'($*)) dnl
gen_require(`
type websm_client_packet_t;
')
dontaudit $1 websm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_websm_client_packets'($*)) dnl
')
########################################
##
## Send and receive websm_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_websm_client_packets'($*)) dnl
corenet_send_websm_client_packets($1)
corenet_receive_websm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_websm_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive websm_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_websm_client_packets'($*)) dnl
corenet_dontaudit_send_websm_client_packets($1)
corenet_dontaudit_receive_websm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_websm_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to websm_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_websm_client_packets'($*)) dnl
gen_require(`
type websm_client_packet_t;
')
allow $1 websm_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_websm_client_packets'($*)) dnl
')
########################################
##
## Send websm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_websm_server_packets'($*)) dnl
gen_require(`
type websm_server_packet_t;
')
allow $1 websm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_websm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send websm_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_websm_server_packets'($*)) dnl
gen_require(`
type websm_server_packet_t;
')
dontaudit $1 websm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_websm_server_packets'($*)) dnl
')
########################################
##
## Receive websm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_websm_server_packets'($*)) dnl
gen_require(`
type websm_server_packet_t;
')
allow $1 websm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_websm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive websm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_websm_server_packets'($*)) dnl
gen_require(`
type websm_server_packet_t;
')
dontaudit $1 websm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_websm_server_packets'($*)) dnl
')
########################################
##
## Send and receive websm_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_websm_server_packets'($*)) dnl
corenet_send_websm_server_packets($1)
corenet_receive_websm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_websm_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive websm_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_websm_server_packets'($*)) dnl
corenet_dontaudit_send_websm_server_packets($1)
corenet_dontaudit_receive_websm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_websm_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to websm_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_websm_server_packets'($*)) dnl
gen_require(`
type websm_server_packet_t;
')
allow $1 websm_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_websm_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the whois port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
allow $1 whois_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_whois_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the whois port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
allow $1 whois_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_whois_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the whois port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
dontaudit $1 whois_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_whois_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the whois port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
allow $1 whois_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_whois_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the whois port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
dontaudit $1 whois_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_whois_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the whois port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_whois_port'($*)) dnl
corenet_udp_send_whois_port($1)
corenet_udp_receive_whois_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_whois_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the whois port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_whois_port'($*)) dnl
corenet_dontaudit_udp_send_whois_port($1)
corenet_dontaudit_udp_receive_whois_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_whois_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the whois port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
allow $1 whois_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_whois_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the whois port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
allow $1 whois_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_whois_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to whois port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
dontaudit $1 whois_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_whois_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the whois port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
allow $1 whois_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_whois_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to whois port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_whois_port'($*)) dnl
gen_require(`
type whois_port_t;
')
dontaudit $1 whois_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_whois_port'($*)) dnl
')
########################################
##
## Send whois_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_whois_client_packets'($*)) dnl
gen_require(`
type whois_client_packet_t;
')
allow $1 whois_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_whois_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send whois_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_whois_client_packets'($*)) dnl
gen_require(`
type whois_client_packet_t;
')
dontaudit $1 whois_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_whois_client_packets'($*)) dnl
')
########################################
##
## Receive whois_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_whois_client_packets'($*)) dnl
gen_require(`
type whois_client_packet_t;
')
allow $1 whois_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_whois_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive whois_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_whois_client_packets'($*)) dnl
gen_require(`
type whois_client_packet_t;
')
dontaudit $1 whois_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_whois_client_packets'($*)) dnl
')
########################################
##
## Send and receive whois_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_whois_client_packets'($*)) dnl
corenet_send_whois_client_packets($1)
corenet_receive_whois_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_whois_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive whois_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_whois_client_packets'($*)) dnl
corenet_dontaudit_send_whois_client_packets($1)
corenet_dontaudit_receive_whois_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_whois_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to whois_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_whois_client_packets'($*)) dnl
gen_require(`
type whois_client_packet_t;
')
allow $1 whois_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_whois_client_packets'($*)) dnl
')
########################################
##
## Send whois_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_whois_server_packets'($*)) dnl
gen_require(`
type whois_server_packet_t;
')
allow $1 whois_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_whois_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send whois_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_whois_server_packets'($*)) dnl
gen_require(`
type whois_server_packet_t;
')
dontaudit $1 whois_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_whois_server_packets'($*)) dnl
')
########################################
##
## Receive whois_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_whois_server_packets'($*)) dnl
gen_require(`
type whois_server_packet_t;
')
allow $1 whois_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_whois_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive whois_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_whois_server_packets'($*)) dnl
gen_require(`
type whois_server_packet_t;
')
dontaudit $1 whois_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_whois_server_packets'($*)) dnl
')
########################################
##
## Send and receive whois_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_whois_server_packets'($*)) dnl
corenet_send_whois_server_packets($1)
corenet_receive_whois_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_whois_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive whois_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_whois_server_packets'($*)) dnl
corenet_dontaudit_send_whois_server_packets($1)
corenet_dontaudit_receive_whois_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_whois_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to whois_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_whois_server_packets'($*)) dnl
gen_require(`
type whois_server_packet_t;
')
allow $1 whois_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_whois_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the winshadow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
allow $1 winshadow_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_winshadow_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the winshadow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
allow $1 winshadow_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_winshadow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the winshadow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
dontaudit $1 winshadow_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_winshadow_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the winshadow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
allow $1 winshadow_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_winshadow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the winshadow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
dontaudit $1 winshadow_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_winshadow_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the winshadow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_winshadow_port'($*)) dnl
corenet_udp_send_winshadow_port($1)
corenet_udp_receive_winshadow_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_winshadow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the winshadow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_winshadow_port'($*)) dnl
corenet_dontaudit_udp_send_winshadow_port($1)
corenet_dontaudit_udp_receive_winshadow_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_winshadow_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the winshadow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
allow $1 winshadow_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_winshadow_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the winshadow port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
allow $1 winshadow_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_winshadow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to winshadow port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
dontaudit $1 winshadow_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_winshadow_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the winshadow port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
allow $1 winshadow_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_winshadow_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to winshadow port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_winshadow_port'($*)) dnl
gen_require(`
type winshadow_port_t;
')
dontaudit $1 winshadow_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_winshadow_port'($*)) dnl
')
########################################
##
## Send winshadow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_winshadow_client_packets'($*)) dnl
gen_require(`
type winshadow_client_packet_t;
')
allow $1 winshadow_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_winshadow_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send winshadow_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_winshadow_client_packets'($*)) dnl
gen_require(`
type winshadow_client_packet_t;
')
dontaudit $1 winshadow_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_winshadow_client_packets'($*)) dnl
')
########################################
##
## Receive winshadow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_winshadow_client_packets'($*)) dnl
gen_require(`
type winshadow_client_packet_t;
')
allow $1 winshadow_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_winshadow_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive winshadow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_winshadow_client_packets'($*)) dnl
gen_require(`
type winshadow_client_packet_t;
')
dontaudit $1 winshadow_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_winshadow_client_packets'($*)) dnl
')
########################################
##
## Send and receive winshadow_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_winshadow_client_packets'($*)) dnl
corenet_send_winshadow_client_packets($1)
corenet_receive_winshadow_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_winshadow_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive winshadow_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_winshadow_client_packets'($*)) dnl
corenet_dontaudit_send_winshadow_client_packets($1)
corenet_dontaudit_receive_winshadow_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_winshadow_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to winshadow_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_winshadow_client_packets'($*)) dnl
gen_require(`
type winshadow_client_packet_t;
')
allow $1 winshadow_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_winshadow_client_packets'($*)) dnl
')
########################################
##
## Send winshadow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_winshadow_server_packets'($*)) dnl
gen_require(`
type winshadow_server_packet_t;
')
allow $1 winshadow_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_winshadow_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send winshadow_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_winshadow_server_packets'($*)) dnl
gen_require(`
type winshadow_server_packet_t;
')
dontaudit $1 winshadow_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_winshadow_server_packets'($*)) dnl
')
########################################
##
## Receive winshadow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_winshadow_server_packets'($*)) dnl
gen_require(`
type winshadow_server_packet_t;
')
allow $1 winshadow_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_winshadow_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive winshadow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_winshadow_server_packets'($*)) dnl
gen_require(`
type winshadow_server_packet_t;
')
dontaudit $1 winshadow_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_winshadow_server_packets'($*)) dnl
')
########################################
##
## Send and receive winshadow_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_winshadow_server_packets'($*)) dnl
corenet_send_winshadow_server_packets($1)
corenet_receive_winshadow_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_winshadow_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive winshadow_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_winshadow_server_packets'($*)) dnl
corenet_dontaudit_send_winshadow_server_packets($1)
corenet_dontaudit_receive_winshadow_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_winshadow_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to winshadow_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_winshadow_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_winshadow_server_packets'($*)) dnl
gen_require(`
type winshadow_server_packet_t;
')
allow $1 winshadow_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_winshadow_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
allow $1 wap_wsp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wap_wsp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
allow $1 wap_wsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wap_wsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the wap_wsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
dontaudit $1 wap_wsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wap_wsp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
allow $1 wap_wsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wap_wsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the wap_wsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
dontaudit $1 wap_wsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wap_wsp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wap_wsp_port'($*)) dnl
corenet_udp_send_wap_wsp_port($1)
corenet_udp_receive_wap_wsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wap_wsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the wap_wsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wap_wsp_port'($*)) dnl
corenet_dontaudit_udp_send_wap_wsp_port($1)
corenet_dontaudit_udp_receive_wap_wsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wap_wsp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
allow $1 wap_wsp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wap_wsp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
allow $1 wap_wsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wap_wsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to wap_wsp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
dontaudit $1 wap_wsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wap_wsp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the wap_wsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
allow $1 wap_wsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wap_wsp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to wap_wsp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_wap_wsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wap_wsp_port'($*)) dnl
gen_require(`
type wap_wsp_port_t;
')
dontaudit $1 wap_wsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wap_wsp_port'($*)) dnl
')
########################################
##
## Send wap_wsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wap_wsp_client_packets'($*)) dnl
gen_require(`
type wap_wsp_client_packet_t;
')
allow $1 wap_wsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wap_wsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wap_wsp_client_packets'($*)) dnl
gen_require(`
type wap_wsp_client_packet_t;
')
dontaudit $1 wap_wsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Receive wap_wsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wap_wsp_client_packets'($*)) dnl
gen_require(`
type wap_wsp_client_packet_t;
')
allow $1 wap_wsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wap_wsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wap_wsp_client_packets'($*)) dnl
gen_require(`
type wap_wsp_client_packet_t;
')
dontaudit $1 wap_wsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Send and receive wap_wsp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wap_wsp_client_packets'($*)) dnl
corenet_send_wap_wsp_client_packets($1)
corenet_receive_wap_wsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wap_wsp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wap_wsp_client_packets'($*)) dnl
corenet_dontaudit_send_wap_wsp_client_packets($1)
corenet_dontaudit_receive_wap_wsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to wap_wsp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wap_wsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wap_wsp_client_packets'($*)) dnl
gen_require(`
type wap_wsp_client_packet_t;
')
allow $1 wap_wsp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wap_wsp_client_packets'($*)) dnl
')
########################################
##
## Send wap_wsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wap_wsp_server_packets'($*)) dnl
gen_require(`
type wap_wsp_server_packet_t;
')
allow $1 wap_wsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wap_wsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wap_wsp_server_packets'($*)) dnl
gen_require(`
type wap_wsp_server_packet_t;
')
dontaudit $1 wap_wsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Receive wap_wsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wap_wsp_server_packets'($*)) dnl
gen_require(`
type wap_wsp_server_packet_t;
')
allow $1 wap_wsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wap_wsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wap_wsp_server_packets'($*)) dnl
gen_require(`
type wap_wsp_server_packet_t;
')
dontaudit $1 wap_wsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive wap_wsp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wap_wsp_server_packets'($*)) dnl
corenet_send_wap_wsp_server_packets($1)
corenet_receive_wap_wsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wap_wsp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wap_wsp_server_packets'($*)) dnl
corenet_dontaudit_send_wap_wsp_server_packets($1)
corenet_dontaudit_receive_wap_wsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to wap_wsp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wap_wsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wap_wsp_server_packets'($*)) dnl
gen_require(`
type wap_wsp_server_packet_t;
')
allow $1 wap_wsp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wap_wsp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the wsdapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
allow $1 wsdapi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wsdapi_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the wsdapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
allow $1 wsdapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wsdapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the wsdapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
dontaudit $1 wsdapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wsdapi_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the wsdapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
allow $1 wsdapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wsdapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the wsdapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
dontaudit $1 wsdapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wsdapi_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the wsdapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wsdapi_port'($*)) dnl
corenet_udp_send_wsdapi_port($1)
corenet_udp_receive_wsdapi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wsdapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the wsdapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wsdapi_port'($*)) dnl
corenet_dontaudit_udp_send_wsdapi_port($1)
corenet_dontaudit_udp_receive_wsdapi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wsdapi_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the wsdapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
allow $1 wsdapi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wsdapi_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the wsdapi port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
allow $1 wsdapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wsdapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to wsdapi port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
dontaudit $1 wsdapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wsdapi_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the wsdapi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
allow $1 wsdapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wsdapi_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to wsdapi port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_wsdapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wsdapi_port'($*)) dnl
gen_require(`
type wsdapi_port_t;
')
dontaudit $1 wsdapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wsdapi_port'($*)) dnl
')
########################################
##
## Send wsdapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsdapi_client_packets'($*)) dnl
gen_require(`
type wsdapi_client_packet_t;
')
allow $1 wsdapi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wsdapi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsdapi_client_packets'($*)) dnl
gen_require(`
type wsdapi_client_packet_t;
')
dontaudit $1 wsdapi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Receive wsdapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsdapi_client_packets'($*)) dnl
gen_require(`
type wsdapi_client_packet_t;
')
allow $1 wsdapi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wsdapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsdapi_client_packets'($*)) dnl
gen_require(`
type wsdapi_client_packet_t;
')
dontaudit $1 wsdapi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Send and receive wsdapi_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsdapi_client_packets'($*)) dnl
corenet_send_wsdapi_client_packets($1)
corenet_receive_wsdapi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wsdapi_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsdapi_client_packets'($*)) dnl
corenet_dontaudit_send_wsdapi_client_packets($1)
corenet_dontaudit_receive_wsdapi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to wsdapi_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsdapi_client_packets'($*)) dnl
gen_require(`
type wsdapi_client_packet_t;
')
allow $1 wsdapi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsdapi_client_packets'($*)) dnl
')
########################################
##
## Send wsdapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsdapi_server_packets'($*)) dnl
gen_require(`
type wsdapi_server_packet_t;
')
allow $1 wsdapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wsdapi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsdapi_server_packets'($*)) dnl
gen_require(`
type wsdapi_server_packet_t;
')
dontaudit $1 wsdapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Receive wsdapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsdapi_server_packets'($*)) dnl
gen_require(`
type wsdapi_server_packet_t;
')
allow $1 wsdapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wsdapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsdapi_server_packets'($*)) dnl
gen_require(`
type wsdapi_server_packet_t;
')
dontaudit $1 wsdapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Send and receive wsdapi_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsdapi_server_packets'($*)) dnl
corenet_send_wsdapi_server_packets($1)
corenet_receive_wsdapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wsdapi_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsdapi_server_packets'($*)) dnl
corenet_dontaudit_send_wsdapi_server_packets($1)
corenet_dontaudit_receive_wsdapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to wsdapi_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsdapi_server_packets'($*)) dnl
gen_require(`
type wsdapi_server_packet_t;
')
allow $1 wsdapi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsdapi_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the wsicopy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
allow $1 wsicopy_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wsicopy_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the wsicopy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
allow $1 wsicopy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wsicopy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the wsicopy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
dontaudit $1 wsicopy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wsicopy_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the wsicopy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
allow $1 wsicopy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wsicopy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the wsicopy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
dontaudit $1 wsicopy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wsicopy_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the wsicopy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wsicopy_port'($*)) dnl
corenet_udp_send_wsicopy_port($1)
corenet_udp_receive_wsicopy_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wsicopy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the wsicopy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wsicopy_port'($*)) dnl
corenet_dontaudit_udp_send_wsicopy_port($1)
corenet_dontaudit_udp_receive_wsicopy_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wsicopy_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the wsicopy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
allow $1 wsicopy_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wsicopy_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the wsicopy port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
allow $1 wsicopy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wsicopy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to wsicopy port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
dontaudit $1 wsicopy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wsicopy_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the wsicopy port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
allow $1 wsicopy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wsicopy_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to wsicopy port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wsicopy_port'($*)) dnl
gen_require(`
type wsicopy_port_t;
')
dontaudit $1 wsicopy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wsicopy_port'($*)) dnl
')
########################################
##
## Send wsicopy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsicopy_client_packets'($*)) dnl
gen_require(`
type wsicopy_client_packet_t;
')
allow $1 wsicopy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wsicopy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsicopy_client_packets'($*)) dnl
gen_require(`
type wsicopy_client_packet_t;
')
dontaudit $1 wsicopy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Receive wsicopy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsicopy_client_packets'($*)) dnl
gen_require(`
type wsicopy_client_packet_t;
')
allow $1 wsicopy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wsicopy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsicopy_client_packets'($*)) dnl
gen_require(`
type wsicopy_client_packet_t;
')
dontaudit $1 wsicopy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Send and receive wsicopy_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsicopy_client_packets'($*)) dnl
corenet_send_wsicopy_client_packets($1)
corenet_receive_wsicopy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wsicopy_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsicopy_client_packets'($*)) dnl
corenet_dontaudit_send_wsicopy_client_packets($1)
corenet_dontaudit_receive_wsicopy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to wsicopy_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsicopy_client_packets'($*)) dnl
gen_require(`
type wsicopy_client_packet_t;
')
allow $1 wsicopy_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsicopy_client_packets'($*)) dnl
')
########################################
##
## Send wsicopy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsicopy_server_packets'($*)) dnl
gen_require(`
type wsicopy_server_packet_t;
')
allow $1 wsicopy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send wsicopy_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsicopy_server_packets'($*)) dnl
gen_require(`
type wsicopy_server_packet_t;
')
dontaudit $1 wsicopy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Receive wsicopy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsicopy_server_packets'($*)) dnl
gen_require(`
type wsicopy_server_packet_t;
')
allow $1 wsicopy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive wsicopy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsicopy_server_packets'($*)) dnl
gen_require(`
type wsicopy_server_packet_t;
')
dontaudit $1 wsicopy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Send and receive wsicopy_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsicopy_server_packets'($*)) dnl
corenet_send_wsicopy_server_packets($1)
corenet_receive_wsicopy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive wsicopy_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsicopy_server_packets'($*)) dnl
corenet_dontaudit_send_wsicopy_server_packets($1)
corenet_dontaudit_receive_wsicopy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to wsicopy_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsicopy_server_packets'($*)) dnl
gen_require(`
type wsicopy_server_packet_t;
')
allow $1 wsicopy_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsicopy_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xdmcp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
allow $1 xdmcp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xdmcp_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xdmcp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
allow $1 xdmcp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xdmcp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xdmcp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
dontaudit $1 xdmcp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xdmcp_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xdmcp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
allow $1 xdmcp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xdmcp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xdmcp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
dontaudit $1 xdmcp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xdmcp_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xdmcp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xdmcp_port'($*)) dnl
corenet_udp_send_xdmcp_port($1)
corenet_udp_receive_xdmcp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xdmcp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xdmcp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xdmcp_port'($*)) dnl
corenet_dontaudit_udp_send_xdmcp_port($1)
corenet_dontaudit_udp_receive_xdmcp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xdmcp_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xdmcp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
allow $1 xdmcp_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xdmcp_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xdmcp port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
allow $1 xdmcp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xdmcp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xdmcp port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
dontaudit $1 xdmcp_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xdmcp_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xdmcp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
allow $1 xdmcp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xdmcp_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xdmcp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xdmcp_port'($*)) dnl
gen_require(`
type xdmcp_port_t;
')
dontaudit $1 xdmcp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xdmcp_port'($*)) dnl
')
########################################
##
## Send xdmcp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xdmcp_client_packets'($*)) dnl
gen_require(`
type xdmcp_client_packet_t;
')
allow $1 xdmcp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xdmcp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xdmcp_client_packets'($*)) dnl
gen_require(`
type xdmcp_client_packet_t;
')
dontaudit $1 xdmcp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Receive xdmcp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xdmcp_client_packets'($*)) dnl
gen_require(`
type xdmcp_client_packet_t;
')
allow $1 xdmcp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xdmcp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xdmcp_client_packets'($*)) dnl
gen_require(`
type xdmcp_client_packet_t;
')
dontaudit $1 xdmcp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Send and receive xdmcp_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xdmcp_client_packets'($*)) dnl
corenet_send_xdmcp_client_packets($1)
corenet_receive_xdmcp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xdmcp_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xdmcp_client_packets'($*)) dnl
corenet_dontaudit_send_xdmcp_client_packets($1)
corenet_dontaudit_receive_xdmcp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xdmcp_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xdmcp_client_packets'($*)) dnl
gen_require(`
type xdmcp_client_packet_t;
')
allow $1 xdmcp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xdmcp_client_packets'($*)) dnl
')
########################################
##
## Send xdmcp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xdmcp_server_packets'($*)) dnl
gen_require(`
type xdmcp_server_packet_t;
')
allow $1 xdmcp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xdmcp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xdmcp_server_packets'($*)) dnl
gen_require(`
type xdmcp_server_packet_t;
')
dontaudit $1 xdmcp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Receive xdmcp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xdmcp_server_packets'($*)) dnl
gen_require(`
type xdmcp_server_packet_t;
')
allow $1 xdmcp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xdmcp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xdmcp_server_packets'($*)) dnl
gen_require(`
type xdmcp_server_packet_t;
')
dontaudit $1 xdmcp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Send and receive xdmcp_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xdmcp_server_packets'($*)) dnl
corenet_send_xdmcp_server_packets($1)
corenet_receive_xdmcp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xdmcp_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xdmcp_server_packets'($*)) dnl
corenet_dontaudit_send_xdmcp_server_packets($1)
corenet_dontaudit_receive_xdmcp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xdmcp_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xdmcp_server_packets'($*)) dnl
gen_require(`
type xdmcp_server_packet_t;
')
allow $1 xdmcp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xdmcp_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xen_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
dontaudit $1 xen_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xen_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
dontaudit $1 xen_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xen_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xen_port'($*)) dnl
corenet_udp_send_xen_port($1)
corenet_udp_receive_xen_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl
corenet_dontaudit_udp_send_xen_port($1)
corenet_dontaudit_udp_receive_xen_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xen_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xen port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xen port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
dontaudit $1 xen_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xen_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xen port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
allow $1 xen_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xen_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xen port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xen_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xen_port'($*)) dnl
gen_require(`
type xen_port_t;
')
dontaudit $1 xen_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xen_port'($*)) dnl
')
########################################
##
## Send xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
allow $1 xen_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xen_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xen_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
dontaudit $1 xen_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_client_packets'($*)) dnl
')
########################################
##
## Receive xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
allow $1 xen_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xen_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
dontaudit $1 xen_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_client_packets'($*)) dnl
')
########################################
##
## Send and receive xen_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_client_packets'($*)) dnl
corenet_send_xen_client_packets($1)
corenet_receive_xen_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xen_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl
corenet_dontaudit_send_xen_client_packets($1)
corenet_dontaudit_receive_xen_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xen_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xen_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_client_packets'($*)) dnl
gen_require(`
type xen_client_packet_t;
')
allow $1 xen_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_client_packets'($*)) dnl
')
########################################
##
## Send xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
allow $1 xen_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xen_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xen_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
dontaudit $1 xen_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_server_packets'($*)) dnl
')
########################################
##
## Receive xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
allow $1 xen_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xen_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
dontaudit $1 xen_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_server_packets'($*)) dnl
')
########################################
##
## Send and receive xen_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_server_packets'($*)) dnl
corenet_send_xen_server_packets($1)
corenet_receive_xen_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xen_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl
corenet_dontaudit_send_xen_server_packets($1)
corenet_dontaudit_receive_xen_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xen_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xen_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_server_packets'($*)) dnl
gen_require(`
type xen_server_packet_t;
')
allow $1 xen_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
allow $1 xinuexpansion3_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
allow $1 xinuexpansion3_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xinuexpansion3 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
dontaudit $1 xinuexpansion3_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
allow $1 xinuexpansion3_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xinuexpansion3 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
dontaudit $1 xinuexpansion3_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xinuexpansion3_port'($*)) dnl
corenet_udp_send_xinuexpansion3_port($1)
corenet_udp_receive_xinuexpansion3_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xinuexpansion3 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xinuexpansion3_port'($*)) dnl
corenet_dontaudit_udp_send_xinuexpansion3_port($1)
corenet_dontaudit_udp_receive_xinuexpansion3_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
allow $1 xinuexpansion3_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
allow $1 xinuexpansion3_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xinuexpansion3 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
dontaudit $1 xinuexpansion3_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
allow $1 xinuexpansion3_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xinuexpansion3 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xinuexpansion3_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xinuexpansion3_port'($*)) dnl
gen_require(`
type xinuexpansion3_port_t;
')
dontaudit $1 xinuexpansion3_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xinuexpansion3_port'($*)) dnl
')
########################################
##
## Send xinuexpansion3_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion3_client_packets'($*)) dnl
gen_require(`
type xinuexpansion3_client_packet_t;
')
allow $1 xinuexpansion3_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xinuexpansion3_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion3_client_packets'($*)) dnl
gen_require(`
type xinuexpansion3_client_packet_t;
')
dontaudit $1 xinuexpansion3_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Receive xinuexpansion3_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion3_client_packets'($*)) dnl
gen_require(`
type xinuexpansion3_client_packet_t;
')
allow $1 xinuexpansion3_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xinuexpansion3_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion3_client_packets'($*)) dnl
gen_require(`
type xinuexpansion3_client_packet_t;
')
dontaudit $1 xinuexpansion3_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Send and receive xinuexpansion3_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion3_client_packets'($*)) dnl
corenet_send_xinuexpansion3_client_packets($1)
corenet_receive_xinuexpansion3_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xinuexpansion3_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion3_client_packets'($*)) dnl
corenet_dontaudit_send_xinuexpansion3_client_packets($1)
corenet_dontaudit_receive_xinuexpansion3_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xinuexpansion3_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xinuexpansion3_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion3_client_packets'($*)) dnl
gen_require(`
type xinuexpansion3_client_packet_t;
')
allow $1 xinuexpansion3_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion3_client_packets'($*)) dnl
')
########################################
##
## Send xinuexpansion3_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion3_server_packets'($*)) dnl
gen_require(`
type xinuexpansion3_server_packet_t;
')
allow $1 xinuexpansion3_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xinuexpansion3_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion3_server_packets'($*)) dnl
gen_require(`
type xinuexpansion3_server_packet_t;
')
dontaudit $1 xinuexpansion3_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Receive xinuexpansion3_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion3_server_packets'($*)) dnl
gen_require(`
type xinuexpansion3_server_packet_t;
')
allow $1 xinuexpansion3_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xinuexpansion3_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion3_server_packets'($*)) dnl
gen_require(`
type xinuexpansion3_server_packet_t;
')
dontaudit $1 xinuexpansion3_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Send and receive xinuexpansion3_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion3_server_packets'($*)) dnl
corenet_send_xinuexpansion3_server_packets($1)
corenet_receive_xinuexpansion3_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xinuexpansion3_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion3_server_packets'($*)) dnl
corenet_dontaudit_send_xinuexpansion3_server_packets($1)
corenet_dontaudit_receive_xinuexpansion3_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xinuexpansion3_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xinuexpansion3_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion3_server_packets'($*)) dnl
gen_require(`
type xinuexpansion3_server_packet_t;
')
allow $1 xinuexpansion3_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion3_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
allow $1 xinuexpansion4_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
allow $1 xinuexpansion4_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xinuexpansion4 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
dontaudit $1 xinuexpansion4_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
allow $1 xinuexpansion4_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xinuexpansion4 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
dontaudit $1 xinuexpansion4_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xinuexpansion4_port'($*)) dnl
corenet_udp_send_xinuexpansion4_port($1)
corenet_udp_receive_xinuexpansion4_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xinuexpansion4 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xinuexpansion4_port'($*)) dnl
corenet_dontaudit_udp_send_xinuexpansion4_port($1)
corenet_dontaudit_udp_receive_xinuexpansion4_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
allow $1 xinuexpansion4_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
allow $1 xinuexpansion4_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xinuexpansion4 port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
dontaudit $1 xinuexpansion4_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
allow $1 xinuexpansion4_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xinuexpansion4 port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xinuexpansion4_port'($*)) dnl
gen_require(`
type xinuexpansion4_port_t;
')
dontaudit $1 xinuexpansion4_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xinuexpansion4_port'($*)) dnl
')
########################################
##
## Send xinuexpansion4_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion4_client_packets'($*)) dnl
gen_require(`
type xinuexpansion4_client_packet_t;
')
allow $1 xinuexpansion4_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xinuexpansion4_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion4_client_packets'($*)) dnl
gen_require(`
type xinuexpansion4_client_packet_t;
')
dontaudit $1 xinuexpansion4_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Receive xinuexpansion4_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion4_client_packets'($*)) dnl
gen_require(`
type xinuexpansion4_client_packet_t;
')
allow $1 xinuexpansion4_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xinuexpansion4_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion4_client_packets'($*)) dnl
gen_require(`
type xinuexpansion4_client_packet_t;
')
dontaudit $1 xinuexpansion4_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Send and receive xinuexpansion4_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion4_client_packets'($*)) dnl
corenet_send_xinuexpansion4_client_packets($1)
corenet_receive_xinuexpansion4_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xinuexpansion4_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion4_client_packets'($*)) dnl
corenet_dontaudit_send_xinuexpansion4_client_packets($1)
corenet_dontaudit_receive_xinuexpansion4_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xinuexpansion4_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion4_client_packets'($*)) dnl
gen_require(`
type xinuexpansion4_client_packet_t;
')
allow $1 xinuexpansion4_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion4_client_packets'($*)) dnl
')
########################################
##
## Send xinuexpansion4_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion4_server_packets'($*)) dnl
gen_require(`
type xinuexpansion4_server_packet_t;
')
allow $1 xinuexpansion4_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xinuexpansion4_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion4_server_packets'($*)) dnl
gen_require(`
type xinuexpansion4_server_packet_t;
')
dontaudit $1 xinuexpansion4_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Receive xinuexpansion4_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion4_server_packets'($*)) dnl
gen_require(`
type xinuexpansion4_server_packet_t;
')
allow $1 xinuexpansion4_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xinuexpansion4_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion4_server_packets'($*)) dnl
gen_require(`
type xinuexpansion4_server_packet_t;
')
dontaudit $1 xinuexpansion4_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Send and receive xinuexpansion4_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion4_server_packets'($*)) dnl
corenet_send_xinuexpansion4_server_packets($1)
corenet_receive_xinuexpansion4_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xinuexpansion4_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion4_server_packets'($*)) dnl
corenet_dontaudit_send_xinuexpansion4_server_packets($1)
corenet_dontaudit_receive_xinuexpansion4_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xinuexpansion4_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion4_server_packets'($*)) dnl
gen_require(`
type xinuexpansion4_server_packet_t;
')
allow $1 xinuexpansion4_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion4_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xfs_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
dontaudit $1 xfs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xfs_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
dontaudit $1 xfs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xfs_port'($*)) dnl
corenet_udp_send_xfs_port($1)
corenet_udp_receive_xfs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl
corenet_dontaudit_udp_send_xfs_port($1)
corenet_dontaudit_udp_receive_xfs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xfs_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xfs port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xfs port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
dontaudit $1 xfs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xfs_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xfs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
allow $1 xfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xfs_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xfs port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xfs_port'($*)) dnl
gen_require(`
type xfs_port_t;
')
dontaudit $1 xfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xfs_port'($*)) dnl
')
########################################
##
## Send xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
allow $1 xfs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
dontaudit $1 xfs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_client_packets'($*)) dnl
')
########################################
##
## Receive xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
allow $1 xfs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
dontaudit $1 xfs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl
')
########################################
##
## Send and receive xfs_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_client_packets'($*)) dnl
corenet_send_xfs_client_packets($1)
corenet_receive_xfs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xfs_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl
corenet_dontaudit_send_xfs_client_packets($1)
corenet_dontaudit_receive_xfs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xfs_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_client_packets'($*)) dnl
gen_require(`
type xfs_client_packet_t;
')
allow $1 xfs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_client_packets'($*)) dnl
')
########################################
##
## Send xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
allow $1 xfs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
dontaudit $1 xfs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_server_packets'($*)) dnl
')
########################################
##
## Receive xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
allow $1 xfs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
dontaudit $1 xfs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl
')
########################################
##
## Send and receive xfs_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_server_packets'($*)) dnl
corenet_send_xfs_server_packets($1)
corenet_receive_xfs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xfs_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl
corenet_dontaudit_send_xfs_server_packets($1)
corenet_dontaudit_receive_xfs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xfs_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_server_packets'($*)) dnl
gen_require(`
type xfs_server_packet_t;
')
allow $1 xfs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xmsg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
allow $1 xmsg_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xmsg_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xmsg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
allow $1 xmsg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xmsg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xmsg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
dontaudit $1 xmsg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xmsg_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xmsg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
allow $1 xmsg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xmsg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xmsg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
dontaudit $1 xmsg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xmsg_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xmsg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xmsg_port'($*)) dnl
corenet_udp_send_xmsg_port($1)
corenet_udp_receive_xmsg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xmsg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xmsg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xmsg_port'($*)) dnl
corenet_dontaudit_udp_send_xmsg_port($1)
corenet_dontaudit_udp_receive_xmsg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xmsg_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xmsg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
allow $1 xmsg_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xmsg_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xmsg port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
allow $1 xmsg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xmsg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xmsg port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
dontaudit $1 xmsg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xmsg_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xmsg port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
allow $1 xmsg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xmsg_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xmsg port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xmsg_port'($*)) dnl
gen_require(`
type xmsg_port_t;
')
dontaudit $1 xmsg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xmsg_port'($*)) dnl
')
########################################
##
## Send xmsg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xmsg_client_packets'($*)) dnl
gen_require(`
type xmsg_client_packet_t;
')
allow $1 xmsg_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xmsg_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xmsg_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xmsg_client_packets'($*)) dnl
gen_require(`
type xmsg_client_packet_t;
')
dontaudit $1 xmsg_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xmsg_client_packets'($*)) dnl
')
########################################
##
## Receive xmsg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xmsg_client_packets'($*)) dnl
gen_require(`
type xmsg_client_packet_t;
')
allow $1 xmsg_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xmsg_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xmsg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xmsg_client_packets'($*)) dnl
gen_require(`
type xmsg_client_packet_t;
')
dontaudit $1 xmsg_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xmsg_client_packets'($*)) dnl
')
########################################
##
## Send and receive xmsg_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xmsg_client_packets'($*)) dnl
corenet_send_xmsg_client_packets($1)
corenet_receive_xmsg_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xmsg_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xmsg_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xmsg_client_packets'($*)) dnl
corenet_dontaudit_send_xmsg_client_packets($1)
corenet_dontaudit_receive_xmsg_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xmsg_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xmsg_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xmsg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xmsg_client_packets'($*)) dnl
gen_require(`
type xmsg_client_packet_t;
')
allow $1 xmsg_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xmsg_client_packets'($*)) dnl
')
########################################
##
## Send xmsg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xmsg_server_packets'($*)) dnl
gen_require(`
type xmsg_server_packet_t;
')
allow $1 xmsg_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xmsg_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xmsg_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xmsg_server_packets'($*)) dnl
gen_require(`
type xmsg_server_packet_t;
')
dontaudit $1 xmsg_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xmsg_server_packets'($*)) dnl
')
########################################
##
## Receive xmsg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xmsg_server_packets'($*)) dnl
gen_require(`
type xmsg_server_packet_t;
')
allow $1 xmsg_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xmsg_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xmsg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xmsg_server_packets'($*)) dnl
gen_require(`
type xmsg_server_packet_t;
')
dontaudit $1 xmsg_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xmsg_server_packets'($*)) dnl
')
########################################
##
## Send and receive xmsg_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xmsg_server_packets'($*)) dnl
corenet_send_xmsg_server_packets($1)
corenet_receive_xmsg_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xmsg_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xmsg_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xmsg_server_packets'($*)) dnl
corenet_dontaudit_send_xmsg_server_packets($1)
corenet_dontaudit_receive_xmsg_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xmsg_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xmsg_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xmsg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xmsg_server_packets'($*)) dnl
gen_require(`
type xmsg_server_packet_t;
')
allow $1 xmsg_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xmsg_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
allow $1 xodbc_connect_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xodbc_connect_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
allow $1 xodbc_connect_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xodbc_connect_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xodbc_connect port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
dontaudit $1 xodbc_connect_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xodbc_connect_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
allow $1 xodbc_connect_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xodbc_connect_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xodbc_connect port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
dontaudit $1 xodbc_connect_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xodbc_connect_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xodbc_connect_port'($*)) dnl
corenet_udp_send_xodbc_connect_port($1)
corenet_udp_receive_xodbc_connect_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xodbc_connect_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xodbc_connect port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xodbc_connect_port'($*)) dnl
corenet_dontaudit_udp_send_xodbc_connect_port($1)
corenet_dontaudit_udp_receive_xodbc_connect_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xodbc_connect_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
allow $1 xodbc_connect_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xodbc_connect_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
allow $1 xodbc_connect_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xodbc_connect_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xodbc_connect port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
dontaudit $1 xodbc_connect_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xodbc_connect_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
allow $1 xodbc_connect_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xodbc_connect_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xodbc_connect port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xodbc_connect_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xodbc_connect_port'($*)) dnl
gen_require(`
type xodbc_connect_port_t;
')
dontaudit $1 xodbc_connect_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xodbc_connect_port'($*)) dnl
')
########################################
##
## Send xodbc_connect_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xodbc_connect_client_packets'($*)) dnl
gen_require(`
type xodbc_connect_client_packet_t;
')
allow $1 xodbc_connect_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xodbc_connect_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xodbc_connect_client_packets'($*)) dnl
gen_require(`
type xodbc_connect_client_packet_t;
')
dontaudit $1 xodbc_connect_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Receive xodbc_connect_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xodbc_connect_client_packets'($*)) dnl
gen_require(`
type xodbc_connect_client_packet_t;
')
allow $1 xodbc_connect_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xodbc_connect_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xodbc_connect_client_packets'($*)) dnl
gen_require(`
type xodbc_connect_client_packet_t;
')
dontaudit $1 xodbc_connect_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Send and receive xodbc_connect_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xodbc_connect_client_packets'($*)) dnl
corenet_send_xodbc_connect_client_packets($1)
corenet_receive_xodbc_connect_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xodbc_connect_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xodbc_connect_client_packets'($*)) dnl
corenet_dontaudit_send_xodbc_connect_client_packets($1)
corenet_dontaudit_receive_xodbc_connect_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xodbc_connect_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xodbc_connect_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xodbc_connect_client_packets'($*)) dnl
gen_require(`
type xodbc_connect_client_packet_t;
')
allow $1 xodbc_connect_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xodbc_connect_client_packets'($*)) dnl
')
########################################
##
## Send xodbc_connect_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xodbc_connect_server_packets'($*)) dnl
gen_require(`
type xodbc_connect_server_packet_t;
')
allow $1 xodbc_connect_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xodbc_connect_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xodbc_connect_server_packets'($*)) dnl
gen_require(`
type xodbc_connect_server_packet_t;
')
dontaudit $1 xodbc_connect_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Receive xodbc_connect_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xodbc_connect_server_packets'($*)) dnl
gen_require(`
type xodbc_connect_server_packet_t;
')
allow $1 xodbc_connect_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xodbc_connect_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xodbc_connect_server_packets'($*)) dnl
gen_require(`
type xodbc_connect_server_packet_t;
')
dontaudit $1 xodbc_connect_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Send and receive xodbc_connect_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xodbc_connect_server_packets'($*)) dnl
corenet_send_xodbc_connect_server_packets($1)
corenet_receive_xodbc_connect_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xodbc_connect_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xodbc_connect_server_packets'($*)) dnl
corenet_dontaudit_send_xodbc_connect_server_packets($1)
corenet_dontaudit_receive_xodbc_connect_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xodbc_connect_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xodbc_connect_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xodbc_connect_server_packets'($*)) dnl
gen_require(`
type xodbc_connect_server_packet_t;
')
allow $1 xodbc_connect_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xodbc_connect_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xserver_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
dontaudit $1 xserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xserver_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
dontaudit $1 xserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xserver_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xserver_port'($*)) dnl
corenet_udp_send_xserver_port($1)
corenet_udp_receive_xserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xserver_port'($*)) dnl
corenet_dontaudit_udp_send_xserver_port($1)
corenet_dontaudit_udp_receive_xserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xserver_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xserver_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the xserver port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to xserver port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
dontaudit $1 xserver_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xserver_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the xserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
allow $1 xserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xserver_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to xserver port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_xserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xserver_port'($*)) dnl
gen_require(`
type xserver_port_t;
')
dontaudit $1 xserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xserver_port'($*)) dnl
')
########################################
##
## Send xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
allow $1 xserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
dontaudit $1 xserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_client_packets'($*)) dnl
')
########################################
##
## Receive xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
allow $1 xserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
dontaudit $1 xserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl
')
########################################
##
## Send and receive xserver_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_client_packets'($*)) dnl
corenet_send_xserver_client_packets($1)
corenet_receive_xserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xserver_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl
corenet_dontaudit_send_xserver_client_packets($1)
corenet_dontaudit_receive_xserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to xserver_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_client_packets'($*)) dnl
gen_require(`
type xserver_client_packet_t;
')
allow $1 xserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_client_packets'($*)) dnl
')
########################################
##
## Send xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
allow $1 xserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send xserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
dontaudit $1 xserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_server_packets'($*)) dnl
')
########################################
##
## Receive xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
allow $1 xserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
dontaudit $1 xserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive xserver_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_server_packets'($*)) dnl
corenet_send_xserver_server_packets($1)
corenet_receive_xserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive xserver_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl
corenet_dontaudit_send_xserver_server_packets($1)
corenet_dontaudit_receive_xserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to xserver_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_server_packets'($*)) dnl
gen_require(`
type xserver_server_packet_t;
')
allow $1 xserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
allow $1 qpasa_agent_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_qpasa_agent_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
allow $1 qpasa_agent_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_qpasa_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the qpasa_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
dontaudit $1 qpasa_agent_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_qpasa_agent_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
allow $1 qpasa_agent_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_qpasa_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the qpasa_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
dontaudit $1 qpasa_agent_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_qpasa_agent_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_qpasa_agent_port'($*)) dnl
corenet_udp_send_qpasa_agent_port($1)
corenet_udp_receive_qpasa_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_qpasa_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the qpasa_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_qpasa_agent_port'($*)) dnl
corenet_dontaudit_udp_send_qpasa_agent_port($1)
corenet_dontaudit_udp_receive_qpasa_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_qpasa_agent_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
allow $1 qpasa_agent_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_qpasa_agent_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
allow $1 qpasa_agent_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_qpasa_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to qpasa_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
dontaudit $1 qpasa_agent_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_qpasa_agent_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
allow $1 qpasa_agent_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_qpasa_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to qpasa_agent port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_qpasa_agent_port'($*)) dnl
gen_require(`
type qpasa_agent_port_t;
')
dontaudit $1 qpasa_agent_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_qpasa_agent_port'($*)) dnl
')
########################################
##
## Send qpasa_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_qpasa_agent_client_packets'($*)) dnl
gen_require(`
type qpasa_agent_client_packet_t;
')
allow $1 qpasa_agent_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send qpasa_agent_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_qpasa_agent_client_packets'($*)) dnl
gen_require(`
type qpasa_agent_client_packet_t;
')
dontaudit $1 qpasa_agent_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Receive qpasa_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_qpasa_agent_client_packets'($*)) dnl
gen_require(`
type qpasa_agent_client_packet_t;
')
allow $1 qpasa_agent_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive qpasa_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_qpasa_agent_client_packets'($*)) dnl
gen_require(`
type qpasa_agent_client_packet_t;
')
dontaudit $1 qpasa_agent_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Send and receive qpasa_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_qpasa_agent_client_packets'($*)) dnl
corenet_send_qpasa_agent_client_packets($1)
corenet_receive_qpasa_agent_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive qpasa_agent_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_qpasa_agent_client_packets'($*)) dnl
corenet_dontaudit_send_qpasa_agent_client_packets($1)
corenet_dontaudit_receive_qpasa_agent_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to qpasa_agent_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_qpasa_agent_client_packets'($*)) dnl
gen_require(`
type qpasa_agent_client_packet_t;
')
allow $1 qpasa_agent_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_qpasa_agent_client_packets'($*)) dnl
')
########################################
##
## Send qpasa_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_qpasa_agent_server_packets'($*)) dnl
gen_require(`
type qpasa_agent_server_packet_t;
')
allow $1 qpasa_agent_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send qpasa_agent_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_qpasa_agent_server_packets'($*)) dnl
gen_require(`
type qpasa_agent_server_packet_t;
')
dontaudit $1 qpasa_agent_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Receive qpasa_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_qpasa_agent_server_packets'($*)) dnl
gen_require(`
type qpasa_agent_server_packet_t;
')
allow $1 qpasa_agent_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive qpasa_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_qpasa_agent_server_packets'($*)) dnl
gen_require(`
type qpasa_agent_server_packet_t;
')
dontaudit $1 qpasa_agent_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Send and receive qpasa_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_qpasa_agent_server_packets'($*)) dnl
corenet_send_qpasa_agent_server_packets($1)
corenet_receive_qpasa_agent_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive qpasa_agent_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_qpasa_agent_server_packets'($*)) dnl
corenet_dontaudit_send_qpasa_agent_server_packets($1)
corenet_dontaudit_receive_qpasa_agent_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to qpasa_agent_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_qpasa_agent_server_packets'($*)) dnl
gen_require(`
type qpasa_agent_server_packet_t;
')
allow $1 qpasa_agent_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_qpasa_agent_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zarafa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
allow $1 zarafa_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zarafa_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zarafa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
allow $1 zarafa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zarafa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zarafa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
dontaudit $1 zarafa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zarafa_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zarafa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
allow $1 zarafa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zarafa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zarafa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
dontaudit $1 zarafa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zarafa_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zarafa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zarafa_port'($*)) dnl
corenet_udp_send_zarafa_port($1)
corenet_udp_receive_zarafa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zarafa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zarafa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zarafa_port'($*)) dnl
corenet_dontaudit_udp_send_zarafa_port($1)
corenet_dontaudit_udp_receive_zarafa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zarafa_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zarafa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
allow $1 zarafa_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zarafa_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zarafa port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
allow $1 zarafa_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zarafa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zarafa port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
dontaudit $1 zarafa_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zarafa_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zarafa port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
allow $1 zarafa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zarafa_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zarafa port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zarafa_port'($*)) dnl
gen_require(`
type zarafa_port_t;
')
dontaudit $1 zarafa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zarafa_port'($*)) dnl
')
########################################
##
## Send zarafa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zarafa_client_packets'($*)) dnl
gen_require(`
type zarafa_client_packet_t;
')
allow $1 zarafa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zarafa_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zarafa_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zarafa_client_packets'($*)) dnl
gen_require(`
type zarafa_client_packet_t;
')
dontaudit $1 zarafa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zarafa_client_packets'($*)) dnl
')
########################################
##
## Receive zarafa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zarafa_client_packets'($*)) dnl
gen_require(`
type zarafa_client_packet_t;
')
allow $1 zarafa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zarafa_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zarafa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zarafa_client_packets'($*)) dnl
gen_require(`
type zarafa_client_packet_t;
')
dontaudit $1 zarafa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zarafa_client_packets'($*)) dnl
')
########################################
##
## Send and receive zarafa_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zarafa_client_packets'($*)) dnl
corenet_send_zarafa_client_packets($1)
corenet_receive_zarafa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zarafa_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zarafa_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zarafa_client_packets'($*)) dnl
corenet_dontaudit_send_zarafa_client_packets($1)
corenet_dontaudit_receive_zarafa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zarafa_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zarafa_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zarafa_client_packets'($*)) dnl
gen_require(`
type zarafa_client_packet_t;
')
allow $1 zarafa_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zarafa_client_packets'($*)) dnl
')
########################################
##
## Send zarafa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zarafa_server_packets'($*)) dnl
gen_require(`
type zarafa_server_packet_t;
')
allow $1 zarafa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zarafa_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zarafa_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zarafa_server_packets'($*)) dnl
gen_require(`
type zarafa_server_packet_t;
')
dontaudit $1 zarafa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zarafa_server_packets'($*)) dnl
')
########################################
##
## Receive zarafa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zarafa_server_packets'($*)) dnl
gen_require(`
type zarafa_server_packet_t;
')
allow $1 zarafa_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zarafa_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zarafa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zarafa_server_packets'($*)) dnl
gen_require(`
type zarafa_server_packet_t;
')
dontaudit $1 zarafa_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zarafa_server_packets'($*)) dnl
')
########################################
##
## Send and receive zarafa_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zarafa_server_packets'($*)) dnl
corenet_send_zarafa_server_packets($1)
corenet_receive_zarafa_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zarafa_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zarafa_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zarafa_server_packets'($*)) dnl
corenet_dontaudit_send_zarafa_server_packets($1)
corenet_dontaudit_receive_zarafa_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zarafa_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zarafa_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zarafa_server_packets'($*)) dnl
gen_require(`
type zarafa_server_packet_t;
')
allow $1 zarafa_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zarafa_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zabbix port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
allow $1 zabbix_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zabbix_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zabbix port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
allow $1 zabbix_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zabbix_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zabbix port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
dontaudit $1 zabbix_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zabbix_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zabbix port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
allow $1 zabbix_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zabbix_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zabbix port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
dontaudit $1 zabbix_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zabbix_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zabbix port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zabbix_port'($*)) dnl
corenet_udp_send_zabbix_port($1)
corenet_udp_receive_zabbix_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zabbix_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zabbix port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zabbix_port'($*)) dnl
corenet_dontaudit_udp_send_zabbix_port($1)
corenet_dontaudit_udp_receive_zabbix_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zabbix_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zabbix port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
allow $1 zabbix_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zabbix_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zabbix port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
allow $1 zabbix_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zabbix_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zabbix port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
dontaudit $1 zabbix_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zabbix_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zabbix port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
allow $1 zabbix_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zabbix_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zabbix port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zabbix_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zabbix_port'($*)) dnl
gen_require(`
type zabbix_port_t;
')
dontaudit $1 zabbix_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zabbix_port'($*)) dnl
')
########################################
##
## Send zabbix_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_client_packets'($*)) dnl
gen_require(`
type zabbix_client_packet_t;
')
allow $1 zabbix_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zabbix_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_client_packets'($*)) dnl
gen_require(`
type zabbix_client_packet_t;
')
dontaudit $1 zabbix_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_client_packets'($*)) dnl
')
########################################
##
## Receive zabbix_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_client_packets'($*)) dnl
gen_require(`
type zabbix_client_packet_t;
')
allow $1 zabbix_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zabbix_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_client_packets'($*)) dnl
gen_require(`
type zabbix_client_packet_t;
')
dontaudit $1 zabbix_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_client_packets'($*)) dnl
')
########################################
##
## Send and receive zabbix_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_client_packets'($*)) dnl
corenet_send_zabbix_client_packets($1)
corenet_receive_zabbix_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zabbix_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_client_packets'($*)) dnl
corenet_dontaudit_send_zabbix_client_packets($1)
corenet_dontaudit_receive_zabbix_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zabbix_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zabbix_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_client_packets'($*)) dnl
gen_require(`
type zabbix_client_packet_t;
')
allow $1 zabbix_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_client_packets'($*)) dnl
')
########################################
##
## Send zabbix_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_server_packets'($*)) dnl
gen_require(`
type zabbix_server_packet_t;
')
allow $1 zabbix_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zabbix_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_server_packets'($*)) dnl
gen_require(`
type zabbix_server_packet_t;
')
dontaudit $1 zabbix_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_server_packets'($*)) dnl
')
########################################
##
## Receive zabbix_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_server_packets'($*)) dnl
gen_require(`
type zabbix_server_packet_t;
')
allow $1 zabbix_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zabbix_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_server_packets'($*)) dnl
gen_require(`
type zabbix_server_packet_t;
')
dontaudit $1 zabbix_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_server_packets'($*)) dnl
')
########################################
##
## Send and receive zabbix_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_server_packets'($*)) dnl
corenet_send_zabbix_server_packets($1)
corenet_receive_zabbix_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zabbix_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_server_packets'($*)) dnl
corenet_dontaudit_send_zabbix_server_packets($1)
corenet_dontaudit_receive_zabbix_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zabbix_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zabbix_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_server_packets'($*)) dnl
gen_require(`
type zabbix_server_packet_t;
')
allow $1 zabbix_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
allow $1 zabbix_agent_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zabbix_agent_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
allow $1 zabbix_agent_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zabbix_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zabbix_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
dontaudit $1 zabbix_agent_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zabbix_agent_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
allow $1 zabbix_agent_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zabbix_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zabbix_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
dontaudit $1 zabbix_agent_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zabbix_agent_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zabbix_agent_port'($*)) dnl
corenet_udp_send_zabbix_agent_port($1)
corenet_udp_receive_zabbix_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zabbix_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zabbix_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zabbix_agent_port'($*)) dnl
corenet_dontaudit_udp_send_zabbix_agent_port($1)
corenet_dontaudit_udp_receive_zabbix_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zabbix_agent_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
allow $1 zabbix_agent_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zabbix_agent_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
allow $1 zabbix_agent_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zabbix_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zabbix_agent port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
dontaudit $1 zabbix_agent_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zabbix_agent_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
allow $1 zabbix_agent_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zabbix_agent_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zabbix_agent port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zabbix_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zabbix_agent_port'($*)) dnl
gen_require(`
type zabbix_agent_port_t;
')
dontaudit $1 zabbix_agent_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zabbix_agent_port'($*)) dnl
')
########################################
##
## Send zabbix_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_agent_client_packets'($*)) dnl
gen_require(`
type zabbix_agent_client_packet_t;
')
allow $1 zabbix_agent_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zabbix_agent_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_agent_client_packets'($*)) dnl
gen_require(`
type zabbix_agent_client_packet_t;
')
dontaudit $1 zabbix_agent_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Receive zabbix_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_agent_client_packets'($*)) dnl
gen_require(`
type zabbix_agent_client_packet_t;
')
allow $1 zabbix_agent_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zabbix_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_agent_client_packets'($*)) dnl
gen_require(`
type zabbix_agent_client_packet_t;
')
dontaudit $1 zabbix_agent_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Send and receive zabbix_agent_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_agent_client_packets'($*)) dnl
corenet_send_zabbix_agent_client_packets($1)
corenet_receive_zabbix_agent_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zabbix_agent_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_agent_client_packets'($*)) dnl
corenet_dontaudit_send_zabbix_agent_client_packets($1)
corenet_dontaudit_receive_zabbix_agent_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zabbix_agent_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zabbix_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_agent_client_packets'($*)) dnl
gen_require(`
type zabbix_agent_client_packet_t;
')
allow $1 zabbix_agent_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_agent_client_packets'($*)) dnl
')
########################################
##
## Send zabbix_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_agent_server_packets'($*)) dnl
gen_require(`
type zabbix_agent_server_packet_t;
')
allow $1 zabbix_agent_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zabbix_agent_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_agent_server_packets'($*)) dnl
gen_require(`
type zabbix_agent_server_packet_t;
')
dontaudit $1 zabbix_agent_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Receive zabbix_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_agent_server_packets'($*)) dnl
gen_require(`
type zabbix_agent_server_packet_t;
')
allow $1 zabbix_agent_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zabbix_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_agent_server_packets'($*)) dnl
gen_require(`
type zabbix_agent_server_packet_t;
')
dontaudit $1 zabbix_agent_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Send and receive zabbix_agent_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_agent_server_packets'($*)) dnl
corenet_send_zabbix_agent_server_packets($1)
corenet_receive_zabbix_agent_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zabbix_agent_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_agent_server_packets'($*)) dnl
corenet_dontaudit_send_zabbix_agent_server_packets($1)
corenet_dontaudit_receive_zabbix_agent_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zabbix_agent_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zabbix_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_agent_server_packets'($*)) dnl
gen_require(`
type zabbix_agent_server_packet_t;
')
allow $1 zabbix_agent_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_agent_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
allow $1 zookeeper_client_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_client_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
allow $1 zookeeper_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zookeeper_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
dontaudit $1 zookeeper_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_client_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
allow $1 zookeeper_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zookeeper_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
dontaudit $1 zookeeper_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_client_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_client_port'($*)) dnl
corenet_udp_send_zookeeper_client_port($1)
corenet_udp_receive_zookeeper_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zookeeper_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_client_port'($*)) dnl
corenet_dontaudit_udp_send_zookeeper_client_port($1)
corenet_dontaudit_udp_receive_zookeeper_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_client_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
allow $1 zookeeper_client_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_client_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
allow $1 zookeeper_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zookeeper_client port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
dontaudit $1 zookeeper_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zookeeper_client_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
allow $1 zookeeper_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_client_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zookeeper_client port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zookeeper_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zookeeper_client_port'($*)) dnl
gen_require(`
type zookeeper_client_port_t;
')
dontaudit $1 zookeeper_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zookeeper_client_port'($*)) dnl
')
########################################
##
## Send zookeeper_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_client_client_packets'($*)) dnl
gen_require(`
type zookeeper_client_client_packet_t;
')
allow $1 zookeeper_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zookeeper_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_client_client_packets'($*)) dnl
gen_require(`
type zookeeper_client_client_packet_t;
')
dontaudit $1 zookeeper_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Receive zookeeper_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_client_client_packets'($*)) dnl
gen_require(`
type zookeeper_client_client_packet_t;
')
allow $1 zookeeper_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zookeeper_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_client_client_packets'($*)) dnl
gen_require(`
type zookeeper_client_client_packet_t;
')
dontaudit $1 zookeeper_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Send and receive zookeeper_client_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_client_client_packets'($*)) dnl
corenet_send_zookeeper_client_client_packets($1)
corenet_receive_zookeeper_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zookeeper_client_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_client_client_packets'($*)) dnl
corenet_dontaudit_send_zookeeper_client_client_packets($1)
corenet_dontaudit_receive_zookeeper_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zookeeper_client_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zookeeper_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_client_client_packets'($*)) dnl
gen_require(`
type zookeeper_client_client_packet_t;
')
allow $1 zookeeper_client_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_client_client_packets'($*)) dnl
')
########################################
##
## Send zookeeper_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_client_server_packets'($*)) dnl
gen_require(`
type zookeeper_client_server_packet_t;
')
allow $1 zookeeper_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zookeeper_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_client_server_packets'($*)) dnl
gen_require(`
type zookeeper_client_server_packet_t;
')
dontaudit $1 zookeeper_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Receive zookeeper_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_client_server_packets'($*)) dnl
gen_require(`
type zookeeper_client_server_packet_t;
')
allow $1 zookeeper_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zookeeper_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_client_server_packets'($*)) dnl
gen_require(`
type zookeeper_client_server_packet_t;
')
dontaudit $1 zookeeper_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive zookeeper_client_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_client_server_packets'($*)) dnl
corenet_send_zookeeper_client_server_packets($1)
corenet_receive_zookeeper_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zookeeper_client_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_client_server_packets'($*)) dnl
corenet_dontaudit_send_zookeeper_client_server_packets($1)
corenet_dontaudit_receive_zookeeper_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zookeeper_client_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zookeeper_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_client_server_packets'($*)) dnl
gen_require(`
type zookeeper_client_server_packet_t;
')
allow $1 zookeeper_client_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_client_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
allow $1 zookeeper_election_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_election_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
allow $1 zookeeper_election_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_election_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zookeeper_election port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
dontaudit $1 zookeeper_election_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_election_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
allow $1 zookeeper_election_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_election_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zookeeper_election port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
dontaudit $1 zookeeper_election_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_election_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_election_port'($*)) dnl
corenet_udp_send_zookeeper_election_port($1)
corenet_udp_receive_zookeeper_election_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_election_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zookeeper_election port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_election_port'($*)) dnl
corenet_dontaudit_udp_send_zookeeper_election_port($1)
corenet_dontaudit_udp_receive_zookeeper_election_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_election_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
allow $1 zookeeper_election_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_election_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
allow $1 zookeeper_election_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_election_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zookeeper_election port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
dontaudit $1 zookeeper_election_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zookeeper_election_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
allow $1 zookeeper_election_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_election_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zookeeper_election port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zookeeper_election_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zookeeper_election_port'($*)) dnl
gen_require(`
type zookeeper_election_port_t;
')
dontaudit $1 zookeeper_election_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zookeeper_election_port'($*)) dnl
')
########################################
##
## Send zookeeper_election_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_election_client_packets'($*)) dnl
gen_require(`
type zookeeper_election_client_packet_t;
')
allow $1 zookeeper_election_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zookeeper_election_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_election_client_packets'($*)) dnl
gen_require(`
type zookeeper_election_client_packet_t;
')
dontaudit $1 zookeeper_election_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Receive zookeeper_election_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_election_client_packets'($*)) dnl
gen_require(`
type zookeeper_election_client_packet_t;
')
allow $1 zookeeper_election_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zookeeper_election_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_election_client_packets'($*)) dnl
gen_require(`
type zookeeper_election_client_packet_t;
')
dontaudit $1 zookeeper_election_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Send and receive zookeeper_election_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_election_client_packets'($*)) dnl
corenet_send_zookeeper_election_client_packets($1)
corenet_receive_zookeeper_election_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zookeeper_election_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_election_client_packets'($*)) dnl
corenet_dontaudit_send_zookeeper_election_client_packets($1)
corenet_dontaudit_receive_zookeeper_election_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zookeeper_election_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zookeeper_election_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_election_client_packets'($*)) dnl
gen_require(`
type zookeeper_election_client_packet_t;
')
allow $1 zookeeper_election_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_election_client_packets'($*)) dnl
')
########################################
##
## Send zookeeper_election_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_election_server_packets'($*)) dnl
gen_require(`
type zookeeper_election_server_packet_t;
')
allow $1 zookeeper_election_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zookeeper_election_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_election_server_packets'($*)) dnl
gen_require(`
type zookeeper_election_server_packet_t;
')
dontaudit $1 zookeeper_election_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Receive zookeeper_election_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_election_server_packets'($*)) dnl
gen_require(`
type zookeeper_election_server_packet_t;
')
allow $1 zookeeper_election_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zookeeper_election_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_election_server_packets'($*)) dnl
gen_require(`
type zookeeper_election_server_packet_t;
')
dontaudit $1 zookeeper_election_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Send and receive zookeeper_election_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_election_server_packets'($*)) dnl
corenet_send_zookeeper_election_server_packets($1)
corenet_receive_zookeeper_election_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zookeeper_election_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_election_server_packets'($*)) dnl
corenet_dontaudit_send_zookeeper_election_server_packets($1)
corenet_dontaudit_receive_zookeeper_election_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zookeeper_election_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zookeeper_election_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_election_server_packets'($*)) dnl
gen_require(`
type zookeeper_election_server_packet_t;
')
allow $1 zookeeper_election_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_election_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
allow $1 zookeeper_leader_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
allow $1 zookeeper_leader_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zookeeper_leader port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
dontaudit $1 zookeeper_leader_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
allow $1 zookeeper_leader_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zookeeper_leader port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
dontaudit $1 zookeeper_leader_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_leader_port'($*)) dnl
corenet_udp_send_zookeeper_leader_port($1)
corenet_udp_receive_zookeeper_leader_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zookeeper_leader port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_leader_port'($*)) dnl
corenet_dontaudit_udp_send_zookeeper_leader_port($1)
corenet_dontaudit_udp_receive_zookeeper_leader_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
allow $1 zookeeper_leader_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
allow $1 zookeeper_leader_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zookeeper_leader port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
dontaudit $1 zookeeper_leader_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
allow $1 zookeeper_leader_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zookeeper_leader port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zookeeper_leader_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zookeeper_leader_port'($*)) dnl
gen_require(`
type zookeeper_leader_port_t;
')
dontaudit $1 zookeeper_leader_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zookeeper_leader_port'($*)) dnl
')
########################################
##
## Send zookeeper_leader_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_leader_client_packets'($*)) dnl
gen_require(`
type zookeeper_leader_client_packet_t;
')
allow $1 zookeeper_leader_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zookeeper_leader_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_leader_client_packets'($*)) dnl
gen_require(`
type zookeeper_leader_client_packet_t;
')
dontaudit $1 zookeeper_leader_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Receive zookeeper_leader_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_leader_client_packets'($*)) dnl
gen_require(`
type zookeeper_leader_client_packet_t;
')
allow $1 zookeeper_leader_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zookeeper_leader_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_leader_client_packets'($*)) dnl
gen_require(`
type zookeeper_leader_client_packet_t;
')
dontaudit $1 zookeeper_leader_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Send and receive zookeeper_leader_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_leader_client_packets'($*)) dnl
corenet_send_zookeeper_leader_client_packets($1)
corenet_receive_zookeeper_leader_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zookeeper_leader_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_leader_client_packets'($*)) dnl
corenet_dontaudit_send_zookeeper_leader_client_packets($1)
corenet_dontaudit_receive_zookeeper_leader_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zookeeper_leader_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zookeeper_leader_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_leader_client_packets'($*)) dnl
gen_require(`
type zookeeper_leader_client_packet_t;
')
allow $1 zookeeper_leader_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_leader_client_packets'($*)) dnl
')
########################################
##
## Send zookeeper_leader_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_leader_server_packets'($*)) dnl
gen_require(`
type zookeeper_leader_server_packet_t;
')
allow $1 zookeeper_leader_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zookeeper_leader_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_leader_server_packets'($*)) dnl
gen_require(`
type zookeeper_leader_server_packet_t;
')
dontaudit $1 zookeeper_leader_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Receive zookeeper_leader_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_leader_server_packets'($*)) dnl
gen_require(`
type zookeeper_leader_server_packet_t;
')
allow $1 zookeeper_leader_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zookeeper_leader_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_leader_server_packets'($*)) dnl
gen_require(`
type zookeeper_leader_server_packet_t;
')
dontaudit $1 zookeeper_leader_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Send and receive zookeeper_leader_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_leader_server_packets'($*)) dnl
corenet_send_zookeeper_leader_server_packets($1)
corenet_receive_zookeeper_leader_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zookeeper_leader_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_leader_server_packets'($*)) dnl
corenet_dontaudit_send_zookeeper_leader_server_packets($1)
corenet_dontaudit_receive_zookeeper_leader_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zookeeper_leader_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zookeeper_leader_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_leader_server_packets'($*)) dnl
gen_require(`
type zookeeper_leader_server_packet_t;
')
allow $1 zookeeper_leader_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_leader_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zebra_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
dontaudit $1 zebra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zebra_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
dontaudit $1 zebra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zebra_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zebra_port'($*)) dnl
corenet_udp_send_zebra_port($1)
corenet_udp_receive_zebra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zebra_port'($*)) dnl
corenet_dontaudit_udp_send_zebra_port($1)
corenet_dontaudit_udp_receive_zebra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zebra_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zebra_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zebra port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zebra port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
dontaudit $1 zebra_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zebra_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zebra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
allow $1 zebra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zebra_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zebra port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zebra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zebra_port'($*)) dnl
gen_require(`
type zebra_port_t;
')
dontaudit $1 zebra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zebra_port'($*)) dnl
')
########################################
##
## Send zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
allow $1 zebra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zebra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zebra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
dontaudit $1 zebra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_client_packets'($*)) dnl
')
########################################
##
## Receive zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
allow $1 zebra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
dontaudit $1 zebra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_client_packets'($*)) dnl
')
########################################
##
## Send and receive zebra_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_client_packets'($*)) dnl
corenet_send_zebra_client_packets($1)
corenet_receive_zebra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zebra_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_client_packets'($*)) dnl
corenet_dontaudit_send_zebra_client_packets($1)
corenet_dontaudit_receive_zebra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zebra_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zebra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_client_packets'($*)) dnl
gen_require(`
type zebra_client_packet_t;
')
allow $1 zebra_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_client_packets'($*)) dnl
')
########################################
##
## Send zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
allow $1 zebra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zebra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zebra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
dontaudit $1 zebra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_server_packets'($*)) dnl
')
########################################
##
## Receive zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
allow $1 zebra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
dontaudit $1 zebra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_server_packets'($*)) dnl
')
########################################
##
## Send and receive zebra_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_server_packets'($*)) dnl
corenet_send_zebra_server_packets($1)
corenet_receive_zebra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zebra_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_server_packets'($*)) dnl
corenet_dontaudit_send_zebra_server_packets($1)
corenet_dontaudit_receive_zebra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zebra_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zebra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_server_packets'($*)) dnl
gen_require(`
type zebra_server_packet_t;
')
allow $1 zebra_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zented port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
allow $1 zented_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zented_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zented port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
allow $1 zented_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zented_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zented port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
dontaudit $1 zented_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zented_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zented port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
allow $1 zented_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zented_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zented port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
dontaudit $1 zented_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zented_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zented port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zented_port'($*)) dnl
corenet_udp_send_zented_port($1)
corenet_udp_receive_zented_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zented_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zented port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zented_port'($*)) dnl
corenet_dontaudit_udp_send_zented_port($1)
corenet_dontaudit_udp_receive_zented_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zented_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zented port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
allow $1 zented_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zented_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zented port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
allow $1 zented_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zented_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zented port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
dontaudit $1 zented_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zented_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zented port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
allow $1 zented_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zented_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zented port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zented_port'($*)) dnl
gen_require(`
type zented_port_t;
')
dontaudit $1 zented_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zented_port'($*)) dnl
')
########################################
##
## Send zented_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zented_client_packets'($*)) dnl
gen_require(`
type zented_client_packet_t;
')
allow $1 zented_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zented_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zented_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zented_client_packets'($*)) dnl
gen_require(`
type zented_client_packet_t;
')
dontaudit $1 zented_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zented_client_packets'($*)) dnl
')
########################################
##
## Receive zented_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zented_client_packets'($*)) dnl
gen_require(`
type zented_client_packet_t;
')
allow $1 zented_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zented_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zented_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zented_client_packets'($*)) dnl
gen_require(`
type zented_client_packet_t;
')
dontaudit $1 zented_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zented_client_packets'($*)) dnl
')
########################################
##
## Send and receive zented_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zented_client_packets'($*)) dnl
corenet_send_zented_client_packets($1)
corenet_receive_zented_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zented_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zented_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zented_client_packets'($*)) dnl
corenet_dontaudit_send_zented_client_packets($1)
corenet_dontaudit_receive_zented_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zented_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zented_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zented_client_packets'($*)) dnl
gen_require(`
type zented_client_packet_t;
')
allow $1 zented_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zented_client_packets'($*)) dnl
')
########################################
##
## Send zented_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zented_server_packets'($*)) dnl
gen_require(`
type zented_server_packet_t;
')
allow $1 zented_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zented_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zented_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zented_server_packets'($*)) dnl
gen_require(`
type zented_server_packet_t;
')
dontaudit $1 zented_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zented_server_packets'($*)) dnl
')
########################################
##
## Receive zented_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zented_server_packets'($*)) dnl
gen_require(`
type zented_server_packet_t;
')
allow $1 zented_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zented_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zented_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zented_server_packets'($*)) dnl
gen_require(`
type zented_server_packet_t;
')
dontaudit $1 zented_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zented_server_packets'($*)) dnl
')
########################################
##
## Send and receive zented_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zented_server_packets'($*)) dnl
corenet_send_zented_server_packets($1)
corenet_receive_zented_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zented_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zented_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zented_server_packets'($*)) dnl
corenet_dontaudit_send_zented_server_packets($1)
corenet_dontaudit_receive_zented_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zented_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zented_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zented_server_packets'($*)) dnl
gen_require(`
type zented_server_packet_t;
')
allow $1 zented_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zented_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zope_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the zope port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
dontaudit $1 zope_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zope_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the zope port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
dontaudit $1 zope_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zope_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zope_port'($*)) dnl
corenet_udp_send_zope_port($1)
corenet_udp_receive_zope_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the zope port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl
corenet_dontaudit_udp_send_zope_port($1)
corenet_dontaudit_udp_receive_zope_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zope_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the zope port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to sbind to zope port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
dontaudit $1 zope_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zope_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the zope port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
allow $1 zope_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zope_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to zope port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dontaudit_tcp_connect_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zope_port'($*)) dnl
gen_require(`
type zope_port_t;
')
dontaudit $1 zope_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zope_port'($*)) dnl
')
########################################
##
## Send zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
allow $1 zope_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zope_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zope_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
dontaudit $1 zope_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_client_packets'($*)) dnl
')
########################################
##
## Receive zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
allow $1 zope_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zope_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
dontaudit $1 zope_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_client_packets'($*)) dnl
')
########################################
##
## Send and receive zope_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_client_packets'($*)) dnl
corenet_send_zope_client_packets($1)
corenet_receive_zope_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zope_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl
corenet_dontaudit_send_zope_client_packets($1)
corenet_dontaudit_receive_zope_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to zope_client the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_client_packets'($*)) dnl
gen_require(`
type zope_client_packet_t;
')
allow $1 zope_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_client_packets'($*)) dnl
')
########################################
##
## Send zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
allow $1 zope_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zope_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send zope_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
dontaudit $1 zope_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_server_packets'($*)) dnl
')
########################################
##
## Receive zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
allow $1 zope_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zope_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_dontaudit_receive_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
dontaudit $1 zope_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_server_packets'($*)) dnl
')
########################################
##
## Send and receive zope_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_server_packets'($*)) dnl
corenet_send_zope_server_packets($1)
corenet_receive_zope_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive zope_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl
corenet_dontaudit_send_zope_server_packets($1)
corenet_dontaudit_receive_zope_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to zope_server the packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_server_packets'($*)) dnl
gen_require(`
type zope_server_packet_t;
')
allow $1 zope_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lo_if'($*)) dnl
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif { tcp_send tcp_recv egress ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lo_if'($*)) dnl
')
########################################
##
## Send UDP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lo_if'($*)) dnl
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif { udp_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lo_if'($*)) dnl
')
########################################
##
## Receive UDP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lo_if'($*)) dnl
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif { udp_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lo_if'($*)) dnl
')
########################################
##
## Send and receive UDP network traffic on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lo_if'($*)) dnl
corenet_udp_send_lo_if($1)
corenet_udp_receive_lo_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lo_if'($*)) dnl
')
########################################
##
## Send raw IP packets on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_send_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_lo_if'($*)) dnl
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif { rawip_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_lo_if'($*)) dnl
')
########################################
##
## Receive raw IP packets on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_receive_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_lo_if'($*)) dnl
gen_require(`
type lo_netif_t;
')
allow $1 lo_netif_t:netif { rawip_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_lo_if'($*)) dnl
')
########################################
##
## Send and receive raw IP packets on the lo interface.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_raw_sendrecv_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_lo_if'($*)) dnl
corenet_raw_send_lo_if($1)
corenet_raw_receive_lo_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_lo_if'($*)) dnl
')
##
## Device nodes and interfaces for many basic system devices.
##
##
##
## This module creates the device node concept and provides
## the policy for many of the device files. Notable exceptions are
## the mass storage and terminal devices that are covered by other
## modules.
##
##
## This module creates the concept of a device node. That is a
## char or block device file, usually in /dev. All types that
## are used to label device nodes should use the dev_node macro.
##
##
## Additionally, this module controls access to three things:
##
## - the device directories containing device nodes
## - device nodes as a group
## - individual access to specific device nodes covered by
## this module.
##
##
##
##
## Depended on by other required modules.
##
########################################
##
## Make the specified type usable for device
## nodes in a filesystem.
##
##
##
## Make the specified type usable for device nodes
## in a filesystem. Types used for device nodes that
## do not use this interface, or an interface that
## calls this one, will have unexpected behaviors
## while the system is running.
##
##
## Example:
##
##
## type mydev_t;
## dev_node(mydev_t)
## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
##
##
## Related interfaces:
##
##
## - term_tty()
## - term_pty()
##
##
##
##
## Type to be used for device nodes.
##
##
##
#
define(`dev_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_node'($*)) dnl
gen_require(`
attribute device_node;
')
typeattribute $1 device_node;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_node'($*)) dnl
')
########################################
##
## Associate the specified file type with device filesystem.
##
##
##
## The type of the file to be associated.
##
##
#
define(`dev_associate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_associate'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:filesystem associate;
fs_associate_tmpfs($1) #For backwards compatibility
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_associate'($*)) dnl
')
########################################
##
## Get attributes of device filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_fs'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_fs'($*)) dnl
')
########################################
##
## Mount a filesystem on /dev
##
##
##
## Domain allow access.
##
##
#
define(`dev_mounton',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mounton'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mounton'($*)) dnl
')
########################################
##
## Allow caller domain to mounton all device nodes
##
##
##
## Domain allow access.
##
##
#
define(`dev_mounton_all_device_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mounton_all_device_nodes'($*)) dnl
gen_require(`
attribute device_node;
')
allow $1 device_node:file mounton;
allow $1 device_node:chr_file mounton;
allow $1 device_node:blk_file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mounton_all_device_nodes'($*)) dnl
')
########################################
##
## Allow full relabeling (to and from) of all device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_relabel_all_dev_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_nodes'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
relabel_dirs_pattern($1, device_t, device_node)
relabel_files_pattern($1, device_t, device_node)
relabel_lnk_files_pattern($1, device_t, device_node)
relabel_fifo_files_pattern($1, device_t, device_node)
relabel_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1, device_t, device_node)
relabel_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_nodes'($*)) dnl
')
########################################
##
## Allow full relabeling (to and from) of all device files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_relabel_all_dev_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_files'($*)) dnl
gen_require(`
type device_t;
')
relabel_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_files'($*)) dnl
')
########################################
##
## List all of the device nodes in a device directory.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_list_all_dev_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_list_all_dev_nodes'($*)) dnl
gen_require(`
type device_t;
')
list_dirs_pattern($1, device_t, device_t)
read_lnk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_list_all_dev_nodes'($*)) dnl
')
########################################
##
## Set the attributes of /dev directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
setattr_dirs_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_generic_dirs'($*)) dnl
')
########################################
##
## Dontaudit attempts to list all device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_list_all_dev_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_list_all_dev_nodes'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_list_all_dev_nodes'($*)) dnl
')
########################################
##
## Dontaudit attempts to list all device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_all_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_all_access_check'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_all_access_check'($*)) dnl
')
########################################
##
## Add entries to directories in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_add_entry_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_add_entry_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir add_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_add_entry_generic_dirs'($*)) dnl
')
########################################
##
## Add entries to directories in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_remove_entry_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_remove_entry_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir del_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_remove_entry_generic_dirs'($*)) dnl
')
########################################
##
## Create a directory in the device directory.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:dir list_dir_perms;
create_dirs_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_dirs'($*)) dnl
')
########################################
##
## Watch generic device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_watch_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_watch_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
watch_dirs_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_watch_generic_dirs'($*)) dnl
')
########################################
##
## Delete a directory in the device directory.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
delete_dirs_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_dirs'($*)) dnl
')
########################################
##
## Manage of directories in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_dirs'($*)) dnl
gen_require(`
type device_t;
')
manage_dirs_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_dirs'($*)) dnl
')
########################################
##
## Allow full relabeling (to and from) of directories in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_generic_dev_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_dev_dirs'($*)) dnl
gen_require(`
type device_t;
')
relabel_dirs_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_generic_dev_dirs'($*)) dnl
')
########################################
##
## dontaudit getattr generic files in /dev.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_generic_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_files'($*)) dnl
')
########################################
##
## Read generic files in /dev.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_read_generic_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_generic_files'($*)) dnl
gen_require(`
type device_t;
')
read_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_generic_files'($*)) dnl
')
#######################################
##
## Read generic files in /dev.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_generic_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_generic_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:file { read getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_generic_files'($*)) dnl
')
########################################
##
## Read and write generic files in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_generic_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_files'($*)) dnl
gen_require(`
type device_t;
')
rw_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_files'($*)) dnl
')
########################################
##
## Delete generic files in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_files'($*)) dnl
gen_require(`
type device_t;
')
delete_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_files'($*)) dnl
')
########################################
##
## Create a file in the device directory.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_files'($*)) dnl
gen_require(`
type device_t;
')
manage_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_files'($*)) dnl
')
########################################
##
## Dontaudit getattr on generic pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_generic_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_pipes'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_pipes'($*)) dnl
')
########################################
##
## Write generic socket files in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_generic_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_generic_sockets'($*)) dnl
gen_require(`
type device_t;
')
write_sock_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_generic_sockets'($*)) dnl
')
########################################
##
## Allow getattr on generic block devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
getattr_blk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_blk_files'($*)) dnl
')
########################################
##
## Rename generic block device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rename_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
rename_blk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_generic_blk_files'($*)) dnl
')
########################################
##
## write generic sock files in /dev. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_generic_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_generic_sock_files'($*)) dnl
refpolicywarn(`$0($*) has been replaced with dev_write_generic_sockets().')
dev_write_generic_sockets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_generic_sock_files'($*)) dnl
')
########################################
##
## Dontaudit getattr on generic block devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_blk_files'($*)) dnl
')
########################################
##
## Dontaudit setattr on generic block devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_blk_files'($*)) dnl
')
########################################
##
## Create generic block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
create_blk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_blk_files'($*)) dnl
')
########################################
##
## Delete generic block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
delete_blk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_blk_files'($*)) dnl
')
########################################
##
## Allow getattr for generic character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
getattr_chr_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_chr_files'($*)) dnl
')
########################################
##
## Dontaudit getattr for generic character device files.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_chr_files'($*)) dnl
')
########################################
##
## Rename generic character device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rename_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
rename_chr_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_generic_chr_files'($*)) dnl
')
########################################
##
## Dontaudit setattr for generic character device files.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_chr_files'($*)) dnl
')
########################################
##
## Read generic character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_generic_chr_files'($*)) dnl
')
########################################
##
## Read and write generic character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_chr_files'($*)) dnl
')
########################################
##
## Read and write generic block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:blk_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_blk_files'($*)) dnl
')
########################################
##
## Dontaudit attempts to read/write generic character device files.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_chr_files'($*)) dnl
')
########################################
##
## Create generic character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
create_chr_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_chr_files'($*)) dnl
')
########################################
##
## Delete generic character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
delete_chr_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_chr_files'($*)) dnl
')
########################################
##
## Relabel from generic character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabelfrom_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabelfrom_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:chr_file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabelfrom_generic_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_generic_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:lnk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_symlinks'($*)) dnl
')
########################################
##
## Create symbolic links in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_generic_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
create_lnk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_generic_symlinks'($*)) dnl
')
########################################
##
## Delete symbolic links in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_generic_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
delete_lnk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_generic_symlinks'($*)) dnl
')
########################################
##
## Read symbolic links in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_generic_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
allow $1 device_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_generic_symlinks'($*)) dnl
')
########################################
##
## Create, delete, read, and write symbolic links in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
manage_lnk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_symlinks'($*)) dnl
')
########################################
##
## Relabel symbolic links in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_generic_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_symlinks'($*)) dnl
gen_require(`
type device_t;
')
relabel_lnk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_generic_symlinks'($*)) dnl
')
########################################
##
## Create, delete, read, and write device nodes in device directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_all_dev_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_dev_nodes'($*)) dnl
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
')
manage_dirs_pattern($1, device_t, device_t)
manage_sock_files_pattern($1, device_t, device_t)
manage_lnk_files_pattern($1, device_t, device_t)
manage_chr_files_pattern($1, device_t, { device_t device_node })
manage_blk_files_pattern($1, device_t, { device_t device_node })
relabel_dirs_pattern($1, device_t, device_t)
relabel_chr_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
typeattribute $1 memory_raw_read;
typeattribute $1 memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_dev_nodes'($*)) dnl
')
########################################
##
## Dontaudit getattr for generic device files.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_generic_dev_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl
gen_require(`
type device_t;
')
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl
')
########################################
##
## Read block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
read_blk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_generic_blk_files'($*)) dnl
')
########################################
##
## Create, delete, read, and write block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_blk_files'($*)) dnl
gen_require(`
type device_t;
')
manage_blk_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_blk_files'($*)) dnl
')
########################################
##
## Create, delete, read, and write character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_generic_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_generic_chr_files'($*)) dnl
gen_require(`
type device_t;
')
manage_chr_files_pattern($1, device_t, device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_generic_chr_files'($*)) dnl
')
########################################
##
## Create, read, and write device nodes. The node
## will be transitioned to the type provided.
##
##
##
## Domain allowed access.
##
##
##
##
## Type to which the created node will be transitioned.
##
##
##
##
## Object class(es) (single or set including {}) for which this
## the transition will occur.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans'($*)) dnl
gen_require(`
type device_t;
')
filetrans_pattern($1, device_t, $2, $3, $4)
dev_associate($2)
files_associate_tmp($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans'($*)) dnl
')
########################################
##
## Create, read, and write device nodes. The node
## will be transitioned to the type provided. This is
## a temporary interface until devtmpfs functionality
## fixed.
##
##
##
## Domain allowed access.
##
##
##
##
## Object class(es) (single or set including {}) for which this
## the transition will occur.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_tmpfs_filetrans_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_tmpfs_filetrans_dev'($*)) dnl
gen_require(`
type device_t;
')
fs_tmpfs_filetrans($1, device_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_tmpfs_filetrans_dev'($*)) dnl
')
########################################
##
## Allow getattr on all device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_all'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
allow $1 { device_t device_node }:dir_file_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_all'($*)) dnl
')
########################################
##
## Getattr on all block file device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_getattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
getattr_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_all_blk_files'($*)) dnl
')
########################################
##
## Lock on all block file device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_lock_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_lock_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
lock_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_lock_all_blk_files'($*)) dnl
')
########################################
##
## Read on all block file device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_read_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
read_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_all_blk_files'($*)) dnl
')
########################################
##
## Dontaudit getattr on all block file device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
dontaudit $1 { device_t device_node }:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_blk_files'($*)) dnl
')
########################################
##
## Getattr on all character file device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
getattr_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_all_chr_files'($*)) dnl
')
########################################
##
## Dontaudit getattr on all character file device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
dontaudit $1 { device_t device_node }:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_chr_files'($*)) dnl
')
########################################
##
## Setattr on all block file device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_setattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
setattr_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_all_blk_files'($*)) dnl
')
########################################
##
## Setattr on all character file device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_setattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
setattr_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_all_chr_files'($*)) dnl
')
########################################
##
## Dontaudit read on all block file device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_blk_files'($*)) dnl
')
########################################
##
## Dontaudit write on all block file device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_write_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_all_blk_files'($*)) dnl
')
########################################
##
## Dontaudit read on all character file device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_chr_files'($*)) dnl
')
########################################
##
## Dontaudit write on all character file device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_write_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_all_chr_files'($*)) dnl
')
########################################
##
## Create all device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_files'($*)) dnl
gen_require(`
attribute device_node;
')
create_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_files'($*)) dnl
')
########################################
##
## Create all block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
create_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_blk_files'($*)) dnl
')
########################################
##
## Create all character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
create_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_chr_files'($*)) dnl
')
########################################
##
## rw all inherited character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_all_inherited_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_all_inherited_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
allow $1 device_node:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_all_inherited_chr_files'($*)) dnl
')
########################################
##
## rw all inherited blk device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_all_inherited_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_all_inherited_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
allow $1 device_node:blk_file rw_inherited_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_all_inherited_blk_files'($*)) dnl
')
########################################
##
## Delete all block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
delete_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_all_blk_files'($*)) dnl
')
########################################
##
## Delete all character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
delete_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_all_chr_files'($*)) dnl
')
########################################
##
## Rename all block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rename_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
rename_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_all_blk_files'($*)) dnl
')
########################################
##
## Rename all character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rename_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_all_chr_files'($*)) dnl
gen_require(`
attribute device_node;
')
rename_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_all_chr_files'($*)) dnl
')
########################################
##
## Read, write, create, and delete all block device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_blk_files'($*)) dnl
gen_require(`
attribute device_node;
')
manage_blk_files_pattern($1, device_t, device_node)
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_blk_files'($*)) dnl
')
########################################
##
## Read, write, create, and delete all character device files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_chr_files'($*)) dnl
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
')
manage_chr_files_pattern($1, device_t, device_node)
typeattribute $1 memory_raw_read, memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_chr_files'($*)) dnl
')
########################################
##
## Getattr the agp devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_agp_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_agp_dev'($*)) dnl
gen_require(`
type device_t, agp_device_t;
')
getattr_chr_files_pattern($1, device_t, agp_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_agp_dev'($*)) dnl
')
########################################
##
## Read and write the agp devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_agp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_agp'($*)) dnl
gen_require(`
type device_t, agp_device_t;
')
rw_chr_files_pattern($1, device_t, agp_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_agp'($*)) dnl
')
########################################
##
## Get the attributes of the apm bios device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_apm_bios_dev'($*)) dnl
gen_require(`
type device_t, apm_bios_t;
')
getattr_chr_files_pattern($1, device_t, apm_bios_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## the apm bios device node.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_apm_bios_dev'($*)) dnl
gen_require(`
type apm_bios_t;
')
dontaudit $1 apm_bios_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Set the attributes of the apm bios device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_apm_bios_dev'($*)) dnl
gen_require(`
type device_t, apm_bios_t;
')
setattr_chr_files_pattern($1, device_t, apm_bios_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of
## the apm bios device node.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_apm_bios_dev'($*)) dnl
gen_require(`
type apm_bios_t;
')
dontaudit $1 apm_bios_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_apm_bios_dev'($*)) dnl
')
########################################
##
## Read and write the apm bios.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_apm_bios',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_apm_bios'($*)) dnl
gen_require(`
type device_t, apm_bios_t;
')
rw_chr_files_pattern($1, device_t, apm_bios_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_apm_bios'($*)) dnl
')
########################################
##
## Get the attributes of the autofs device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_autofs_dev'($*)) dnl
gen_require(`
type device_t, autofs_device_t;
')
getattr_chr_files_pattern($1, device_t, autofs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_autofs_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## the autofs device node.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_autofs_dev'($*)) dnl
gen_require(`
type autofs_device_t;
')
dontaudit $1 autofs_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_autofs_dev'($*)) dnl
')
########################################
##
## Set the attributes of the autofs device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_autofs_dev'($*)) dnl
gen_require(`
type device_t, autofs_device_t;
')
setattr_chr_files_pattern($1, device_t, autofs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_autofs_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of
## the autofs device node.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_autofs_dev'($*)) dnl
gen_require(`
type autofs_device_t;
')
dontaudit $1 autofs_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_autofs_dev'($*)) dnl
')
########################################
##
## Read and write the autofs device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_autofs'($*)) dnl
gen_require(`
type device_t, autofs_device_t;
')
rw_chr_files_pattern($1, device_t, autofs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_autofs'($*)) dnl
')
########################################
##
## Relabel the autofs device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_autofs_dev'($*)) dnl
gen_require(`
type autofs_device_t;
')
allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_autofs_dev'($*)) dnl
')
########################################
##
## Read and write the PCMCIA card manager device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cardmgr'($*)) dnl
gen_require(`
type cardmgr_dev_t;
')
rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cardmgr'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the PCMCIA card manager device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_cardmgr'($*)) dnl
gen_require(`
type cardmgr_dev_t;
')
dontaudit $1 cardmgr_dev_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_cardmgr'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## the PCMCIA card manager device
## with the correct type.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_cardmgr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_cardmgr_dev'($*)) dnl
gen_require(`
type device_t, cardmgr_dev_t;
')
create_chr_files_pattern($1, device_t, cardmgr_dev_t)
create_blk_files_pattern($1, device_t, cardmgr_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_cardmgr_dev'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## the PCMCIA card manager device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_cardmgr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_cardmgr_dev'($*)) dnl
gen_require(`
type device_t, cardmgr_dev_t;
')
manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_cardmgr_dev'($*)) dnl
')
########################################
##
## Automatic type transition to the type
## for PCMCIA card manager device nodes when
## created in /dev.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_filetrans_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_cardmgr'($*)) dnl
gen_require(`
type device_t, cardmgr_dev_t;
')
filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_cardmgr'($*)) dnl
')
########################################
##
## Automatic type transition to the type
## for xserver misc device nodes when
## created in /dev.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_filetrans_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_xserver_misc'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_xserver_misc'($*)) dnl
')
########################################
##
## Get the attributes of the CPU
## microcode and id interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_cpu_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_cpu_dev'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
getattr_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_cpu_dev'($*)) dnl
')
########################################
##
## Set the attributes of the CPU
## microcode and id interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_cpu_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_cpu_dev'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
setattr_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_cpu_dev'($*)) dnl
')
########################################
##
## Read the CPU identity.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_cpuid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_cpuid'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
read_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_cpuid'($*)) dnl
')
########################################
##
## Read and write the the CPU microcode device. This
## is required to load CPU microcode.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_cpu_microcode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cpu_microcode'($*)) dnl
gen_require(`
type device_t, cpu_device_t;
')
rw_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cpu_microcode'($*)) dnl
')
########################################
##
## Read the kernel crash device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_crash',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_crash'($*)) dnl
gen_require(`
type device_t, crash_device_t;
')
read_chr_files_pattern($1, device_t, crash_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_crash'($*)) dnl
')
########################################
##
## Read and write to the cachefilesd device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_cachefiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cachefiles'($*)) dnl
gen_require(`
type device_t, cachefiles_device_t;
')
rw_chr_files_pattern($1, device_t, cachefiles_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cachefiles'($*)) dnl
')
########################################
##
## Read and write the the hardware SSL accelerator.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_crypto',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_crypto'($*)) dnl
gen_require(`
type device_t, crypt_device_t;
')
rw_chr_files_pattern($1, device_t, crypt_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_crypto'($*)) dnl
')
########################################
##
## Read and write the the ecrypt filesystem device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_ecryptfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_ecryptfs'($*)) dnl
gen_require(`
type device_t, ecryptfs_device_t;
')
rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_ecryptfs'($*)) dnl
')
#######################################
##
## Set the attributes of the dlm control devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_dlm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_dlm_control'($*)) dnl
gen_require(`
type device_t, kvm_device_t;
')
setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_dlm_control'($*)) dnl
')
#######################################
##
## Read and write the the dlm control device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_dlm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_dlm_control'($*)) dnl
gen_require(`
type device_t, dlm_control_device_t;
')
rw_chr_files_pattern($1, device_t, dlm_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_dlm_control'($*)) dnl
')
########################################
##
## getattr the dri devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_dri_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_dri_dev'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
getattr_chr_files_pattern($1, device_t, dri_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_dri_dev'($*)) dnl
')
########################################
##
## Setattr the dri devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_dri_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_dri_dev'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
setattr_chr_files_pattern($1, device_t, dri_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_dri_dev'($*)) dnl
')
########################################
##
## Mmap the dri devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_dri'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
allow $1 dri_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_dri'($*)) dnl
')
########################################
##
## Read and write the dri devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_dri'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
rw_chr_files_pattern($1, device_t, dri_device_t)
allow $1 dri_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_dri'($*)) dnl
')
########################################
##
## Read and write the dri devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_inherited_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_inherited_dri'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_inherited_dri'($*)) dnl
')
########################################
##
## Dontaudit read and write on the dri devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_dri'($*)) dnl
gen_require(`
type dri_device_t;
')
dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_dri'($*)) dnl
')
########################################
##
## Create, read, write, and delete the dri devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_dri_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_dri_dev'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
manage_chr_files_pattern($1, device_t, dri_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_dri_dev'($*)) dnl
')
########################################
##
## Automatic type transition to the type
## for DRI device nodes when created in /dev.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_filetrans_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_dri'($*)) dnl
gen_require(`
type device_t, dri_device_t;
')
filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_dri'($*)) dnl
')
########################################
##
## Get the attributes of the event devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_input_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 event_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_input_dev'($*)) dnl
')
########################################
##
## Set the attributes of the event devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_input_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 event_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_input_dev'($*)) dnl
')
########################################
##
## Read input event devices (/dev/input).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_input',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_input'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
read_chr_files_pattern($1, device_t, event_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_input'($*)) dnl
')
########################################
##
## Read input event devices (/dev/input).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_input_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
rw_chr_files_pattern($1, device_t, event_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_input_dev'($*)) dnl
')
########################################
##
## Read input event devices (/dev/input).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_inherited_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_inherited_input_dev'($*)) dnl
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_inherited_input_dev'($*)) dnl
')
########################################
##
## Read ipmi devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_ipmi_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_ipmi_dev'($*)) dnl
gen_require(`
type device_t, ipmi_device_t;
')
read_chr_files_pattern($1, device_t, ipmi_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_ipmi_dev'($*)) dnl
')
########################################
##
## Read and write ipmi devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_ipmi_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_ipmi_dev'($*)) dnl
gen_require(`
type device_t, ipmi_device_t;
')
rw_chr_files_pattern($1, device_t, ipmi_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_ipmi_dev'($*)) dnl
')
########################################
##
## Manage ipmi devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_ipmi_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_ipmi_dev'($*)) dnl
gen_require(`
type device_t, ipmi_device_t;
')
manage_chr_files_pattern($1, device_t, ipmi_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_ipmi_dev'($*)) dnl
')
########################################
##
## Automatic type transition to the type
## for PCMCIA card manager device nodes when
## created in /dev.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_filetrans_ipmi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_ipmi'($*)) dnl
gen_require(`
type device_t, ipmi_device_t;
')
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_ipmi'($*)) dnl
')
########################################
##
## Get attributes of infiniband devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_infiniband_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_infiniband_dev'($*)) dnl
gen_require(`
type device_t, infiniband_device_t;
')
getattr_chr_files_pattern($1, device_t, infiniband_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_infiniband_dev'($*)) dnl
')
########################################
##
## Read infiniband devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_infiniband_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_infiniband_dev'($*)) dnl
gen_require(`
type device_t, infiniband_device_t;
')
read_chr_files_pattern($1, device_t, infiniband_device_t)
read_blk_files_pattern($1, device_t, infiniband_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_infiniband_dev'($*)) dnl
')
########################################
##
## Read and write ipmi devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_infiniband_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_infiniband_dev'($*)) dnl
gen_require(`
type device_t, infiniband_device_t;
')
rw_chr_files_pattern($1, device_t, infiniband_device_t)
rw_blk_files_pattern($1, device_t, infiniband_device_t)
allow $1 infiniband_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_infiniband_dev'($*)) dnl
')
########################################
##
## Read infiniband mgmt devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_infiniband_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_infiniband_mgmt_dev'($*)) dnl
gen_require(`
type device_t, infiniband_mgmt_device_t;
')
read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_infiniband_mgmt_dev'($*)) dnl
')
########################################
##
## Read and write ipmi devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_infiniband_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_infiniband_mgmt_dev'($*)) dnl
gen_require(`
type device_t, infiniband_mgmt_device_t;
')
rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_infiniband_mgmt_dev'($*)) dnl
')
########################################
##
## Get the attributes of the framebuffer device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_framebuffer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_framebuffer_dev'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
getattr_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_framebuffer_dev'($*)) dnl
')
########################################
##
## Set the attributes of the framebuffer device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_framebuffer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_framebuffer_dev'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
setattr_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_framebuffer_dev'($*)) dnl
')
########################################
##
## Dot not audit attempts to set the attributes
## of the framebuffer device node.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_framebuffer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl
gen_require(`
type framebuf_device_t;
')
dontaudit $1 framebuf_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl
')
########################################
##
## Read the framebuffer.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_framebuffer'($*)) dnl
gen_require(`
type framebuf_device_t;
')
read_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_framebuffer'($*)) dnl
')
########################################
##
## Do not audit attempts to read the framebuffer.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_framebuffer'($*)) dnl
gen_require(`
type framebuf_device_t;
')
dontaudit $1 framebuf_device_t:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_framebuffer'($*)) dnl
')
########################################
##
## Write the framebuffer.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_framebuffer'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
write_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_framebuffer'($*)) dnl
')
########################################
##
## Mmap the framebuffer.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_framebuffer'($*)) dnl
gen_require(`
type framebuf_device_t;
')
allow $1 framebuf_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_framebuffer'($*)) dnl
')
########################################
##
## Read and write the framebuffer.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_framebuffer'($*)) dnl
gen_require(`
type device_t, framebuf_device_t;
')
rw_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_framebuffer'($*)) dnl
')
########################################
##
## Read the kernel messages
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_kmsg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_kmsg'($*)) dnl
gen_require(`
type device_t, kmsg_device_t;
')
read_chr_files_pattern($1, device_t, kmsg_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_kmsg'($*)) dnl
')
########################################
##
## Do not audit attempts to read the kernel messages
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_kmsg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_kmsg'($*)) dnl
gen_require(`
type kmsg_device_t;
')
dontaudit $1 kmsg_device_t:chr_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_kmsg'($*)) dnl
')
########################################
##
## Write to the kernel messages device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_kmsg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_kmsg'($*)) dnl
gen_require(`
type device_t, kmsg_device_t;
')
write_chr_files_pattern($1, device_t, kmsg_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_kmsg'($*)) dnl
')
########################################
##
## Get the attributes of the ksm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_ksm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_ksm_dev'($*)) dnl
gen_require(`
type device_t, ksm_device_t;
')
getattr_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_ksm_dev'($*)) dnl
')
########################################
##
## Set the attributes of the ksm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_ksm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_ksm_dev'($*)) dnl
gen_require(`
type device_t, ksm_device_t;
')
setattr_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_ksm_dev'($*)) dnl
')
########################################
##
## Read the ksm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_ksm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_ksm'($*)) dnl
gen_require(`
type device_t, ksm_device_t;
')
read_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_ksm'($*)) dnl
')
########################################
##
## Read and write to ksm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_ksm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_ksm'($*)) dnl
gen_require(`
type device_t, ksm_device_t;
')
rw_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_ksm'($*)) dnl
')
########################################
##
## Get the attributes of the kvm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_kvm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_kvm_dev'($*)) dnl
gen_require(`
type device_t, kvm_device_t;
')
getattr_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_kvm_dev'($*)) dnl
')
########################################
##
## Set the attributes of the kvm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_kvm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_kvm_dev'($*)) dnl
gen_require(`
type device_t, kvm_device_t;
')
setattr_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_kvm_dev'($*)) dnl
')
########################################
##
## Read the kvm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_kvm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_kvm'($*)) dnl
gen_require(`
type device_t, kvm_device_t;
')
read_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_kvm'($*)) dnl
')
########################################
##
## Read and write to kvm devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_kvm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_kvm'($*)) dnl
gen_require(`
type device_t, kvm_device_t;
')
rw_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_kvm'($*)) dnl
')
########################################
##
## Read and write to sev devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_sev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_sev'($*)) dnl
gen_require(`
type device_t, sev_device_t;
')
rw_chr_files_pattern($1, device_t, sev_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_sev'($*)) dnl
')
######################################
##
## Read the lirc device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_lirc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_lirc'($*)) dnl
gen_require(`
type device_t, lirc_device_t;
')
read_chr_files_pattern($1, device_t, lirc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_lirc'($*)) dnl
')
######################################
##
## Read and write the lirc device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_lirc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_lirc'($*)) dnl
gen_require(`
type device_t, lirc_device_t;
')
rw_chr_files_pattern($1, device_t, lirc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_lirc'($*)) dnl
')
######################################
##
## Automatic type transition to the type
## for lirc device nodes when created in /dev.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_filetrans_lirc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_lirc'($*)) dnl
gen_require(`
type device_t, lirc_device_t;
')
filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_lirc'($*)) dnl
')
########################################
##
## Get the attributes of the loop comtrol device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_loop_control'($*)) dnl
gen_require(`
type device_t, loop_control_device_t;
')
getattr_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_loop_control'($*)) dnl
')
########################################
##
## Read the loop comtrol device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_loop_control'($*)) dnl
gen_require(`
type device_t, loop_control_device_t;
')
read_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_loop_control'($*)) dnl
')
########################################
##
## Read and write the loop control device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_loop_control'($*)) dnl
gen_require(`
type device_t, loop_control_device_t;
')
rw_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_loop_control'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write loop control device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_loop_control'($*)) dnl
gen_require(`
type loop_control_device_t;
')
dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_loop_control'($*)) dnl
')
########################################
##
## Delete the loop control device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_loop_control_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_loop_control_dev'($*)) dnl
gen_require(`
type device_t, loop_control_device_t;
')
delete_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_loop_control_dev'($*)) dnl
')
########################################
##
## Get the attributes of the loop comtrol device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_lvm_control'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
getattr_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_lvm_control'($*)) dnl
')
########################################
##
## Read the lvm comtrol device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_lvm_control'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
read_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_lvm_control'($*)) dnl
')
########################################
##
## Read and write the lvm control device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_lvm_control'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
rw_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_lvm_control'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write lvm control device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_lvm_control'($*)) dnl
gen_require(`
type lvm_control_t;
')
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_lvm_control'($*)) dnl
')
########################################
##
## Delete the lvm control device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_lvm_control_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_lvm_control_dev'($*)) dnl
gen_require(`
type device_t, lvm_control_t;
')
delete_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_lvm_control_dev'($*)) dnl
')
########################################
##
## dontaudit getattr raw memory devices (e.g. /dev/mem).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_memory_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_memory_dev'($*)) dnl
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_memory_dev'($*)) dnl
')
########################################
##
## Read raw memory devices (e.g. /dev/mem).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_read;
')
read_chr_files_pattern($1, device_t, memory_device_t)
allow $1 memory_device_t:chr_file map;
allow $1 self:lockdown integrity;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_raw_memory'($*)) dnl
')
########################################
##
## Allow to be reader of raw memory devices (e.g. /dev/mem).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_raw_memory_reader',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_raw_memory_reader'($*)) dnl
gen_require(`
attribute memory_raw_read;
')
typeattribute $1 memory_raw_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_raw_memory_reader'($*)) dnl
')
########################################
##
## Do not audit attempts to read raw memory devices
## (e.g. /dev/mem).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_raw_memory'($*)) dnl
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_raw_memory'($*)) dnl
')
########################################
##
## Write raw memory devices (e.g. /dev/mem).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_write;
')
write_chr_files_pattern($1, device_t, memory_device_t)
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_raw_memory'($*)) dnl
')
########################################
##
## Allow to be writer of raw memory devices (e.g. /dev/mem).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_raw_memory_writer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_raw_memory_writer'($*)) dnl
gen_require(`
attribute memory_raw_write;
')
typeattribute $1 memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_raw_memory_writer'($*)) dnl
')
########################################
##
## Read and execute raw memory devices (e.g. /dev/mem).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rx_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rx_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
')
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rx_raw_memory'($*)) dnl
')
########################################
##
## Write and execute raw memory devices (e.g. /dev/mem).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_wx_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_wx_raw_memory'($*)) dnl
gen_require(`
type device_t, memory_device_t;
')
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_wx_raw_memory'($*)) dnl
')
########################################
##
## Get the attributes of miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_misc_dev'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
getattr_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_misc_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of miscellaneous devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_misc_dev'($*)) dnl
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_misc_dev'($*)) dnl
')
########################################
##
## Set the attributes of miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_misc_dev'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
setattr_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_misc_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of miscellaneous devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_misc_dev'($*)) dnl
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_misc_dev'($*)) dnl
')
########################################
##
## Read miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_misc'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
read_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_misc'($*)) dnl
')
########################################
##
## Write miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_misc'($*)) dnl
gen_require(`
type device_t, misc_device_t;
')
write_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_misc'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write miscellaneous devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_rw_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_misc'($*)) dnl
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_misc'($*)) dnl
')
########################################
##
## Get the attributes of the modem devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_modem_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_modem_dev'($*)) dnl
gen_require(`
type device_t, modem_device_t;
')
getattr_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_modem_dev'($*)) dnl
')
########################################
##
## Set the attributes of the modem devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_modem_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_modem_dev'($*)) dnl
gen_require(`
type device_t, modem_device_t;
')
setattr_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_modem_dev'($*)) dnl
')
########################################
##
## Read the modem devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_modem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_modem'($*)) dnl
gen_require(`
type device_t, modem_device_t;
')
read_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_modem'($*)) dnl
')
########################################
##
## Read and write to modem devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_modem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_modem'($*)) dnl
gen_require(`
type device_t, modem_device_t;
')
rw_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_modem'($*)) dnl
')
########################################
##
## Get the attributes of the monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_monitor_dev'($*)) dnl
gen_require(`
type device_t, monitor_device_t;
')
getattr_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_monitor_dev'($*)) dnl
')
########################################
##
## Set the attributes of the monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_monitor_dev'($*)) dnl
gen_require(`
type device_t, monitor_device_t;
')
setattr_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_monitor_dev'($*)) dnl
')
########################################
##
## Read the monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_monitor_dev'($*)) dnl
gen_require(`
type device_t, monitor_device_t;
')
read_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_monitor_dev'($*)) dnl
')
########################################
##
## Read and write to monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_monitor_dev'($*)) dnl
gen_require(`
type device_t, monitor_device_t;
')
rw_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_monitor_dev'($*)) dnl
')
########################################
##
## Get the attributes of the mouse devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_mouse_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mouse_dev'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
getattr_chr_files_pattern($1, device_t, mouse_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mouse_dev'($*)) dnl
')
########################################
##
## Set the attributes of the mouse devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_mouse_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_mouse_dev'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
setattr_chr_files_pattern($1, device_t, mouse_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_mouse_dev'($*)) dnl
')
########################################
##
## Read the mouse devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_mouse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_mouse'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
read_chr_files_pattern($1, device_t, mouse_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_mouse'($*)) dnl
')
########################################
##
## Read and write to mouse devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_mouse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_mouse'($*)) dnl
gen_require(`
type device_t, mouse_device_t;
')
rw_chr_files_pattern($1, device_t, mouse_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_mouse'($*)) dnl
')
########################################
##
## Get the attributes of the memory type range
## registers (MTRR) device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_mtrr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mtrr_dev'($*)) dnl
gen_require(`
type device_t, mtrr_device_t;
')
getattr_files_pattern($1, device_t, mtrr_device_t)
getattr_chr_files_pattern($1, device_t, mtrr_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mtrr_dev'($*)) dnl
')
########################################
##
## Write the memory type range
## registers (MTRR). (Deprecated)
##
##
##
## Write the memory type range
## registers (MTRR). This interface has
## been deprecated, dev_rw_mtrr() should be
## used instead.
##
##
## The MTRR device ioctls can be used for
## reading and writing; thus, write access to the
## device cannot be separated from read access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_mtrr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_mtrr'($*)) dnl
refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
dev_rw_mtrr($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_mtrr'($*)) dnl
')
########################################
##
## Do not audit attempts to write the memory type
## range registers (MTRR).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_write_mtrr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_mtrr'($*)) dnl
gen_require(`
type mtrr_device_t;
')
dontaudit $1 mtrr_device_t:file write_file_perms;
dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_mtrr'($*)) dnl
')
########################################
##
## Do not audit attempts to read the memory type
## range registers (MTRR).
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_mtrr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_mtrr'($*)) dnl
gen_require(`
type mtrr_device_t;
')
dontaudit $1 mtrr_device_t:file { open read };
dontaudit $1 mtrr_device_t:chr_file { open read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_mtrr'($*)) dnl
')
########################################
##
## Read the memory type range registers (MTRR).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_mtrr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_mtrr'($*)) dnl
gen_require(`
type device_t, mtrr_device_t;
')
read_files_pattern($1, device_t, mtrr_device_t)
read_chr_files_pattern($1, device_t, mtrr_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_mtrr'($*)) dnl
')
########################################
##
## Read and write the memory type range registers (MTRR).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_mtrr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_mtrr'($*)) dnl
gen_require(`
type device_t, mtrr_device_t;
')
rw_files_pattern($1, device_t, mtrr_device_t)
rw_chr_files_pattern($1, device_t, mtrr_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_mtrr'($*)) dnl
')
########################################
##
## Get the attributes of the network control device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_netcontrol_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_netcontrol_dev'($*)) dnl
gen_require(`
type device_t, netcontrol_device_t;
')
getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_netcontrol_dev'($*)) dnl
')
########################################
##
## Read the network control identity.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_netcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_netcontrol'($*)) dnl
gen_require(`
type device_t, netcontrol_device_t;
')
read_chr_files_pattern($1, device_t, netcontrol_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_netcontrol'($*)) dnl
')
########################################
##
## Read and write the the network control device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_netcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_netcontrol'($*)) dnl
gen_require(`
type device_t, netcontrol_device_t;
')
rw_chr_files_pattern($1, device_t, netcontrol_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_netcontrol'($*)) dnl
')
########################################
##
## Get the attributes of the null device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_null_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_null_dev'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
getattr_chr_files_pattern($1, device_t, null_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_null_dev'($*)) dnl
')
########################################
##
## Set the attributes of the null device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_null_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_null_dev'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
setattr_chr_files_pattern($1, device_t, null_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_null_dev'($*)) dnl
')
########################################
##
## Delete the null device (/dev/null).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_delete_null',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_null'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
delete_chr_files_pattern($1, device_t, null_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_null'($*)) dnl
')
########################################
##
## Read and write to the null device (/dev/null).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_null',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_null'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
rw_chr_files_pattern($1, device_t, null_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_null'($*)) dnl
')
########################################
##
## Create the null device (/dev/null).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_null_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_null_dev'($*)) dnl
gen_require(`
type device_t, null_device_t;
')
create_chr_files_pattern($1, device_t, null_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_null_dev'($*)) dnl
')
########################################
##
## Get the status of a null device service.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_service_status_null_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_service_status_null_dev'($*)) dnl
gen_require(`
type null_device_t;
')
allow $1 null_device_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_service_status_null_dev'($*)) dnl
')
########################################
##
## Configure null_device as a unit files.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dev_config_null_dev_service',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_config_null_dev_service'($*)) dnl
gen_require(`
type null_device_t;
')
allow $1 null_device_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_config_null_dev_service'($*)) dnl
')
########################################
##
## Read Non-Volatile Memory Host Controller Interface. (Deprecated)
##
##
## Use storage_raw_read_fixed_disk() instead.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_nvme',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_nvme'($*)) dnl
refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk().')
storage_raw_read_fixed_disk($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_nvme'($*)) dnl
')
########################################
##
## Read/Write Non-Volatile Memory Host Controller Interface. (Deprecated)
##
##
## Use storage_raw_read_fixed_disk() and
## storage_raw_write_fixed_disk() instead.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_nvme',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_nvme'($*)) dnl
refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk() and storage_raw_write_fixed_disk().')
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_nvme'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_nvram_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_nvram_dev'($*)) dnl
gen_require(`
type nvram_device_t;
')
dontaudit $1 nvram_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_nvram_dev'($*)) dnl
')
########################################
##
## Read BIOS non-volatile RAM.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_nvram',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_nvram'($*)) dnl
gen_require(`
type nvram_device_t;
')
read_chr_files_pattern($1, device_t, nvram_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_nvram'($*)) dnl
')
########################################
##
## Read and write BIOS non-volatile RAM.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_nvram',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_nvram'($*)) dnl
gen_require(`
type nvram_device_t;
')
rw_chr_files_pattern($1, device_t, nvram_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_nvram'($*)) dnl
')
########################################
##
## Get the attributes of the printer device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_printer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_printer_dev'($*)) dnl
gen_require(`
type device_t, printer_device_t;
')
getattr_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_printer_dev'($*)) dnl
')
########################################
##
## Set the attributes of the printer device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_printer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_printer_dev'($*)) dnl
gen_require(`
type device_t, printer_device_t;
')
setattr_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_printer_dev'($*)) dnl
')
########################################
##
## Append the printer device.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for lpd/checkpc_t
define(`dev_append_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_append_printer'($*)) dnl
gen_require(`
type device_t, printer_device_t;
')
append_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_append_printer'($*)) dnl
')
########################################
##
## Read and write the printer device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_printer'($*)) dnl
gen_require(`
type device_t, printer_device_t;
')
rw_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_printer'($*)) dnl
')
########################################
##
## Relabel the printer device node.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_printer'($*)) dnl
gen_require(`
type printer_device_t;
')
allow $1 printer_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_printer'($*)) dnl
')
########################################
##
## Read and write the printer device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_printer'($*)) dnl
gen_require(`
type device_t, printer_device_t;
')
manage_chr_files_pattern($1, device_t, printer_device_t)
dev_filetrans_printer_named_dev($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_printer'($*)) dnl
')
########################################
##
## Get the attributes of the QEMU
## microcode and id interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_qemu_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_qemu_dev'($*)) dnl
gen_require(`
type device_t, qemu_device_t;
')
getattr_chr_files_pattern($1, device_t, qemu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_qemu_dev'($*)) dnl
')
########################################
##
## Set the attributes of the QEMU
## microcode and id interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_qemu_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_qemu_dev'($*)) dnl
gen_require(`
type device_t, qemu_device_t;
')
setattr_chr_files_pattern($1, device_t, qemu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_qemu_dev'($*)) dnl
')
########################################
##
## Read the QEMU device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_qemu',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_qemu'($*)) dnl
gen_require(`
type device_t, qemu_device_t;
')
read_chr_files_pattern($1, device_t, qemu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_qemu'($*)) dnl
')
########################################
##
## Read and write the the QEMU device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_qemu',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_qemu'($*)) dnl
gen_require(`
type device_t, qemu_device_t;
')
rw_chr_files_pattern($1, device_t, qemu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_qemu'($*)) dnl
')
########################################
##
## Read from random number generator
## devices (e.g., /dev/random).
##
##
##
## Allow the specified domain to read from random number
## generator devices (e.g., /dev/random). Typically this is
## used in situations when a cryptographically secure random
## number is needed.
##
##
## Related interface:
##
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_read_rand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_rand'($*)) dnl
gen_require(`
type device_t, random_device_t;
')
read_chr_files_pattern($1, device_t, random_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_rand'($*)) dnl
')
########################################
##
## Do not audit attempts to read from random
## number generator devices (e.g., /dev/random)
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_rand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_rand'($*)) dnl
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_rand'($*)) dnl
')
########################################
##
## Do not audit attempts to append to the random
## number generator devices (e.g., /dev/random)
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_append_rand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_append_rand'($*)) dnl
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_append_rand'($*)) dnl
')
########################################
##
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_rand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_rand'($*)) dnl
gen_require(`
type device_t, random_device_t;
')
write_chr_files_pattern($1, device_t, random_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_rand'($*)) dnl
')
########################################
##
## Read the realtime clock (/dev/rtc).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_realtime_clock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_realtime_clock'($*)) dnl
gen_require(`
type device_t, clock_device_t;
')
read_chr_files_pattern($1, device_t, clock_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_realtime_clock'($*)) dnl
')
########################################
##
## Set the realtime clock (/dev/rtc).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_realtime_clock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_realtime_clock'($*)) dnl
gen_require(`
type device_t, clock_device_t;
')
write_chr_files_pattern($1, device_t, clock_device_t)
allow $1 clock_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_realtime_clock'($*)) dnl
')
########################################
##
## Read and set the realtime clock (/dev/rtc).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_realtime_clock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_realtime_clock'($*)) dnl
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_realtime_clock'($*)) dnl
')
########################################
##
## Get the attributes of the scanner device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_scanner_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_scanner_dev'($*)) dnl
gen_require(`
type device_t, scanner_device_t;
')
getattr_chr_files_pattern($1, device_t, scanner_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_scanner_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## the scanner device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_scanner_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_scanner_dev'($*)) dnl
gen_require(`
type scanner_device_t;
')
dontaudit $1 scanner_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_scanner_dev'($*)) dnl
')
########################################
##
## Set the attributes of the scanner device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_scanner_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_scanner_dev'($*)) dnl
gen_require(`
type device_t, scanner_device_t;
')
setattr_chr_files_pattern($1, device_t, scanner_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_scanner_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of
## the scanner device.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_scanner_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_scanner_dev'($*)) dnl
gen_require(`
type scanner_device_t;
')
dontaudit $1 scanner_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_scanner_dev'($*)) dnl
')
########################################
##
## Read and write the scanner device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_scanner',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_scanner'($*)) dnl
gen_require(`
type device_t, scanner_device_t;
')
rw_chr_files_pattern($1, device_t, scanner_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_scanner'($*)) dnl
')
########################################
##
## Get the attributes of the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_sound_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_sound_dev'($*)) dnl
gen_require(`
type device_t, sound_device_t;
')
getattr_chr_files_pattern($1, device_t, sound_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_sound_dev'($*)) dnl
')
########################################
##
## Set the attributes of the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_sound_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_sound_dev'($*)) dnl
gen_require(`
type device_t, sound_device_t;
')
setattr_chr_files_pattern($1, device_t, sound_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_sound_dev'($*)) dnl
')
########################################
##
## Read the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_sound',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sound'($*)) dnl
gen_require(`
type device_t, sound_device_t;
')
read_chr_files_pattern($1, device_t, sound_device_t)
allow $1 sound_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sound'($*)) dnl
')
########################################
##
## Write the sound devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_sound',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sound'($*)) dnl
gen_require(`
type device_t, sound_device_t;
')
write_chr_files_pattern($1, device_t, sound_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sound'($*)) dnl
')
########################################
##
## Read the sound mixer devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_sound_mixer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sound_mixer'($*)) dnl
gen_require(`
type device_t, sound_device_t;
')
read_chr_files_pattern($1, device_t, sound_device_t)
allow $1 sound_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sound_mixer'($*)) dnl
')
########################################
##
## Write the sound mixer devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_sound_mixer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sound_mixer'($*)) dnl
gen_require(`
type device_t, sound_device_t;
')
write_chr_files_pattern($1, device_t, sound_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sound_mixer'($*)) dnl
')
########################################
##
## Get the attributes of the the power management device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_power_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_power_mgmt_dev'($*)) dnl
gen_require(`
type device_t, power_device_t;
')
getattr_chr_files_pattern($1, device_t, power_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_power_mgmt_dev'($*)) dnl
')
########################################
##
## Set the attributes of the the power management device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_power_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_power_mgmt_dev'($*)) dnl
gen_require(`
type device_t, power_device_t;
')
setattr_chr_files_pattern($1, device_t, power_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_power_mgmt_dev'($*)) dnl
')
########################################
##
## Read and write the the power management device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_power_management',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_power_management'($*)) dnl
gen_require(`
type device_t, power_device_t;
')
rw_chr_files_pattern($1, device_t, power_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_power_management'($*)) dnl
')
########################################
##
## Getattr on smartcard devices
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_smartcard_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_smartcard_dev'($*)) dnl
gen_require(`
type smartcard_device_t;
')
allow $1 smartcard_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_smartcard_dev'($*)) dnl
')
########################################
##
## dontaudit getattr on smartcard devices
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_smartcard_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_smartcard_dev'($*)) dnl
gen_require(`
type smartcard_device_t;
')
dontaudit $1 smartcard_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_smartcard_dev'($*)) dnl
')
########################################
##
## Read and write smartcard devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_smartcard',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_smartcard'($*)) dnl
gen_require(`
type device_t, smartcard_device_t;
')
rw_chr_files_pattern($1, device_t, smartcard_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_smartcard'($*)) dnl
')
########################################
##
## Create, read, write, and delete smartcard devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_smartcard',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_smartcard'($*)) dnl
gen_require(`
type device_t, smartcard_device_t;
')
manage_chr_files_pattern($1, device_t, smartcard_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_smartcard'($*)) dnl
')
########################################
##
## Associate a file to a sysfs filesystem.
##
##
##
## The type of the file to be associated to sysfs.
##
##
#
define(`dev_associate_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_associate_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_associate_sysfs'($*)) dnl
')
########################################
##
## Get the attributes of sysfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs_dirs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs_dirs'($*)) dnl
')
########################################
##
## Set the attributes of sysfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_sysfs_dirs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_sysfs_dirs'($*)) dnl
')
########################################
##
## Get attributes of sysfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs_fs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs_fs'($*)) dnl
')
########################################
##
## Mount a filesystem on /sys
##
##
##
## Domain allow access.
##
##
#
define(`dev_mounton_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mounton_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mounton_sysfs'($*)) dnl
')
########################################
##
## Dontaudit attempts to mount a filesystem on /sys
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_mounton_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_mounton_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_mounton_sysfs'($*)) dnl
')
########################################
##
## Mount sysfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_mount_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mount_sysfs_fs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mount_sysfs_fs'($*)) dnl
')
########################################
##
## Unmount sysfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_unmount_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_unmount_sysfs_fs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_unmount_sysfs_fs'($*)) dnl
')
########################################
##
## Remount sysfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_remount_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_remount_sysfs_fs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_remount_sysfs_fs'($*)) dnl
')
########################################
##
## Search the sysfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_search_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_search_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
search_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_search_sysfs'($*)) dnl
')
########################################
##
## Do not audit attempts to search sysfs.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_search_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_search_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_search_sysfs'($*)) dnl
')
########################################
##
## List the contents of the sysfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_list_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_list_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_list_sysfs'($*)) dnl
')
########################################
##
## Write in a sysfs directories.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for cpuspeed
define(`dev_write_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sysfs_dirs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sysfs_dirs'($*)) dnl
')
########################################
##
## Access check for a sysfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_access_check_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_access_check_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_access_check_sysfs'($*)) dnl
')
########################################
##
## Do not audit attempts to write in a sysfs directory.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_write_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_sysfs_dirs'($*)) dnl
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_sysfs_dirs'($*)) dnl
')
########################################
##
## Read cpu online hardware state information.
##
##
##
## Allow the specified domain to read /sys/devices/system/cpu/online file.
##
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_cpu_online',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_cpu_online'($*)) dnl
gen_require(`
type cpu_online_t;
')
dev_search_sysfs($1)
read_files_pattern($1, cpu_online_t, cpu_online_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_cpu_online'($*)) dnl
')
########################################
##
## Relabel cpu online hardware state information.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_cpu_online',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_cpu_online'($*)) dnl
gen_require(`
type cpu_online_t;
type sysfs_t;
')
dev_search_sysfs($1)
allow $1 cpu_online_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_cpu_online'($*)) dnl
')
########################################
##
## Read hardware state information.
##
##
##
## Allow the specified domain to read the contents of
## the sysfs filesystem. This filesystem contains
## information, parameters, and other settings on the
## hardware installed on the system.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_read_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
read_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sysfs'($*)) dnl
')
########################################
##
## Allow caller to modify hardware state information.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
rw_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_sysfs'($*)) dnl
')
########################################
##
## Allow caller create hardware state information files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_sysfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_sysfs_files'($*)) dnl
gen_require(`
type sysfs_t;
')
create_files_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_sysfs_files'($*)) dnl
')
########################################
##
## Relabel hardware state directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_sysfs_dirs'($*)) dnl
gen_require(`
type sysfs_t;
')
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_sysfs_dirs'($*)) dnl
')
########################################
##
## Relabel hardware state files
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_all_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_all_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
relabel_files_pattern($1, sysfs_t, sysfs_t)
relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_all_sysfs'($*)) dnl
')
########################################
##
## Allow caller to modify hardware state information.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_sysfs_dirs'($*)) dnl
gen_require(`
type sysfs_t;
')
manage_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_sysfs_dirs'($*)) dnl
')
########################################
##
## Allow caller to modify hardware state information.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
manage_dirs_pattern($1, sysfs_t, sysfs_t)
manage_files_pattern($1, sysfs_t, sysfs_t)
manage_lnk_files_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_sysfs'($*)) dnl
')
########################################
##
## Mmap the sysfs.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_sysfs'($*)) dnl
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_sysfs'($*)) dnl
')
########################################
##
## Read and write the TPM device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_tpm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_tpm'($*)) dnl
gen_require(`
type device_t, tpm_device_t;
')
rw_chr_files_pattern($1, device_t, tpm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_tpm'($*)) dnl
')
########################################
##
## Read from pseudo random number generator devices (e.g., /dev/urandom).
##
##
##
## Allow the specified domain to read from pseudo random number
## generator devices (e.g., /dev/urandom). Typically this is
## used in situations when a cryptographically secure random
## number is not necessarily needed. One example is the Stack
## Smashing Protector (SSP, formerly known as ProPolice) support
## that may be compiled into programs.
##
##
## Related interface:
##
##
##
## Related tunable:
##
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`dev_read_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_urand'($*)) dnl
gen_require(`
type device_t, urandom_device_t;
')
read_chr_files_pattern($1, device_t, urandom_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_urand'($*)) dnl
')
########################################
##
## Do not audit attempts to read from pseudo
## random devices (e.g., /dev/urandom)
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_read_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_urand'($*)) dnl
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_urand'($*)) dnl
')
########################################
##
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_urand'($*)) dnl
gen_require(`
type device_t, urandom_device_t;
')
write_chr_files_pattern($1, device_t, urandom_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_urand'($*)) dnl
')
########################################
##
## Do not audit attempts to write to pseudo
## random devices (e.g., /dev/urandom)
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_write_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_urand'($*)) dnl
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_urand'($*)) dnl
')
########################################
##
## Getattr generic the USB devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_usb_dev'($*)) dnl
gen_require(`
type usb_device_t,device_t;
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_usb_dev'($*)) dnl
')
########################################
##
## Setattr generic the USB devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_usb_dev'($*)) dnl
gen_require(`
type usb_device_t;
')
setattr_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_generic_usb_dev'($*)) dnl
')
########################################
##
## Read generic the USB devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_generic_usb_dev'($*)) dnl
gen_require(`
type usb_device_t;
')
read_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_generic_usb_dev'($*)) dnl
')
########################################
##
## Read and write generic the USB devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_usb_dev'($*)) dnl
gen_require(`
type device_t, usb_device_t;
')
rw_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_usb_dev'($*)) dnl
')
########################################
##
## Relabel generic the USB devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_relabel_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_usb_dev'($*)) dnl
gen_require(`
type usb_device_t;
')
relabel_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_generic_usb_dev'($*)) dnl
')
########################################
##
## Read USB monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_usbmon_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_usbmon_dev'($*)) dnl
gen_require(`
type device_t, usbmon_device_t;
')
read_chr_files_pattern($1, device_t, usbmon_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_usbmon_dev'($*)) dnl
')
########################################
##
## Mmap USB monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_usbmon_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_usbmon_dev'($*)) dnl
gen_require(`
type usbmon_device_t;
')
allow $1 usbmon_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_usbmon_dev'($*)) dnl
')
########################################
##
## Write USB monitor devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_usbmon_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_usbmon_dev'($*)) dnl
gen_require(`
type device_t, usbmon_device_t;
')
write_chr_files_pattern($1, device_t, usbmon_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_usbmon_dev'($*)) dnl
')
########################################
##
## Mount a usbfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_mount_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mount_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mount_usbfs'($*)) dnl
')
########################################
##
## Associate a file to a usbfs filesystem.
##
##
##
## The type of the file to be associated to usbfs.
##
##
#
define(`dev_associate_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_associate_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_associate_usbfs'($*)) dnl
')
########################################
##
## Get the attributes of a directory in the usb filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_usbfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_usbfs_dirs'($*)) dnl
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_usbfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_usbfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl
gen_require(`
type usbfs_t;
')
dontaudit $1 usbfs_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl
')
########################################
##
## Search the directory containing USB hardware information.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_search_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_search_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
search_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_search_usbfs'($*)) dnl
')
########################################
##
## Allow caller to get a list of usb hardware.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_list_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_list_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
getattr_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_list_usbfs'($*)) dnl
')
########################################
##
## Set the attributes of usbfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_usbfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_usbfs_files'($*)) dnl
gen_require(`
type usbfs_t;
')
setattr_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_usbfs_files'($*)) dnl
')
########################################
##
## Read USB hardware information using
## the usbfs filesystem interface.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
read_files_pattern($1, usbfs_t, usbfs_t)
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_usbfs'($*)) dnl
')
########################################
##
## Allow caller to modify usb hardware configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_usbfs'($*)) dnl
gen_require(`
type usbfs_t;
')
list_dirs_pattern($1, usbfs_t, usbfs_t)
rw_files_pattern($1, usbfs_t, usbfs_t)
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_usbfs'($*)) dnl
')
######################################
##
## Read and write userio device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_userio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_userio_dev'($*)) dnl
gen_require(`
type device_t, userio_device_t;
')
rw_chr_files_pattern($1, device_t, userio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_userio_dev'($*)) dnl
')
########################################
##
## Mmap the userio devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_userio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_userio_dev'($*)) dnl
gen_require(`
type device_t, userio_device_t;
')
allow $1 userio_device_t:chr_file map;
allow $1 self:lockdown integrity;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_userio_dev'($*)) dnl
')
########################################
##
## Get the attributes of video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
getattr_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_video_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of video4linux device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_video_dev'($*)) dnl
gen_require(`
type v4l_device_t;
')
dontaudit $1 v4l_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_video_dev'($*)) dnl
')
########################################
##
## Set the attributes of video4linux device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
setattr_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_video_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of video4linux device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_video_dev'($*)) dnl
gen_require(`
type v4l_device_t;
')
dontaudit $1 v4l_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_video_dev'($*)) dnl
')
########################################
##
## Read the video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
read_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_video_dev'($*)) dnl
')
########################################
##
## Mmap the video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
allow $1 v4l_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_video_dev'($*)) dnl
')
########################################
##
## Write the video4linux devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_video_dev'($*)) dnl
gen_require(`
type device_t, v4l_device_t;
')
write_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_video_dev'($*)) dnl
')
########################################
##
## Get the attributes of vfio devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_vfio_dev'($*)) dnl
gen_require(`
type device_t, vfio_device_t;
')
getattr_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_vfio_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of vfio device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_vfio_dev'($*)) dnl
gen_require(`
type vfio_device_t;
')
dontaudit $1 vfio_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_vfio_dev'($*)) dnl
')
########################################
##
## Set the attributes of vfio device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_vfio_dev'($*)) dnl
gen_require(`
type device_t, vfio_device_t;
')
setattr_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_vfio_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of vfio device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_setattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_vfio_dev'($*)) dnl
gen_require(`
type vfio_device_t;
')
dontaudit $1 vfio_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_vfio_dev'($*)) dnl
')
########################################
##
## Read the vfio devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_vfio_dev'($*)) dnl
gen_require(`
type device_t, vfio_device_t;
')
read_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_vfio_dev'($*)) dnl
')
########################################
##
## Write the vfio devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_vfio_dev'($*)) dnl
gen_require(`
type device_t, vfio_device_t;
')
write_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_vfio_dev'($*)) dnl
')
########################################
##
## Read and write the VFIO devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vfio_dev'($*)) dnl
gen_require(`
type device_t, vfio_device_t;
')
rw_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vfio_dev'($*)) dnl
')
########################################
##
## Allow read/write the vhost net device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_vhost',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vhost'($*)) dnl
gen_require(`
type device_t, vhost_device_t;
')
rw_chr_files_pattern($1, device_t, vhost_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vhost'($*)) dnl
')
########################################
##
## Allow read/write inheretid the vhost net device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_inherited_vhost',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_inherited_vhost'($*)) dnl
gen_require(`
type device_t, vhost_device_t;
')
allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_inherited_vhost'($*)) dnl
')
########################################
##
## Read and write VMWare devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_vmware',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vmware'($*)) dnl
gen_require(`
type device_t, vmware_device_t;
')
rw_chr_files_pattern($1, device_t, vmware_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vmware'($*)) dnl
')
########################################
##
## Read, write, and mmap VMWare devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rwx_vmware',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rwx_vmware'($*)) dnl
gen_require(`
type device_t, vmware_device_t;
')
dev_rw_vmware($1)
allow $1 vmware_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rwx_vmware'($*)) dnl
')
########################################
##
## Read from watchdog devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_watchdog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_watchdog'($*)) dnl
gen_require(`
type device_t, watchdog_device_t;
')
read_chr_files_pattern($1, device_t, watchdog_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_watchdog'($*)) dnl
')
########################################
##
## Write to watchdog devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_write_watchdog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_watchdog'($*)) dnl
gen_require(`
type device_t, watchdog_device_t;
')
write_chr_files_pattern($1, device_t, watchdog_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_watchdog'($*)) dnl
')
########################################
##
## RW to watchdog devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_watchdog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_watchdog'($*)) dnl
gen_require(`
type device_t, watchdog_device_t;
')
rw_chr_files_pattern($1, device_t, watchdog_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_watchdog'($*)) dnl
')
########################################
##
## Read and write the the wireless device.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_wireless',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_wireless'($*)) dnl
gen_require(`
type device_t, wireless_device_t;
')
rw_chr_files_pattern($1, device_t, wireless_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_wireless'($*)) dnl
')
########################################
##
## Read and write Xen devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_xen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_xen'($*)) dnl
gen_require(`
type device_t, xen_device_t;
')
rw_chr_files_pattern($1, device_t, xen_device_t)
allow $1 xen_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_xen'($*)) dnl
')
########################################
##
## Create, read, write, and delete Xen devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_xen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_xen'($*)) dnl
gen_require(`
type device_t, xen_device_t;
')
manage_chr_files_pattern($1, device_t, xen_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_xen'($*)) dnl
')
########################################
##
## Automatic type transition to the type
## for xen device nodes when created in /dev.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`dev_filetrans_xen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_xen'($*)) dnl
gen_require(`
type device_t, xen_device_t;
')
filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_xen'($*)) dnl
')
########################################
##
## Get the attributes of X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_xserver_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_xserver_misc_dev'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_xserver_misc_dev'($*)) dnl
')
########################################
##
## Set the attributes of X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_setattr_xserver_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_xserver_misc_dev'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_xserver_misc_dev'($*)) dnl
')
########################################
##
## Read and write X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_xserver_misc'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
allow $1 xserver_misc_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_xserver_misc'($*)) dnl
')
########################################
##
## Dontaudit attempts to Read and write X server miscellaneous devices.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_leaked_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_leaked_xserver_misc'($*)) dnl
gen_require(`
type xserver_misc_device_t;
')
dontaudit $1 xserver_misc_device_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_leaked_xserver_misc'($*)) dnl
')
########################################
##
## Read and write X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_manage_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_xserver_misc'($*)) dnl
gen_require(`
type device_t, xserver_misc_device_t;
')
manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
dev_filetrans_xserver_named_dev($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_xserver_misc'($*)) dnl
')
########################################
##
## mmap X server miscellaneous devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_map_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_xserver_misc'($*)) dnl
gen_require(`
type xserver_misc_device_t;
')
allow $1 xserver_misc_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_xserver_misc'($*)) dnl
')
########################################
##
## Read and write to the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_zero',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_zero'($*)) dnl
gen_require(`
type device_t, zero_device_t;
')
rw_chr_files_pattern($1, device_t, zero_device_t)
allow $1 zero_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_zero'($*)) dnl
')
########################################
##
## Read, write, and execute the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rwx_zero',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rwx_zero'($*)) dnl
gen_require(`
type zero_device_t;
')
dev_rw_zero($1)
allow $1 zero_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rwx_zero'($*)) dnl
')
########################################
##
## Execmod the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_execmod_zero',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_execmod_zero'($*)) dnl
gen_require(`
type zero_device_t;
')
dev_rw_zero($1)
allow $1 zero_device_t:chr_file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_execmod_zero'($*)) dnl
')
########################################
##
## Create the zero device (/dev/zero).
##
##
##
## Domain allowed access.
##
##
#
define(`dev_create_zero_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_zero_dev'($*)) dnl
gen_require(`
type device_t, zero_device_t;
')
create_chr_files_pattern($1, device_t, zero_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_zero_dev'($*)) dnl
')
########################################
##
## Unconfined access to devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_unconfined'($*)) dnl
gen_require(`
attribute devices_unconfined_type;
')
typeattribute $1 devices_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_unconfined'($*)) dnl
')
########################################
##
## Dontaudit getattr on all device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`dev_dontaudit_getattr_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all'($*)) dnl
gen_require(`
attribute device_node;
type device_t;
')
dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all'($*)) dnl
')
########################################
##
## Get the attributes of the mei devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_getattr_mei',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mei'($*)) dnl
gen_require(`
type device_t, mei_device_t;
')
getattr_chr_files_pattern($1, device_t, mei_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mei'($*)) dnl
')
########################################
##
## Read the mei devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_mei',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_mei'($*)) dnl
gen_require(`
type device_t, mei_device_t;
')
read_chr_files_pattern($1, device_t, mei_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_mei'($*)) dnl
')
########################################
##
## Read and write to mei devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_mei',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_mei'($*)) dnl
gen_require(`
type device_t, mei_device_t;
')
rw_chr_files_pattern($1, device_t, mei_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_mei'($*)) dnl
')
########################################
##
## Read and write uhid devices.
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_uhid_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_uhid_dev'($*)) dnl
gen_require(`
type device_t, uhid_device_t;
')
rw_chr_files_pattern($1, device_t, uhid_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_uhid_dev'($*)) dnl
')
########################################
##
## Allow read/write the hypervkvp device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_hypervkvp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_hypervkvp'($*)) dnl
gen_require(`
type device_t, hypervkvp_device_t;
')
rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_hypervkvp'($*)) dnl
')
########################################
##
## Allow read/write the hypervkvp device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_gpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_gpfs'($*)) dnl
gen_require(`
type device_t, gpfs_device_t;
')
read_chr_files_pattern($1, device_t, gpfs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_gpfs'($*)) dnl
')
########################################
##
## Allow read/write the gpiochip device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_read_gpio',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_gpio'($*)) dnl
gen_require(`
type device_t, gpio_device_t;
')
read_chr_files_pattern($1, device_t, gpio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_gpio'($*)) dnl
')
########################################
##
## Allow read/write the hypervvssd device
##
##
##
## Domain allowed access.
##
##
#
define(`dev_rw_hypervvssd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_hypervvssd'($*)) dnl
gen_require(`
type device_t, hypervvssd_device_t;
')
rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_hypervvssd'($*)) dnl
')
########################################
##
## Create all named devices with the correct label
##
##
##
## Domain allowed access.
##
##
#
define(`dev_filetrans_printer_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_printer_named_dev'($*)) dnl
gen_require(`
type printer_device_t;
')
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_printer_named_dev'($*)) dnl
')
########################################
##
## Create all named devices with the correct label
##
##
##
## Domain allowed access.
##
##
#
define(`dev_filetrans_all_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_all_named_dev'($*)) dnl
gen_require(`
type device_t;
type acpi_device_t;
type dma_device_t;
type usb_device_t;
type uhid_device_t;
type sound_device_t;
type apm_bios_t;
type mouse_device_t;
type autofs_device_t;
type lvm_control_t;
type crash_device_t;
type dlm_control_device_t;
type clock_device_t;
type v4l_device_t;
type vsock_device_t;
type vmci_device_t;
type vfio_device_t;
type event_device_t;
type xen_device_t;
type framebuf_device_t;
type null_device_t;
type random_device_t;
type dri_device_t;
type hsa_device_t;
type ipmi_device_t;
type memory_device_t;
type kmsg_device_t;
type qemu_device_t;
type ksm_device_t;
type kvm_device_t;
type sev_device_t;
type lirc_device_t;
type cpu_device_t;
type scanner_device_t;
type modem_device_t;
type monitor_device_t;
type vhost_device_t;
type netcontrol_device_t;
type nvram_device_t;
type power_device_t;
type opal_device_t;
type wireless_device_t;
type tpm_device_t;
type userio_device_t;
type urandom_device_t;
type usbmon_device_t;
type vmware_device_t;
type watchdog_device_t;
type crypt_device_t;
type zero_device_t;
type smartcard_device_t;
type mtrr_device_t;
type ecryptfs_device_t;
type mptctl_device_t;
type hypervkvp_device_t;
type hypervvssd_device_t;
type gpfs_device_t;
type gpio_device_t;
type cachefiles_device_t;
')
dev_filetrans_printer_named_dev($1)
filetrans_pattern($1, device_t, acpi_device_t, chr_file, "acpi_thermal_rel")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
filetrans_pattern($1, device_t, cachefiles_device_t, chr_file, "cachefiles")
filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
filetrans_pattern($1, device_t, acpi_device_t, chr_file, "dell-smbios")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
# Note this file path is /dev/dma_heap/system
filetrans_pattern($1, device_t, dma_device_t, chr_file, "system")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event22")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event23")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event24")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event25")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event26")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event27")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event28")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event29")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event30")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "isst_interface")
filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl")
filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
filetrans_pattern($1, device_t, sev_device_t, chr_file, "sev")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
filetrans_pattern($1, device_t, opal_device_t, chr_file, "op_panel")
filetrans_pattern($1, device_t, opal_device_t, chr_file, "opal-prd")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm0")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm1")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm2")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm3")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm4")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm5")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm6")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm7")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm8")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm9")
filetrans_pattern($1, device_t, random_device_t, chr_file, "trng")
filetrans_pattern($1, device_t, dma_device_t, chr_file, "udmabuf")
filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-0")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-1")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-2")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-3")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-4")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-5")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-6")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-7")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vsock")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
filetrans_pattern($1, device_t, crypt_device_t, chr_file, "pkey")
filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus_backend")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "hypercall")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0")
filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1")
filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2")
dev_filetrans_xserver_named_dev($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_all_named_dev'($*)) dnl
')
########################################
##
## Create all named devices with the correct label
##
##
##
## Domain allowed access.
##
##
#
define(`dev_filetrans_xserver_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_xserver_named_dev'($*)) dnl
gen_require(`
type xserver_misc_device_t;
')
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia-uvm")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_xserver_named_dev'($*)) dnl
')
## Core policy for domains.
##
## Contains the concept of a domain.
##
########################################
##
## Make the specified type usable as a basic domain.
##
##
##
## Make the specified type usable as a basic domain.
##
##
## This is primarily used for kernel threads;
## generally the domain_type() interface is
## more appropriate for userland processes.
##
##
##
##
## Type to be used as a basic domain type.
##
##
#
define(`domain_base_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_base_type'($*)) dnl
gen_require(`
attribute domain;
')
typeattribute $1 domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_base_type'($*)) dnl
')
########################################
##
## Make the specified type usable as a domain.
##
##
##
## Make the specified type usable as a domain. This,
## or an interface that calls this interface, must be
## used on all types that are used as domains.
##
##
## Related interfaces:
##
##
## - application_domain()
## - init_daemon_domain()
## - init_domaion()
## - init_ranged_daemon_domain()
## - init_ranged_domain()
## - init_ranged_system_domain()
## - init_script_domain()
## - init_system_domain()
##
##
## Example:
##
##
## type mydomain_t;
## domain_type(mydomain_t)
## type myfile_t;
## files_type(myfile_t)
## allow mydomain_t myfile_t:file read_file_perms;
##
##
##
##
## Type to be used as a domain type.
##
##
##
#
define(`domain_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_type'($*)) dnl
# start with basic domain
domain_base_type($1)
# Only way to get corenet_unlabeled packets disabled to work
corenet_all_recvfrom_unlabeled($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_type'($*)) dnl
')
########################################
##
## Make the specified type usable as
## an entry point for the domain.
##
##
##
## Domain to be entered.
##
##
##
##
## Type of program used for entering
## the domain.
##
##
#
define(`domain_entry_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_entry_file'($*)) dnl
gen_require(`
attribute entry_type;
')
allow $1 $2:file entrypoint;
allow $1 $2:file { mmap_exec_file_perms ioctl lock };
typeattribute $2 entry_type;
corecmd_executable_file($2)
#optional_policy(`
# unconfined_exec_typebounds($2)
#')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_entry_file'($*)) dnl
')
########################################
##
## Make the file descriptors of the specified
## domain for interactive use (widely inheritable)
##
##
##
## Domain allowed access.
##
##
#
define(`domain_interactive_fd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_interactive_fd'($*)) dnl
gen_require(`
attribute privfd;
')
typeattribute $1 privfd;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_interactive_fd'($*)) dnl
')
########################################
##
## Allow the specified domain to perform
## dynamic transitions.
##
##
##
## Allow the specified domain to perform
## dynamic transitions.
##
##
## This violates process tranquility, and it
## is strongly suggested that this not be used.
##
##
##
##
## Domain allowed access.
##
##
#
define(`domain_dyntrans_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dyntrans_type'($*)) dnl
gen_require(`
attribute set_curr_context;
')
typeattribute $1 set_curr_context;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dyntrans_type'($*)) dnl
')
########################################
##
## Makes caller and execption to the constraint
## preventing changing to the system user
## identity and system role.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_system_change_exemption',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_system_change_exemption'($*)) dnl
gen_require(`
attribute can_system_change;
')
typeattribute $1 can_system_change;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_system_change_exemption'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint preventing
## changing of user identity.
##
##
##
## The process type to make an exception to the constraint.
##
##
#
define(`domain_subj_id_change_exemption',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_subj_id_change_exemption'($*)) dnl
gen_require(`
attribute can_change_process_identity;
')
typeattribute $1 can_change_process_identity;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_subj_id_change_exemption'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint preventing
## changing of role.
##
##
##
## The process type to make an exception to the constraint.
##
##
#
define(`domain_role_change_exemption',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_role_change_exemption'($*)) dnl
gen_require(`
attribute can_change_process_role;
')
typeattribute $1 can_change_process_role;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_role_change_exemption'($*)) dnl
')
########################################
##
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
##
##
##
## The process type to make an exception to the constraint.
##
##
##
#
define(`domain_obj_id_change_exemption',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_obj_id_change_exemption'($*)) dnl
gen_require(`
attribute can_change_object_identity;
')
typeattribute $1 can_change_object_identity;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_obj_id_change_exemption'($*)) dnl
')
########################################
##
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
##
##
##
## Make the specified domain the target of
## the user domain exception of the
## SELinux role and identity change
## constraints.
##
##
## This interface is needed to decouple
## the user domains from the base module.
## It should not be used other than on
## user domains.
##
##
##
##
## Domain target for user exemption.
##
##
#
define(`domain_user_exemption_target',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_user_exemption_target'($*)) dnl
gen_require(`
attribute process_user_target;
')
typeattribute $1 process_user_target;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_user_exemption_target'($*)) dnl
')
########################################
##
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
##
## Make the specified domain the source of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## cron domains.
##
##
##
##
## Domain target for user exemption.
##
##
#
define(`domain_cron_exemption_source',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_source'($*)) dnl
gen_require(`
attribute cron_source_domain;
')
typeattribute $1 cron_source_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_cron_exemption_source'($*)) dnl
')
########################################
##
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
##
## Make the specified domain the target of
## the cron domain exception of the
## SELinux role and identity change
## constraints.
##
##
## This interface is needed to decouple
## the cron domains from the base module.
## It should not be used other than on
## user cron jobs.
##
##
##
##
## Domain target for user exemption.
##
##
#
define(`domain_cron_exemption_target',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_target'($*)) dnl
gen_require(`
attribute cron_job_domain;
')
typeattribute $1 cron_job_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_cron_exemption_target'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from
## domains with interactive programs.
##
##
##
## Allow the specified domain to inherit and use file
## descriptors from domains with interactive programs.
## This does not allow access to the objects being referenced
## by the file descriptors.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_use_interactive_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_use_interactive_fds'($*)) dnl
gen_require(`
attribute privfd;
')
allow $1 privfd:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_use_interactive_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit file
## descriptors from domains with interactive
## programs.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_use_interactive_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_use_interactive_fds'($*)) dnl
gen_require(`
attribute privfd;
')
dontaudit $1 privfd:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_use_interactive_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to domains whose file
## discriptors are widely inheritable.
##
##
##
## Domain allowed access.
##
##
#
# cjp: this was added because of newrole
define(`domain_sigchld_interactive_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_sigchld_interactive_fds'($*)) dnl
gen_require(`
attribute privfd;
')
allow $1 privfd:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_sigchld_interactive_fds'($*)) dnl
')
########################################
##
## Set the nice level of all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_setpriority_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_setpriority_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_setpriority_all_domains'($*)) dnl
')
########################################
##
## Send general signals to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_signal_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_signal_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_signal_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to send general
## signals to all domains.
##
##
##
## Domain to not audit.
##
##
##
#
define(`domain_dontaudit_signal_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_signal_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_signal_all_domains'($*)) dnl
')
########################################
##
## Send a null signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_signull_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_signull_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_signull_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to send
## signulls to all domains.
##
##
##
## Domain to not audit.
##
##
##
#
define(`domain_dontaudit_signull_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_signull_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_signull_all_domains'($*)) dnl
')
########################################
##
## Send a stop signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_sigstop_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_sigstop_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_sigstop_all_domains'($*)) dnl
')
########################################
##
## Send a child terminated signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_sigchld_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_sigchld_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_sigchld_all_domains'($*)) dnl
')
########################################
##
## Send a kill signal to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_kill_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_kill_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process sigkill;
allow $1 self:capability kill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_kill_all_domains'($*)) dnl
')
########################################
##
## Destroy all domains semaphores
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_destroy_all_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_destroy_all_semaphores'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:sem destroy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_destroy_all_semaphores'($*)) dnl
')
########################################
##
## Search the process state directory (/proc/pid) of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_search_all_domains_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_search_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
kernel_search_proc($1)
allow $1 domain:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_search_all_domains_state'($*)) dnl
')
########################################
##
## Allow read and view of process kernel keyrings
##
##
##
## Domain to dontaudit.
##
##
#
define(`domain_read_view_all_domains_keyrings',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_read_view_all_domains_keyrings'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:key { read view};
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_read_view_all_domains_keyrings'($*)) dnl
')
########################################
##
## Allow read and write of process kernel keyrings
##
##
##
## Domain to dontaudit.
##
##
#
define(`domain_rw_all_domains_keyrings',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_rw_all_domains_keyrings'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:key { read write};
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_rw_all_domains_keyrings'($*)) dnl
')
########################################
##
## Allow manage of process kernel keyrings
##
##
##
## Domain to dontaudit.
##
##
#
define(`domain_manage_all_domains_keyrings',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_manage_all_domains_keyrings'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_manage_all_domains_keyrings'($*)) dnl
')
########################################
##
## Dontaudit search of process kernel keyrings
##
##
##
## Domain to dontaudit.
##
##
#
define(`domain_dontaudit_search_all_domains_keyrings',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_search_all_domains_keyrings'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_search_all_domains_keyrings'($*)) dnl
')
########################################
##
## Dontaudit link of process kernel keyrings
##
##
##
## Domain to dontaudit.
##
##
#
define(`domain_dontaudit_link_all_domains_keyrings',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_link_all_domains_keyrings'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_link_all_domains_keyrings'($*)) dnl
')
########################################
##
## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_search_all_domains_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_search_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_search_all_domains_state'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_read_all_domains_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_read_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
kernel_search_proc($1)
allow $1 domain:dir list_dir_perms;
read_files_pattern($1, domain, domain)
read_lnk_files_pattern($1, domain, domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_read_all_domains_state'($*)) dnl
')
########################################
##
## Get the attributes of all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_getattr_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:process getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_domains'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of all confined domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_read_confined_domains_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_read_confined_domains_state'($*)) dnl
gen_require(`
attribute domain, unconfined_domain_type;
')
kernel_search_proc($1)
allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file read_file_perms;
dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_read_confined_domains_state'($*)) dnl
')
########################################
##
## Get the attributes of all confined domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_getattr_confined_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_confined_domains'($*)) dnl
gen_require(`
attribute domain, unconfined_domain_type;
')
allow $1 { domain -unconfined_domain_type }:process getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_confined_domains'($*)) dnl
')
########################################
##
## Ptrace all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_ptrace_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_ptrace_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process ptrace;
allow domain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_ptrace_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to ptrace all domains.
##
##
##
## Do not audit attempts to ptrace all domains.
##
##
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
##
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_ptrace_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:process ptrace;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to ptrace confined domains.
##
##
##
## Do not audit attempts to ptrace confined domains.
##
##
## Generally this needs to be suppressed because procps tries to access
## /proc/pid/environ and this now triggers a ptrace check in recent kernels
## (2.4 and 2.6).
##
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_ptrace_confined_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_confined_domains'($*)) dnl
gen_require(`
attribute domain, unconfined_domain_type;
')
dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_confined_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to read the process
## state (/proc/pid) of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_read_all_domains_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_read_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir list_dir_perms;
dontaudit $1 domain:lnk_file read_lnk_file_perms;
dontaudit $1 domain:file read_file_perms;
# cjp: these should be removed:
dontaudit $1 domain:sock_file read_sock_file_perms;
dontaudit $1 domain:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_read_all_domains_state'($*)) dnl
')
########################################
##
## Do not audit attempts to read the process state
## directories of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_list_all_domains_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_list_all_domains_state'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_list_all_domains_state'($*)) dnl
')
########################################
##
## Get the session ID of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getsession_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getsession_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process getsession;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getsession_all_domains'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## session ID of all domains.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getsession_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getsession_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:process getsession;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getsession_all_domains'($*)) dnl
')
########################################
##
## Get the process group ID of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getpgid_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getpgid_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getpgid_all_domains'($*)) dnl
')
########################################
##
## Get the scheduler information of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getsched_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getsched_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process getsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getsched_all_domains'($*)) dnl
')
########################################
##
## Get the capability information of all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getcap_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getcap_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process getcap;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getcap_all_domains'($*)) dnl
')
########################################
##
## Get the attributes of all domains
## sockets, for all socket types.
##
##
##
## Get the attributes of all domains
## sockets, for all socket types.
##
##
## This is commonly used for domains
## that can use lsof on all domains.
##
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_sockets'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:socket_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
##
##
##
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
##
##
## This interface was added for PCMCIA cardmgr
## and is probably excessive.
##
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:socket_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:tcp_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:udp_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all domains UDP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_rw_all_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_udp_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_udp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get attribues of
## all domains IPSEC key management sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_key_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_key_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:key_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_key_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get attribues of
## all domains packet sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_packet_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:packet_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get attribues of
## all domains raw sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_raw_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:rawip_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all domains key sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_rw_all_key_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_key_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:key_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_key_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:unix_dgram_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl
')
########################################
##
## Get the attributes
## of all domains unix datagram sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getattr_all_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_stream_sockets'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl
')
########################################
##
## Get the attributes of all domains
## unnamed pipes.
##
##
##
## Get the attributes of all domains
## unnamed pipes.
##
##
## This is commonly used for domains
## that can use lsof on all domains.
##
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_pipes'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_pipes'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_pipes'($*)) dnl
')
########################################
##
## Allow specified type to set context of all
## domains IPSEC associations.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_ipsec_setcontext_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_ipsec_setcontext_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:association setcontext;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_ipsec_setcontext_all_domains'($*)) dnl
')
########################################
##
## Get the attributes of entry point
## files for all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_getattr_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_entry_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all entry point files.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_getattr_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
dontaudit $1 entry_type:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_entry_files'($*)) dnl
')
########################################
##
## Read the entry point files for all domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_read_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_read_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
allow $1 entry_type:lnk_file read_lnk_file_perms;
allow $1 entry_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_read_all_entry_files'($*)) dnl
')
########################################
##
## Execute the entry point files for all
## domains in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_exec_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_exec_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
can_exec($1, entry_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_exec_all_entry_files'($*)) dnl
')
########################################
##
## dontaudit checking for execute on all entry point files
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_exec_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_exec_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
dontaudit $1 entry_type:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_exec_all_entry_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete all
## entrypoint files.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`domain_manage_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_manage_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_manage_all_entry_files'($*)) dnl
')
########################################
##
## Relabel from domain types on files if a user managed to mislable
##
##
##
## Domain allowed access.
##
##
#
define(`domain_relabelfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_relabelfrom'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:dir_file_class_set relabelfrom_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_relabelfrom'($*)) dnl
')
########################################
##
## Relabel to and from all entry point
## file types.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`domain_relabel_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_relabel_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_relabel_all_entry_files'($*)) dnl
')
########################################
##
## Mmap all entry point files as executable.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`domain_mmap_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_all_entry_files'($*)) dnl
gen_require(`
attribute entry_type;
')
allow $1 entry_type:file mmap_exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_all_entry_files'($*)) dnl
')
########################################
##
## Execute an entry_type in the specified domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
# cjp: added for userhelper
define(`domain_entry_file_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_entry_file_spec_domtrans'($*)) dnl
gen_require(`
attribute entry_type;
')
domain_transition_pattern($1, entry_type, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_entry_file_spec_domtrans'($*)) dnl
')
########################################
##
## Ability to mmap a low area of the address
## space conditionally, as configured by
## /proc/sys/vm/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_mmap_low',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_low'($*)) dnl
gen_require(`
attribute mmap_low_domain_type;
bool mmap_low_allowed;
')
typeattribute $1 mmap_low_domain_type;
if ( mmap_low_allowed ) {
allow $1 self:memprotect mmap_zero;
}
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_low'($*)) dnl
')
########################################
##
## Ability to mmap a low area of the address
## space unconditionally, as configured
## by /proc/sys/vm/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_mmap_low_uncond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_low_uncond'($*)) dnl
gen_require(`
attribute mmap_low_domain_type;
')
typeattribute $1 mmap_low_domain_type;
allow $1 self:memprotect mmap_zero;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_low_uncond'($*)) dnl
')
########################################
##
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
##
##
##
## Domain allowed access.
##
##
#
define(`domain_all_recvfrom_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_all_recvfrom_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
corenet_all_recvfrom_labeled($1, domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_all_recvfrom_all_domains'($*)) dnl
')
########################################
##
## Send generic signals to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_unconfined_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_unconfined_signal'($*)) dnl
gen_require(`
attribute unconfined_domain_type;
')
allow $1 unconfined_domain_type:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_unconfined_signal'($*)) dnl
')
########################################
##
## Named Filetrans Domain.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_named_filetrans'($*)) dnl
gen_require(`
attribute named_filetrans_domain;
')
typeattribute $1 named_filetrans_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_named_filetrans'($*)) dnl
')
#####################################
##
## named_filetrans_domain stub attribute interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`domain_stub_named_filetrans_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_stub_named_filetrans_domain'($*)) dnl
gen_require(`
attribute named_filetrans_domain;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_stub_named_filetrans_domain'($*)) dnl
')
########################################
##
## Unconfined access to domains.
##
##
##
## Domain allowed access.
##
##
#
define(`domain_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_unconfined'($*)) dnl
gen_require(`
attribute set_curr_context;
attribute can_change_object_identity;
attribute unconfined_domain_type;
attribute process_uncond_exempt;
')
typeattribute $1 unconfined_domain_type;
# pass constraints
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
mcs_process_set_categories($1)
userdom_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_unconfined'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all leaked sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_leaks'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:socket_class_set { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_leaks'($*)) dnl
')
########################################
##
## Allow caller to transition to any domain
##
##
##
## Domain allowed access.
##
##
#
define(`domain_transition_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_transition_all'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_transition_all'($*)) dnl
')
########################################
##
## Do not audit attempts to access check /proc
##
##
##
## Domain to not audit.
##
##
#
define(`domain_dontaudit_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_access_check'($*)) dnl
gen_require(`
attribute domain;
')
dontaudit $1 domain:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_access_check'($*)) dnl
')
########################################
##
## Allow set resource limits to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_setrlimit_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_setrlimit_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process setrlimit;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_setrlimit_all_domains'($*)) dnl
')
########################################
##
## Allow set resource limits to all domains.
##
##
##
## Domain allowed access.
##
##
##
#
define(`domain_rlimitinh_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_rlimitinh_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process rlimitinh;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_rlimitinh_all_domains'($*)) dnl
')
########################################
##
## Allow all domains noatsecure permission
##
##
##
## Domain allowed access.
##
##
#
define(`domain_noatsecure_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_noatsecure_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:process { noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_noatsecure_all_domains'($*)) dnl
')
######################################
##
## Allow domain dyntransition to all domains in domain attribute.
##
##
##
## Domain allowed to transition.
##
##
#
define(`domain_dyntrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dyntrans'($*)) dnl
gen_require(`
attribute domain;
')
dyntrans_pattern($1, domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dyntrans'($*)) dnl
')
########################################
##
## Allow read and write perf_event file descriptors from all domains
##
##
##
## Domain allowed access.
##
##
#
define(`domain_rw_perf_event_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_rw_perf_event_all_domains'($*)) dnl
gen_require(`
attribute domain;
')
allow $1 domain:perf_event rw_inherited_perf_event_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_rw_perf_event_all_domains'($*)) dnl
')
##
## Basic filesystem types and interfaces.
##
##
##
## This module contains basic filesystem types and interfaces. This
## includes:
##
## - The concept of different file types including basic
## files, mount points, tmp files, etc.
## - Access to groups of files and all files.
## - Types and interfaces for the basic filesystem layout
## (/, /etc, /tmp, /usr, etc.).
##
##
##
##
## Contains the concept of a file.
## Comains the file initial SID.
##
#####################################
##
## files stub etc_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_etc'($*)) dnl
gen_require(`
type etc_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_etc'($*)) dnl
')
#####################################
##
## files stub var_lock_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_var_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_lock'($*)) dnl
gen_require(`
type var_lock_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_lock'($*)) dnl
')
#####################################
##
## files stub var_log_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_var_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_log'($*)) dnl
gen_require(`
type var_log_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_log'($*)) dnl
')
#####################################
##
## files stub var_lib_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_lib'($*)) dnl
gen_require(`
type var_lib_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_lib'($*)) dnl
')
#####################################
##
## files stub var_run_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_run'($*)) dnl
gen_require(`
type var_run_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_run'($*)) dnl
')
#####################################
##
## files stub var_run_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_var_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_spool'($*)) dnl
gen_require(`
type var_spool_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_spool'($*)) dnl
')
#####################################
##
## files stub var_run_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var'($*)) dnl
gen_require(`
type var_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var'($*)) dnl
')
#####################################
##
## files stub tmp_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`files_stub_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_tmp'($*)) dnl
')
########################################
##
## Make the specified type usable for files
## in a filesystem.
##
##
##
## Make the specified type usable for files
## in a filesystem. Types used for files that
## do not use this interface, or an interface that
## calls this one, will have unexpected behaviors
## while the system is running. If the type is used
## for device nodes (character or block files), then
## the dev_node() interface is more appropriate.
##
##
## Related interfaces:
##
##
## - application_domain()
## - application_executable_file()
## - corecmd_executable_file()
## - init_daemon_domain()
## - init_domaion()
## - init_ranged_daemon_domain()
## - init_ranged_domain()
## - init_ranged_system_domain()
## - init_script_file()
## - init_script_domain()
## - init_system_domain()
## - files_config_files()
## - files_lock_file()
## - files_mountpoint()
## - files_pid_file()
## - files_security_file()
## - files_security_mountpoint()
## - files_spool_file()
## - files_tmp_file()
## - files_tmpfs_file()
## - logging_log_file()
## - userdom_user_home_content()
##
##
## Example:
##
##
## type myfile_t;
## files_type(myfile_t)
## allow mydomain_t myfile_t:file read_file_perms;
##
##
##
##
## Type to be used for files.
##
##
##
#
define(`files_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_type'($*)) dnl
gen_require(`
attribute file_type, non_security_file_type, non_auth_file_type;
')
typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_type'($*)) dnl
')
########################################
##
## Mark the specified type as a file
## that is related to authentication.
##
##
##
## Type of the authentication-related
## file.
##
##
#
define(`files_auth_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_auth_file'($*)) dnl
gen_require(`
attribute file_type, security_file_type, auth_file_type;
')
typeattribute $1 file_type, security_file_type, auth_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_auth_file'($*)) dnl
')
########################################
##
## Make the specified type a file that
## should not be dontaudited from
## browsing from user domains.
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
define(`files_security_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_security_file'($*)) dnl
gen_require(`
attribute file_type, security_file_type, non_auth_file_type;
')
typeattribute $1 file_type, security_file_type, non_auth_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_security_file'($*)) dnl
')
########################################
##
## Make the specified type usable for
## filesystem mount points.
##
##
##
## Type to be used for mount points.
##
##
#
define(`files_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mountpoint'($*)) dnl
gen_require(`
attribute mountpoint;
')
files_type($1)
typeattribute $1 mountpoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mountpoint'($*)) dnl
')
########################################
##
## Create a private type object in mountpoint dir
## with an automatic type transition
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_mountpoint_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mountpoint_filetrans'($*)) dnl
gen_require(`
attribute mountpoint;
')
filetrans_pattern($1, mountpoint, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mountpoint_filetrans'($*)) dnl
')
########################################
##
## Make the specified type usable for
## security file filesystem mount points.
##
##
##
## Type to be used for mount points.
##
##
#
define(`files_security_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_security_mountpoint'($*)) dnl
gen_require(`
attribute mountpoint;
')
files_security_file($1)
typeattribute $1 mountpoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_security_mountpoint'($*)) dnl
')
########################################
##
## Make the specified type usable for
## lock files.
##
##
##
## Type to be used for lock files.
##
##
#
define(`files_lock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_lock_file'($*)) dnl
gen_require(`
attribute lockfile;
')
files_type($1)
typeattribute $1 lockfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_lock_file'($*)) dnl
')
########################################
##
## Make the specified type usable for
## runtime process ID files.
##
##
##
## Make the specified type usable for runtime process ID files,
## typically found in /var/run.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a PID file type may result in problems with starting
## or stopping services.
##
##
## Related interfaces:
##
##
## - files_pid_filetrans()
##
##
## Example usage with a domain that can create and
## write its PID file with a private PID file type in the
## /var/run directory:
##
##
## type mypidfile_t;
## files_pid_file(mypidfile_t)
## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
## files_pid_filetrans(mydomain_t, mypidfile_t, file)
##
##
##
##
## Type to be used for PID files.
##
##
##
#
define(`files_pid_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_pid_file'($*)) dnl
gen_require(`
attribute pidfile;
')
files_type($1)
typeattribute $1 pidfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_pid_file'($*)) dnl
')
########################################
##
## Make the specified type a
## configuration file.
##
##
##
## Make the specified type usable for configuration files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## configuration management tools.
##
##
## Example usage with a domain that can read
## its configuration file /etc:
##
##
## type myconffile_t;
## files_config_file(myconffile_t)
## allow mydomain_t myconffile_t:file read_file_perms;
## files_search_etc(mydomain_t)
##
##
##
##
## Type to be used as a configuration file.
##
##
##
#
define(`files_config_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_config_file'($*)) dnl
gen_require(`
attribute configfile;
')
files_type($1)
typeattribute $1 configfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_config_file'($*)) dnl
')
########################################
##
## Make the specified type a
## polyinstantiated directory.
##
##
##
## Type of the file to be used as a
## polyinstantiated directory.
##
##
#
define(`files_poly',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly'($*)) dnl
gen_require(`
attribute polydir;
')
files_type($1)
typeattribute $1 polydir;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly'($*)) dnl
')
########################################
##
## Make the specified type a parent
## of a polyinstantiated directory.
##
##
##
## Type of the file to be used as a
## parent directory.
##
##
#
define(`files_poly_parent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly_parent'($*)) dnl
gen_require(`
attribute polyparent;
')
files_type($1)
typeattribute $1 polyparent;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly_parent'($*)) dnl
')
########################################
##
## Make the specified type a
## polyinstantiation member directory.
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
define(`files_poly_member',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly_member'($*)) dnl
gen_require(`
attribute polymember;
')
files_type($1)
typeattribute $1 polymember;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly_member'($*)) dnl
')
########################################
##
## Make the domain use the specified
## type of polyinstantiated directory.
##
##
##
## Domain using the polyinstantiated
## directory.
##
##
##
##
## Type of the file to be used as a
## member directory.
##
##
#
define(`files_poly_member_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly_member_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
type_member $1 tmp_t:dir $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly_member_tmp'($*)) dnl
')
########################################
##
## Make the specified type a file
## used for temporary files.
##
##
##
## Make the specified type usable for temporary files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## purging temporary files.
##
##
## Related interfaces:
##
##
## - files_tmp_filetrans()
##
##
## Example usage with a domain that can create and
## write its temporary file in the system temporary file
## directories (/tmp or /var/tmp):
##
##
## type mytmpfile_t;
## files_tmp_file(mytmpfile_t)
## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
##
##
##
##
## Type of the file to be used as a
## temporary file.
##
##
##
#
define(`files_tmp_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_tmp_file'($*)) dnl
gen_require(`
attribute tmpfile;
type tmp_t;
')
files_type($1)
files_poly_member($1)
typeattribute $1 tmpfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_tmp_file'($*)) dnl
')
########################################
##
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
##
##
##
## The type to be transformed.
##
##
#
define(`files_tmpfs_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_tmpfs_file'($*)) dnl
gen_require(`
attribute tmpfsfile;
')
files_type($1)
typeattribute $1 tmpfsfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_tmpfs_file'($*)) dnl
')
########################################
##
## Get the attributes of all directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
getattr_dirs_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_dirs'($*)) dnl
')
########################################
##
## List all non-security directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_non_security',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_non_security'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
list_dirs_pattern($1, non_security_file_type, non_security_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_non_security'($*)) dnl
')
########################################
##
## Watch all non-security directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
watch_dirs_pattern($1, non_security_file_type, non_security_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_security_dirs'($*)) dnl
')
########################################
##
## Watch all non-security files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
watch_files_pattern($1, non_security_file_type, non_security_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_security_files'($*)) dnl
')
########################################
##
## Watch all non-security lnk_files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_non_security_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_security_lnk_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
watch_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_security_lnk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to list all
## non-security directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_non_security',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_non_security'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_non_security'($*)) dnl
')
########################################
##
## Mount a filesystem on all non-security
## directories and files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_non_security',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_non_security'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir { write setattr mounton };
allow $1 non_security_file_type:file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_non_security'($*)) dnl
')
########################################
##
## Allow attempts to modify any directory
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_non_security_dirs'($*)) dnl
')
########################################
##
## Allow attempts to setattr any directory
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir { read setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_non_security_dirs'($*)) dnl
')
########################################
##
## Allow attempts to create non-security directories
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir { create_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_non_security_dirs'($*)) dnl
')
########################################
##
## Allow attempts to manage non-security directories
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_security_dirs'($*)) dnl
')
########################################
##
## Allow attempts to search non-security directories
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_non_security_dirs'($*)) dnl
')
########################################
##
## Get the attributes of all files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
getattr_files_pattern($1, file_type, file_type)
getattr_lnk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_files'($*)) dnl
')
########################################
##
## Get the attributes of all chr files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_chr_files'($*)) dnl
gen_require(`
attribute file_type;
')
getattr_chr_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_chr_files'($*)) dnl
')
########################################
##
## Get the attributes of all blk files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_blk_files'($*)) dnl
gen_require(`
attribute file_type;
')
getattr_blk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of proc_type files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_proc_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_proc_type_files'($*)) dnl
gen_require(`
attribute proc_type;
')
dontaudit $1 proc_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_proc_type_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of sysctl_type files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_sysctl_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_sysctl_type_files'($*)) dnl
gen_require(`
attribute sysctl_type;
')
dontaudit $1 sysctl_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_sysctl_type_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of filesystem_type files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_filesystem_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_filesystem_type_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_filesystem_type_files'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## non security dirs.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_non_security_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of non security files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_setattr_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_non_security_files'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of non security directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_setattr_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_non_security_dirs'($*)) dnl
')
########################################
##
## Read all files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
read_files_pattern($1, file_type, file_type)
optional_policy(`
auth_read_shadow($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_files'($*)) dnl
')
########################################
##
## Mmap all files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mmap_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mmap_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mmap_all_files'($*)) dnl
')
########################################
##
## Allow shared library text relocations in all files.
##
##
##
## Allow shared library text relocations in all files.
##
##
## This is added to support WINE policy.
##
##
##
##
## Domain allowed access.
##
##
#
define(`files_execmod_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_execmod_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_execmod_all_files'($*)) dnl
')
########################################
##
## Read all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
list_dirs_pattern($1, non_security_file_type, non_security_file_type)
read_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_security_files'($*)) dnl
')
########################################
##
## Map all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_map_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_non_security_files'($*)) dnl
')
########################################
##
## Read/Write all inherited non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_rw_inherited_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_non_security_files'($*)) dnl
')
########################################
##
## Allow Append to non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_append_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_append_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_append_non_security_files'($*)) dnl
')
########################################
##
## Manage all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
manage_files_pattern($1, non_security_file_type, non_security_file_type)
manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_security_files'($*)) dnl
')
########################################
##
## Relabel all non-security files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
allow $1 { non_security_file_type }:dir list_dir_perms;
relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_non_security_files'($*)) dnl
')
########################################
##
## Search all base file dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_base_file_types',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_base_file_types'($*)) dnl
gen_require(`
attribute base_file_type;
')
allow $1 base_file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_base_file_types'($*)) dnl
')
########################################
##
## Relabel all base file types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_base_file_types',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_base_file_types'($*)) dnl
gen_require(`
attribute base_file_type;
')
allow $1 base_file_type:dir list_dir_perms;
relabel_dirs_pattern($1, base_file_type , base_file_type )
relabel_files_pattern($1, base_file_type , base_file_type )
relabel_lnk_files_pattern($1, base_file_type , base_file_type )
relabel_fifo_files_pattern($1, base_file_type , base_file_type )
relabel_sock_files_pattern($1, base_file_type , base_file_type )
relabel_blk_files_pattern($1, base_file_type , base_file_type )
relabel_chr_files_pattern($1, base_file_type , base_file_type )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_base_file_types'($*)) dnl
')
########################################
##
## Read all directories on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`files_read_all_dirs_except',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_dirs_except'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 { file_type $2 }:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_dirs_except'($*)) dnl
')
########################################
##
## Read all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`files_read_all_files_except',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_files_except'($*)) dnl
gen_require(`
attribute file_type;
')
read_files_pattern($1, { file_type $2 }, { file_type $2 })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_files_except'($*)) dnl
')
########################################
##
## Read all symbolic links on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`files_read_all_symlinks_except',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks_except'($*)) dnl
gen_require(`
attribute file_type;
')
read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_symlinks_except'($*)) dnl
')
########################################
##
## Get the attributes of all symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
getattr_lnk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to read all symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_symlinks'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security block devices.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_blk_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security character devices.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_chr_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_chr_files'($*)) dnl
')
########################################
##
## Read all symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
read_lnk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of all named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_pipes'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
getattr_fifo_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pipes'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security named pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_pipes'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read/write
## of non security named pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_inherited_pipes'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_inherited_pipes'($*)) dnl
')
########################################
##
## Get the attributes of all named sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_sockets'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
getattr_sock_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_sockets'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## of all named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_sockets'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:sock_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## of all security file types.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_all_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_non_security_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of non security named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_non_security_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_sockets'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_sockets'($*)) dnl
')
########################################
##
## Read all block nodes with file types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_blk_files'($*)) dnl
gen_require(`
attribute file_type;
')
read_blk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_blk_files'($*)) dnl
')
########################################
##
## Read all character nodes with file types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_chr_files'($*)) dnl
gen_require(`
attribute file_type;
')
read_chr_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_chr_files'($*)) dnl
')
########################################
##
## Relabel all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`files_relabel_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 { file_type $2 }:dir list_dir_perms;
relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
auth_relabelto_shadow($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_files'($*)) dnl
')
########################################
##
## rw all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`files_rw_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
rw_files_pattern($1, { file_type $2 }, { file_type $2 })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_all_files'($*)) dnl
')
########################################
##
## Manage all files on the filesystem, except
## the listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`files_manage_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
manage_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
auth_reader_shadow($1)
auth_writer_shadow($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_files'($*)) dnl
')
########################################
##
## Search the contents of all directories on
## extended attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_all'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_all'($*)) dnl
')
########################################
##
## List the contents of all directories on
## extended attribute filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_all'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_all'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_dirs'($*)) dnl
')
########################################
##
## Get the attributes of all filesystems
## with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
# dwalsh: This interface is to allow quotacheck to work on a
# a filesystem mounted with the --context switch
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
#
define(`files_getattr_all_file_type_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_file_type_fs'($*)) dnl
')
########################################
##
## Relabel a filesystem to the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_all_file_type_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_all_file_type_fs'($*)) dnl
')
########################################
##
## Relabel a filesystem to the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_all_file_type_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem { relabelfrom relabelto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_file_type_fs'($*)) dnl
')
########################################
##
## Mount all filesystems with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mount_all_file_type_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mount_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mount_all_file_type_fs'($*)) dnl
')
########################################
##
## Unmount all filesystems with the type of a file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_unmount_all_file_type_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_unmount_all_file_type_fs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_unmount_all_file_type_fs'($*)) dnl
')
########################################
##
## Read all non-authentication related
## directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_non_auth_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_non_auth_dirs'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_non_auth_dirs'($*)) dnl
')
########################################
##
## Watch non-authentication related directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_non_auth_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_auth_dirs'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
watch_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_auth_dirs'($*)) dnl
')
########################################
##
## Read all non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_non_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_auth_files'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
read_files_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_auth_files'($*)) dnl
')
########################################
##
## Read all non-authentication related
## symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_non_auth_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_auth_symlinks'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_auth_symlinks'($*)) dnl
')
########################################
##
## rw non-authentication related files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_non_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_non_auth_files'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_non_auth_files'($*)) dnl
')
########################################
##
## Manage non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_non_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_auth_files'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_auth_files'($*)) dnl
')
########################################
##
## Relabel all non-authentication related
## files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_non_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_non_auth_files'($*)) dnl
gen_require(`
attribute non_auth_file_type;
')
allow $1 non_auth_file_type:dir list_dir_perms;
relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
# this is only relabelfrom since there should be no
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_non_auth_files'($*)) dnl
')
#############################################
##
## Manage all configuration directories on filesystem
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_config_dirs'($*)) dnl
gen_require(`
attribute configfile;
')
manage_dirs_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_config_dirs'($*)) dnl
')
#########################################
##
## Relabel configuration directories
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_config_dirs'($*)) dnl
gen_require(`
attribute configfile;
')
relabel_dirs_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_config_dirs'($*)) dnl
')
########################################
##
## Read config files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_config_files'($*)) dnl
gen_require(`
attribute configfile;
')
allow $1 configfile:dir list_dir_perms;
read_files_pattern($1, configfile, configfile)
read_lnk_files_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_config_files'($*)) dnl
')
###########################################
##
## Manage all configuration files on filesystem
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_config_files'($*)) dnl
gen_require(`
attribute configfile;
')
manage_files_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_config_files'($*)) dnl
')
#######################################
##
## Relabel configuration files
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_config_files'($*)) dnl
gen_require(`
attribute configfile;
')
relabel_files_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_config_files'($*)) dnl
')
########################################
##
## Mount a filesystem on all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir { search_dir_perms mounton };
allow $1 mountpoint:file { getattr mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_all_mountpoints'($*)) dnl
')
########################################
##
## Get the attributes of all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_mountpoints'($*)) dnl
')
########################################
##
## Set the attributes of all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_all_mountpoints'($*)) dnl
')
########################################
##
## Set the attributes of all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_all_mountpoints'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes on all mount points.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_setattr_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_all_mountpoints'($*)) dnl
')
########################################
##
## Search all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_all_mountpoints'($*)) dnl
')
########################################
##
## Do not audit searching of all mount points.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_mountpoints'($*)) dnl
')
########################################
##
## List all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_all_mountpoints'($*)) dnl
')
########################################
##
## Do not audit listing of all mount points.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_all_mountpoints'($*)) dnl
')
########################################
##
## Write all mount points.
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_all_mountpoints'($*)) dnl
')
########################################
##
## Do not audit attempts to write to mount points.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
dontaudit $1 self:capability { dac_read_search };
dontaudit $1 mountpoint:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_mountpoints'($*)) dnl
')
########################################
##
## Do not audit attempts to unmount all mount points.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_unmount_all_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_unmount_all_mountpoints'($*)) dnl
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_unmount_all_mountpoints'($*)) dnl
')
########################################
##
## Read all mountpoint symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_mountpoint_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_mountpoint_symlinks'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_mountpoint_symlinks'($*)) dnl
')
########################################
##
## Make all mountpoint as entrypoint.
##
##
##
## Domain allowed access.
##
##
#
define(`files_entrypoint_all_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_entrypoint_all_mountpoint'($*)) dnl
gen_require(`
attribute mountpoint;
')
allow $1 mountpoint:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_entrypoint_all_mountpoint'($*)) dnl
')
########################################
##
## Remove all file type directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rmdir_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rmdir_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir rmdir;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rmdir_all_dirs'($*)) dnl
')
########################################
##
## Write all file type directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_all_dirs'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_all_dirs'($*)) dnl
')
########################################
##
## List the contents of the root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_root',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_root'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir list_dir_perms;
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_root'($*)) dnl
')
########################################
##
## Do not audit attempts to write to / dirs.
##
##
##
## Domain to not audit.
##
##
#
define(`files_write_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_root_dirs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_root_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to write to / dirs.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_root_dirs'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_root_dirs'($*)) dnl
')
###################
##
## Do not audit attempts to write
## files in the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_root_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_dir'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_dir'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_access_check_root',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_root'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_root'($*)) dnl
')
########################################
##
## Create an object in the root directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_root_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_root_filetrans'($*)) dnl
gen_require(`
type root_t;
')
filetrans_pattern($1, root_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_root_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to read files in
## the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_root_files'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_root_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## files in the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_files'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## character device nodes in the root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_root_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_chr_files'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_chr_files'($*)) dnl
')
########################################
##
## Delete files in the root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_root_files'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_root_files'($*)) dnl
')
########################################
##
## Remove entries from the root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_root_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_root_dir_entry'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_root_dir_entry'($*)) dnl
')
########################################
##
## Set attributes of the root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_root_dirs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_root_dirs'($*)) dnl
')
##########################################
##
## Watch the root directory.
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_root_dirs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_root_dirs'($*)) dnl
')
##########################################
##
## Watch_mount the root directory.
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_mount_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_root_dirs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_root_dirs'($*)) dnl
')
##########################################
##
## Watch_with_perm the root directory.
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_with_perm_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_root_dirs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_root_dirs'($*)) dnl
')
########################################
##
## Relabel a rootfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_rootfs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:filesystem relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_rootfs'($*)) dnl
')
########################################
##
## Unmount a rootfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`files_unmount_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_unmount_rootfs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_unmount_rootfs'($*)) dnl
')
########################################
##
## Mount a filesystem on the root file system
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_rootfs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_rootfs'($*)) dnl
')
########################################
##
## Remount a filesystem on the root file system
##
##
##
## Domain allowed access.
##
##
#
define(`files_remount_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_remount_rootfs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:filesystem { remount };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_remount_rootfs'($*)) dnl
')
########################################
##
## Mount a filesystem on the root file system
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_mounton_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_mounton_rootfs'($*)) dnl
gen_require(`
type root_t;
')
dontaudit $1 root_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_mounton_rootfs'($*)) dnl
')
########################################
##
## Get attributes of the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_boot_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes
## of the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_boot_dirs'($*)) dnl
')
########################################
##
## Search the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_boot'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_boot'($*)) dnl
')
########################################
##
## Do not audit attempts to search the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_boot'($*)) dnl
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_boot'($*)) dnl
')
########################################
##
## List the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_boot'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_boot'($*)) dnl
')
#######################################
##
## Do not audit attempts to list the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_list_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_boot'($*)) dnl
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_boot'($*)) dnl
')
########################################
##
## Create directories in /boot
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir { create rw_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_boot_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## directories in /boot.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to manage entries
## in the /boot directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_manage_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_manage_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_manage_boot_dirs'($*)) dnl
')
########################################
##
## Watch directories in /boot.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_boot_dirs'($*)) dnl
')
########################################
##
## Watch_mount directories in /boot.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_mount_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_boot_dirs'($*)) dnl
')
########################################
##
## Watch_with_perm directories in /boot.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_with_perm_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_boot_dirs'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_boot_dirs'($*)) dnl
')
########################################
##
## Create a private type object in boot
## with an automatic type transition
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_boot_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_boot_filetrans'($*)) dnl
gen_require(`
type boot_t;
')
filetrans_pattern($1, boot_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_boot_filetrans'($*)) dnl
')
########################################
##
## read files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
read_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_boot_files'($*)) dnl
')
######################################
##
## Map files in the /boot.
##
##
##
## Domain allowed access.
##
##
#
define(`files_map_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_boot_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
manage_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_files'($*)) dnl
')
########################################
##
## Dontaudit Create, read, write, and delete files
## in the boot files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_dontaudit_manage_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_manage_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
dontaudit $1 boot_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_manage_boot_files'($*)) dnl
')
########################################
##
## Relabel from files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
relabelfrom_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_boot_files'($*)) dnl
')
########################################
##
## Relabel to files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_boot_files'($*)) dnl
gen_require(`
type boot_t;
')
relabelto_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_boot_files'($*)) dnl
')
######################################
##
## Read symbolic links in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_boot_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_boot_symlinks'($*)) dnl
gen_require(`
type boot_t;
')
read_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_boot_symlinks'($*)) dnl
')
########################################
##
## Read and write symbolic links
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_boot_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_boot_symlinks'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
rw_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_boot_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_boot_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_symlinks'($*)) dnl
gen_require(`
type boot_t;
')
manage_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_symlinks'($*)) dnl
')
########################################
##
## Read kernel files in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_kernel_img',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_img'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
read_files_pattern($1, boot_t, boot_t)
read_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_img'($*)) dnl
')
########################################
##
## Install a kernel into the /boot directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_create_kernel_img',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_kernel_img'($*)) dnl
gen_require(`
type boot_t;
')
allow $1 boot_t:file { create_file_perms rw_file_perms };
manage_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_kernel_img'($*)) dnl
')
########################################
##
## Delete a kernel from /boot.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_kernel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel'($*)) dnl
gen_require(`
type boot_t;
')
delete_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel'($*)) dnl
')
########################################
##
## Getattr of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_default_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_default_dirs'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_default_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## directories with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_default_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_dirs'($*)) dnl
gen_require(`
type default_t;
')
dontaudit $1 default_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_dirs'($*)) dnl
')
########################################
##
## Search the contents of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_default'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_default'($*)) dnl
')
########################################
##
## List contents of directories with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_default'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_default'($*)) dnl
')
########################################
##
## Do not audit attempts to list contents of
## directories with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_default'($*)) dnl
gen_require(`
type default_t;
')
dontaudit $1 default_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_default'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories with
## the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_default_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_default_dirs'($*)) dnl
gen_require(`
type default_t;
')
manage_dirs_pattern($1, default_t, default_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_default_dirs'($*)) dnl
')
########################################
##
## Mount a filesystem on a directory with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_default'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_default'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## files with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_files'($*)) dnl
gen_require(`
type default_t;
')
dontaudit $1 default_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_files'($*)) dnl
')
########################################
##
## Read files with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_files'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read files
## with the default file type.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_default_files'($*)) dnl
gen_require(`
type default_t;
')
dontaudit $1 default_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_default_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files with
## the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_default_files'($*)) dnl
gen_require(`
type default_t;
')
manage_files_pattern($1, default_t, default_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_default_files'($*)) dnl
')
########################################
##
## Read symbolic links with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_symlinks'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_symlinks'($*)) dnl
')
########################################
##
## Read sockets with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_sockets'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:sock_file read_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_sockets'($*)) dnl
')
########################################
##
## Read named pipes with the default file type.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_default_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_pipes'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_pipes'($*)) dnl
')
########################################
##
## Mounton directories on filesystem /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_etc'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_etc'($*)) dnl
')
########################################
##
## Search the contents of /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_etc'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_etc'($*)) dnl
')
########################################
##
## Set the attributes of the /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_etc_dirs'($*)) dnl
')
########################################
##
## List the contents of /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_etc'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_etc'($*)) dnl
')
########################################
##
## Do not audit attempts to write to /etc dirs.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_dirs'($*)) dnl
')
########################################
##
## Add and remove entries from /etc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_dirs'($*)) dnl
')
#######################################
##
## Dontaudit remove dir /etc directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_remove_etc_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_remove_etc_dir'($*)) dnl
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:dir rmdir;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_remove_etc_dir'($*)) dnl
')
##########################################
##
## Manage generic directories in /etc
##
##
##
## Domain allowed access
##
##
##
#
define(`files_manage_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
manage_dirs_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_dirs'($*)) dnl
')
########################################
##
## Read generic files in /etc.
##
##
##
## Allow the specified domain to read generic
## files in /etc. These files are typically
## general system configuration files that do
## not have more specific SELinux types. Some
## examples of these files are:
##
##
## - /etc/fstab
## - /etc/passwd
## - /etc/services
## - /etc/shells
##
##
## This interface does not include access to /etc/shadow.
##
##
## Generally, it is safe for many domains to have
## this access. However, since this interface provides
## access to the /etc/passwd file, caution must be
## exercised, as user account names can be leaked
## through this access.
##
##
## Related interfaces:
##
##
## - auth_read_shadow()
## - files_read_etc_runtime_files()
## - seutil_read_config()
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
files_read_etc_runtime_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write generic files in /etc.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_files'($*)) dnl
')
########################################
##
## Read and write generic files in /etc.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_rw_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_files'($*)) dnl
')
########################################
##
## Map and read generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_map_read_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_read_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
mmap_read_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_read_etc_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## files in /etc.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
manage_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_files'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on etc files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_access_check_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_etc'($*)) dnl
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_etc'($*)) dnl
')
########################################
##
## Delete system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
delete_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_etc_files'($*)) dnl
')
########################################
##
## Remove entries from the etc directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_etc_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_etc_dir_entry'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir del_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_etc_dir_entry'($*)) dnl
')
########################################
##
## Execute generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
read_lnk_files_pattern($1, etc_t, etc_t)
exec_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_etc_files'($*)) dnl
')
#######################################
##
## Relabel from and to generic files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir list_dir_perms;
relabel_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_etc_files'($*)) dnl
')
########################################
##
## Read symbolic links in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_etc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_symlinks'($*)) dnl
gen_require(`
type etc_t;
')
read_lnk_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_etc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_symlinks'($*)) dnl
gen_require(`
type etc_t;
')
manage_lnk_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_symlinks'($*)) dnl
')
########################################
##
## Create objects in /etc with a private
## type using a type_transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Object classes to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_etc_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_etc_filetrans'($*)) dnl
gen_require(`
type etc_t;
')
filetrans_pattern($1, etc_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_etc_filetrans'($*)) dnl
')
##########################################
##
## Watch generic directories in /etc.
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_etc_dirs'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_etc_dirs'($*)) dnl
')
##########################################
##
## Watch generic files in /etc.
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_etc_files'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_etc_files'($*)) dnl
')
########################################
##
## Create a boot flag.
##
##
##
## Create a boot flag, such as
## /.autorelabel and /.autofsck.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
##
#
define(`files_create_boot_flag',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_boot_flag'($*)) dnl
gen_require(`
type root_t, etc_runtime_t;
')
allow $1 etc_runtime_t:file manage_file_perms;
filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_boot_flag'($*)) dnl
')
########################################
##
## Delete a boot flag.
##
##
##
## Delete a boot flag, such as
## /.autorelabel and /.autofsck.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_boot_flag',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_boot_flag'($*)) dnl
gen_require(`
type root_t, etc_runtime_t;
')
delete_files_pattern($1, root_t, etc_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_boot_flag'($*)) dnl
')
########################################
##
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Allow the specified domain to read dynamically created
## configuration files in /etc. These files are typically
## general system configuration files that do
## not have more specific SELinux types. Some
## examples of these files are:
##
##
## - /etc/motd
## - /etc/mtab
## - /etc/nologin
##
##
## This interface does not include access to /etc/shadow.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`files_read_etc_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_runtime_files'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_runtime_t)
read_lnk_files_pattern($1, etc_t, etc_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_runtime_files'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of the etc_runtime files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_setattr_etc_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_etc_runtime_files'($*)) dnl
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_etc_runtime_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write etc_runtime files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_etc_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_runtime_files'($*)) dnl
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_runtime_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_etc_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_etc_runtime_files'($*)) dnl
gen_require(`
type etc_runtime_t;
')
dontaudit $1 etc_runtime_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_etc_runtime_files'($*)) dnl
')
########################################
##
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_rw_etc_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_runtime_files'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
read_lnk_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_runtime_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in
## /etc that are dynamically created on boot,
## such as mtab.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_etc_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_runtime_files'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
manage_dirs_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
read_lnk_files_pattern($1, etc_t, etc_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_runtime_files'($*)) dnl
')
########################################
##
## Create, etc runtime objects with an automatic
## type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_etc_filetrans_etc_runtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_etc_filetrans_etc_runtime'($*)) dnl
gen_require(`
type etc_t, etc_runtime_t;
')
filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_etc_filetrans_etc_runtime'($*)) dnl
')
########################################
##
## Getattr of directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_isid_type_dirs'($*)) dnl
')
########################################
##
## Getattr all file opbjects on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_isid_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_isid_type'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir_file_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_isid_type'($*)) dnl
')
########################################
##
## Setattr of directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_isid_type_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_isid_type_dirs'($*)) dnl
')
########################################
##
## List the contents of directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_isid_type_dirs'($*)) dnl
')
########################################
##
## Read and write directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_isid_type_dirs'($*)) dnl
')
########################################
##
## Delete directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_dirs'($*)) dnl
')
########################################
##
## Execute files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_isid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_isid_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
can_exec($1, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_isid_files'($*)) dnl
')
########################################
##
## Moundon directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_isid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_isid'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_isid'($*)) dnl
')
########################################
##
## Relabelfrom all file opbjects on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_isid_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_isid_type'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_isid_type'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_dirs'($*)) dnl
')
########################################
##
## Mount a filesystem on a directory on new filesystems
## that has not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_isid_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_isid_type_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_isid_type_dirs'($*)) dnl
')
########################################
##
## Mount a filesystem on a new chr_file
## that has not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_isid_type_chr_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_isid_type_chr_file'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:chr_file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_isid_type_chr_file'($*)) dnl
')
########################################
##
## Read files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_isid_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_isid_type_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_isid_type_files'($*)) dnl
')
########################################
##
## Delete files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_files'($*)) dnl
')
########################################
##
## Delete symbolic links on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_symlinks'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_symlinks'($*)) dnl
')
########################################
##
## Delete named pipes on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_fifo_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_fifo_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_fifo_files'($*)) dnl
')
########################################
##
## Delete named sockets on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_sock_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_sock_files'($*)) dnl
')
########################################
##
## Delete block files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_blk_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write to character
## files that have not yet been labeled.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_isid_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_isid_chr_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:chr_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_isid_chr_files'($*)) dnl
')
########################################
##
## Delete chr files on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_isid_type_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_chr_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_isid_type_chr_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_symlinks'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_symlinks'($*)) dnl
')
########################################
##
## Read and write block device nodes on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_isid_type_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_isid_type_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:blk_file rw_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_isid_type_blk_files'($*)) dnl
')
########################################
##
## rw any files inherited from another process
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_inherited_isid_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_isid_type_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_isid_type_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:blk_file manage_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_blk_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete character device nodes
## on new filesystems that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_isid_type_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_chr_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:chr_file manage_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_isid_type_chr_files'($*)) dnl
')
########################################
##
## Dontaudit Moundon directories on new filesystems
## that have not yet been labeled.
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_mounton_isid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_mounton_isid'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_mounton_isid'($*)) dnl
')
########################################
##
## Get the attributes of the home directories root
## (/home).
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_home_dir'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir getattr;
allow $1 home_root_t:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_home_dir'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the home directories root
## (/home).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_home_dir'($*)) dnl
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir getattr;
dontaudit $1 home_root_t:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_home_dir'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on home root directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_access_check_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_home_dir'($*)) dnl
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_home_dir'($*)) dnl
')
########################################
##
## Create /home directories
##
##
##
## Domain allowed access
##
##
#
define(`files_create_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_home_dir'($*)) dnl
gen_require(`
type home_root_t;
')
create_dirs_pattern($1, home_root_t, home_root_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_home_dir'($*)) dnl
')
########################################
##
## Search home directories root (/home).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_home'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir search_dir_perms;
allow $1 home_root_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_home'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## home directories root (/home).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_home'($*)) dnl
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir search_dir_perms;
dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_home'($*)) dnl
')
########################################
##
## Do not audit attempts to list
## home directories root (/home).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_home'($*)) dnl
gen_require(`
type home_root_t;
')
dontaudit $1 home_root_t:dir list_dir_perms;
dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_home'($*)) dnl
')
########################################
##
## Get listing of home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_home'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir list_dir_perms;
allow $1 home_root_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_home'($*)) dnl
')
########################################
##
## Watch home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_home'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_home'($*)) dnl
')
########################################
##
## Watch_mount home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_mount_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_home'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_home'($*)) dnl
')
########################################
##
## Watch_with_perm home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_with_perm_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_home'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_home'($*)) dnl
')
########################################
##
## Relabel to user home root (/home).
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_home'($*)) dnl
gen_require(`
type home_root_t;
')
allow $1 home_root_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_home'($*)) dnl
')
########################################
##
## Create objects in /home.
##
##
##
## Domain allowed access.
##
##
##
##
## The private type.
##
##
##
##
## The class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_home_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_home_filetrans'($*)) dnl
gen_require(`
type home_root_t;
')
filetrans_pattern($1, home_root_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_home_filetrans'($*)) dnl
')
########################################
##
## Get the attributes of lost+found directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_lost_found_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_lost_found_dirs'($*)) dnl
gen_require(`
type lost_found_t;
')
allow $1 lost_found_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_lost_found_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## lost+found directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_lost_found_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_lost_found_dirs'($*)) dnl
gen_require(`
type lost_found_t;
')
dontaudit $1 lost_found_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_lost_found_dirs'($*)) dnl
')
#######################################
##
## List the contents of lost+found directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_lost_found',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_lost_found'($*)) dnl
gen_require(`
type lost_found_t;
')
allow $1 lost_found_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_lost_found'($*)) dnl
')
########################################
##
## Create, read, write, and delete objects in
## lost+found directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_lost_found',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_lost_found'($*)) dnl
gen_require(`
type lost_found_t;
')
manage_dirs_pattern($1, lost_found_t, lost_found_t)
manage_files_pattern($1, lost_found_t, lost_found_t)
manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
manage_sock_files_pattern($1, lost_found_t, lost_found_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_lost_found'($*)) dnl
')
########################################
##
## Search the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_mnt'($*)) dnl
')
########################################
##
## Do not audit attempts to search /mnt.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
dontaudit $1 mnt_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_mnt'($*)) dnl
')
########################################
##
## List the contents of /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_mnt'($*)) dnl
')
######################################
##
## dontaudit List the contents of /mnt.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
dontaudit $1 mnt_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_mnt'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## write access on mnt files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_access_check_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
dontaudit $1 mnt_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_mnt'($*)) dnl
')
########################################
##
## Mount a filesystem on /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_mnt'($*)) dnl
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_mnt'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories in /mnt.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_mnt_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_dirs'($*)) dnl
gen_require(`
type mnt_t;
')
allow $1 mnt_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_mnt_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_files'($*)) dnl
gen_require(`
type mnt_t;
')
manage_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_files'($*)) dnl
')
########################################
##
## read files in /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_mnt_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_mnt_files'($*)) dnl
gen_require(`
type mnt_t;
')
read_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_mnt_files'($*)) dnl
')
######################################
##
## Read symbolic links in /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_mnt_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_mnt_symlinks'($*)) dnl
gen_require(`
type mnt_t;
')
read_lnk_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_mnt_symlinks'($*)) dnl
')
########################################
##
## Load kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_load_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_load_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
files_read_kernel_modules($1)
allow $1 modules_object_t:system module_load;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_load_kernel_modules'($*)) dnl
')
########################################
##
## Mmap kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_map_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_kernel_modules'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_mnt_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_symlinks'($*)) dnl
gen_require(`
type mnt_t;
')
manage_lnk_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_symlinks'($*)) dnl
')
########################################
##
## Search the contents of the kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir search_dir_perms;
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_kernel_modules'($*)) dnl
')
########################################
##
## List the contents of the kernel module directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_kernel_modules'($*)) dnl
')
########################################
##
## Get the attributes of kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
getattr_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_kernel_modules'($*)) dnl
')
########################################
##
## Read kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_modules'($*)) dnl
')
########################################
##
## Write kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir list_dir_perms;
write_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_kernel_modules'($*)) dnl
')
########################################
##
## Delete kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
delete_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel_modules'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## kernel module files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
manage_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_kernel_modules'($*)) dnl
')
########################################
##
## Relabel from and to kernel module files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_kernel_modules'($*)) dnl
gen_require(`
type modules_object_t;
')
relabel_files_pattern($1, modules_object_t, modules_object_t)
allow $1 modules_object_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_kernel_modules'($*)) dnl
')
########################################
##
## Create objects in the kernel module directories
## with a private type via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_kernel_modules_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_kernel_modules_filetrans'($*)) dnl
gen_require(`
type modules_object_t;
')
filetrans_pattern($1, modules_object_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_kernel_modules_filetrans'($*)) dnl
')
########################################
##
## List world-readable directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_list_world_readable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_world_readable'($*)) dnl
gen_require(`
type readable_t;
')
allow $1 readable_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_world_readable'($*)) dnl
')
########################################
##
## Read world-readable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_world_readable_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_files'($*)) dnl
gen_require(`
type readable_t;
')
allow $1 readable_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_files'($*)) dnl
')
########################################
##
## Read world-readable symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_world_readable_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_symlinks'($*)) dnl
gen_require(`
type readable_t;
')
allow $1 readable_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_symlinks'($*)) dnl
')
########################################
##
## Read world-readable named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_world_readable_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_pipes'($*)) dnl
gen_require(`
type readable_t;
')
allow $1 readable_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_pipes'($*)) dnl
')
########################################
##
## Read world-readable sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_world_readable_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_sockets'($*)) dnl
gen_require(`
type readable_t;
')
allow $1 readable_t:sock_file read_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_sockets'($*)) dnl
')
#######################################
##
## Read manageable system configuration files in /etc
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_system_conf_files'($*)) dnl
gen_require(`
type etc_t, system_conf_t;
')
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, system_conf_t)
read_lnk_files_pattern($1, etc_t, system_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_system_conf_files'($*)) dnl
')
######################################
##
## Manage manageable system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_system_conf_files'($*)) dnl
gen_require(`
type etc_t, system_conf_t;
')
manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
files_filetrans_system_conf_named_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_system_conf_files'($*)) dnl
')
#####################################
##
## File name transition for system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_filetrans_system_conf_named_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_system_conf_named_files'($*)) dnl
gen_require(`
type etc_t, system_conf_t, usr_t;
')
filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.save")
filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_system_conf_named_files'($*)) dnl
')
######################################
##
## Relabel manageable system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_system_conf_files'($*)) dnl
gen_require(`
type usr_t;
')
relabelto_files_pattern($1, system_conf_t, system_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_system_conf_files'($*)) dnl
')
######################################
##
## Relabel manageable system configuration files in /etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_system_conf_files'($*)) dnl
gen_require(`
type usr_t;
')
relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_system_conf_files'($*)) dnl
')
###################################
##
## Create files in /etc with the type used for
## the manageable system config files.
##
##
##
## The type of the process performing this action.
##
##
#
define(`files_etc_filetrans_system_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_etc_filetrans_system_conf'($*)) dnl
gen_require(`
type etc_t, system_conf_t;
')
filetrans_pattern($1, etc_t, system_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_etc_filetrans_system_conf'($*)) dnl
')
######################################
##
## Manage manageable system db files in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_system_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_system_db_files'($*)) dnl
gen_require(`
type var_lib_t, system_db_t;
')
manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
files_filetrans_system_db_named_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_system_db_files'($*)) dnl
')
######################################
##
## Watch manageable system db files in /var/db.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_system_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_system_db_files'($*)) dnl
gen_require(`
type system_db_t;
')
allow $1 system_db_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_system_db_files'($*)) dnl
')
######################################
##
## Map manageable system db files in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_map_system_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_system_db_files'($*)) dnl
gen_require(`
type system_db_t;
')
allow $1 system_db_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_system_db_files'($*)) dnl
')
#####################################
##
## File name transition for system db files in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_filetrans_system_db_named_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_system_db_named_files'($*)) dnl
gen_require(`
type var_lib_t, system_db_t;
')
filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_system_db_named_files'($*)) dnl
')
#####################################
##
## File name transition for tmp files in /.
##
##
##
## Domain allowed access.
##
##
#
define(`files_filetrans_tmp_named_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_tmp_named_files'($*)) dnl
gen_require(`
type tmp_t;
')
files_root_filetrans($1, tmp_t, dir, "tmp-inst")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_tmp_named_files'($*)) dnl
')
########################################
##
## Allow the specified type to associate
## to a filesystem with the type of the
## temporary directory (/tmp).
##
##
##
## Type of the file to associate.
##
##
#
define(`files_associate_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_associate_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
allow $1 tmp_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_associate_tmp'($*)) dnl
')
########################################
##
## Allow the specified type to associate
## to a filesystem with the type of the
## / file system
##
##
##
## Type of the file to associate.
##
##
#
define(`files_associate_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_associate_rootfs'($*)) dnl
gen_require(`
type root_t;
')
allow $1 root_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_associate_rootfs'($*)) dnl
')
########################################
##
## Get the attributes of the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
read_lnk_files_pattern($1, tmp_t, tmp_t)
allow $1 tmp_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on tmp files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_access_check_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_tmp'($*)) dnl
gen_require(`
type etc_t;
')
dontaudit $1 tmp_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the tmp directory (/tmp).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmp_dirs'($*)) dnl
')
########################################
##
## Search the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
fs_search_tmpfs($1)
read_lnk_files_pattern($1, tmp_t, tmp_t)
allow $1 tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to search the tmp directory (/tmp).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_tmp'($*)) dnl
')
########################################
##
## Read the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
read_lnk_files_pattern($1, tmp_t, tmp_t)
allow $1 tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_tmp'($*)) dnl
')
########################################
##
## Do not audit listing of the tmp directory (/tmp).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_tmp'($*)) dnl
gen_require(`
type tmp_t;
')
dontaudit $1 tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_tmp'($*)) dnl
')
#######################################
##
## Allow read and write to the tmp directory (/tmp).
##
##
##
## Domain not to audit.
##
##
#
define(`files_rw_generic_tmp_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_tmp_dir'($*)) dnl
gen_require(`
type tmp_t;
')
files_search_tmp($1)
allow $1 tmp_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_tmp_dir'($*)) dnl
')
########################################
##
## Delete generic tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
delete_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmp_files'($*)) dnl
')
########################################
##
## Delete generic tmp sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmp_sockets'($*)) dnl
gen_require(`
type tmp_t;
')
delete_sock_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmp_sockets'($*)) dnl
')
########################################
##
## Remove entries from the tmp directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_tmp_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmp_dir_entry'($*)) dnl
gen_require(`
type tmp_t;
')
files_search_tmp($1)
allow $1 tmp_t:dir del_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmp_dir_entry'($*)) dnl
')
########################################
##
## Read files in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
read_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_files'($*)) dnl
')
########################################
##
## Manage temporary directories in /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
manage_dirs_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_dirs'($*)) dnl
')
##########################################
##
## Watch generic directories in /tmp
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_generic_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_generic_tmp_dirs'($*)) dnl
')
##########################################
##
## Watch_mount generic directories in /tmp
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_mount_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_generic_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_generic_tmp_dirs'($*)) dnl
')
##########################################
##
## Watch_with_perm generic directories in /tmp
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_with_perm_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_generic_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_generic_tmp_dirs'($*)) dnl
')
########################################
##
## Allow shared library text relocations in tmp files.
##
##
##
## Allow shared library text relocations in tmp files.
##
##
## This is added to support java policy.
##
##
##
##
## Domain allowed access.
##
##
#
define(`files_execmod_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_execmod_tmp'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_execmod_tmp'($*)) dnl
')
########################################
##
## Manage temporary files and directories in /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
manage_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_files'($*)) dnl
')
#######################################
##
## Mmap temporary files
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_map_generic_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_generic_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
allow $1 tmp_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_generic_tmp_files'($*)) dnl
')
########################################
##
## Read symbolic links in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_symlinks'($*)) dnl
gen_require(`
type tmp_t;
')
read_lnk_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_symlinks'($*)) dnl
')
########################################
##
## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_generic_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_tmp_sockets'($*)) dnl
gen_require(`
type tmp_t;
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_tmp_sockets'($*)) dnl
')
########################################
##
## Relabel a dir from the type used in /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_tmp_dirs'($*)) dnl
gen_require(`
type tmp_t;
')
relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_tmp_dirs'($*)) dnl
')
########################################
##
## Relabel a file from the type used in /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_tmp_files'($*)) dnl
gen_require(`
type tmp_t;
')
relabelfrom_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_tmp_files'($*)) dnl
')
########################################
##
## Set the attributes of all tmp directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_all_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_all_tmp_dirs'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir { search_dir_perms setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_all_tmp_dirs'($*)) dnl
')
########################################
##
## Allow caller to read inherited tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_inherited_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file { append read_inherited_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_inherited_tmp_files'($*)) dnl
')
########################################
##
## Allow caller to append inherited tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_append_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_append_inherited_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_append_inherited_tmp_files'($*)) dnl
')
########################################
##
## Allow caller to read and write inherited tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_inherited_tmp_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_tmp_file'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_tmp_file'($*)) dnl
')
########################################
##
## List all tmp directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_all_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_all_tmp'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_all_tmp'($*)) dnl
')
########################################
##
## Relabel to and from all temporary
## directory types.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_all_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_tmp_dirs'($*)) dnl
gen_require(`
attribute tmpfile;
type var_t;
')
allow $1 var_t:dir search_dir_perms;
relabel_dirs_pattern($1, tmpfile, tmpfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all tmp files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
dontaudit $1 tmpfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_files'($*)) dnl
')
########################################
##
## Allow attempts to get the attributes
## of all tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_tmp_files'($*)) dnl
')
########################################
##
## Relabel to and from all temporary
## file types.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
type var_t;
')
allow $1 var_t:dir search_dir_perms;
relabel_files_pattern($1, tmpfile, tmpfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all tmp sock_file.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl
gen_require(`
attribute tmpfile;
')
dontaudit $1 tmpfile:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl
')
########################################
##
## Read all tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_tmp_files'($*)) dnl
gen_require(`
attribute tmpfile;
')
read_files_pattern($1, tmpfile, tmpfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all leaked tmpfiles files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_tmp_file_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_tmp_file_leaks'($*)) dnl
gen_require(`
attribute tmpfile;
')
dontaudit $1 tmpfile:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_tmp_file_leaks'($*)) dnl
')
########################################
##
## Do allow attempts to read or write
## all leaked tmpfiles files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_rw_tmp_file_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_tmp_file_leaks'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_tmp_file_leaks'($*)) dnl
')
########################################
##
## Create an object in the tmp directories, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_tmp_filetrans'($*)) dnl
gen_require(`
type tmp_t;
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_tmp_filetrans'($*)) dnl
')
########################################
##
## Delete the contents of /tmp.
##
##
##
## Domain allowed access.
##
##
#
define(`files_purge_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_purge_tmp'($*)) dnl
gen_require(`
attribute tmpfile;
')
allow $1 tmpfile:dir list_dir_perms;
delete_dirs_pattern($1, tmpfile, tmpfile)
delete_files_pattern($1, tmpfile, tmpfile)
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
delete_chr_files_pattern($1, tmpfile, tmpfile)
delete_blk_files_pattern($1, tmpfile, tmpfile)
files_list_isid_type_dirs($1)
files_delete_isid_type_dirs($1)
files_delete_isid_type_files($1)
files_delete_isid_type_symlinks($1)
files_delete_isid_type_fifo_files($1)
files_delete_isid_type_sock_files($1)
files_delete_isid_type_blk_files($1)
files_delete_isid_type_chr_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_purge_tmp'($*)) dnl
')
########################################
##
## Set the attributes of the /usr directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_usr_dirs'($*)) dnl
')
########################################
##
## Search the content of /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_usr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_usr'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_usr'($*)) dnl
')
########################################
##
## List the contents of generic
## directories in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_usr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_usr'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_usr'($*)) dnl
')
########################################
##
## Do not audit write of /usr dirs
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_usr_dirs'($*)) dnl
')
########################################
##
## Add and remove entries from /usr directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_usr_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to add and remove
## entries from /usr directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_usr_dirs'($*)) dnl
')
########################################
##
## Delete generic directories in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
delete_dirs_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_usr_dirs'($*)) dnl
')
########################################
##
## Manage generic directories in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
manage_dirs_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_usr_dirs'($*)) dnl
')
########################################
##
## Delete generic files in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
delete_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_usr_files'($*)) dnl
')
########################################
##
## Map files in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mmap_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mmap_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mmap_usr_files'($*)) dnl
')
########################################
##
## Get the attributes of files in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
getattr_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_usr_files'($*)) dnl
')
########################################
##
## Read generic files in /usr.
##
##
##
## Allow the specified domain to read generic
## files in /usr. These files are various program
## files that do not have more specific SELinux types.
## Some examples of these files are:
##
##
## - /usr/include/*
## - /usr/share/doc/*
## - /usr/share/info/*
##
##
## Generally, it is safe for many domains to have
## this access.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_files'($*)) dnl
')
########################################
##
## Execute generic programs in /usr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
exec_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_usr_files'($*)) dnl
')
########################################
##
## dontaudit write of /usr files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_usr_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in the /usr directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
manage_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_usr_files'($*)) dnl
')
########################################
##
## Relabel a file to the type used in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
relabelto_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_usr_files'($*)) dnl
')
########################################
##
## Relabel a file from the type used in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelfrom_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
relabelfrom_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_usr_files'($*)) dnl
')
########################################
##
## Read symbolic links in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_usr_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_symlinks'($*)) dnl
gen_require(`
type usr_t;
')
read_lnk_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_symlinks'($*)) dnl
')
########################################
##
## Create objects in the /usr directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_usr_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_usr_filetrans'($*)) dnl
gen_require(`
type usr_t;
')
filetrans_pattern($1, usr_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_usr_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to search /usr/src.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_src',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_src'($*)) dnl
gen_require(`
type src_t;
')
dontaudit $1 src_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_src'($*)) dnl
')
########################################
##
## Get the attributes of files in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_usr_src_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_usr_src_files'($*)) dnl
gen_require(`
type usr_t, src_t;
')
getattr_files_pattern($1, src_t, src_t)
# /usr/src/linux symlink:
read_lnk_files_pattern($1, usr_t, src_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_usr_src_files'($*)) dnl
')
########################################
##
## Read files in /usr/src.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_usr_src_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_src_files'($*)) dnl
gen_require(`
type usr_t, src_t;
')
allow $1 usr_t:dir search_dir_perms;
read_files_pattern($1, { usr_t src_t }, src_t)
read_lnk_files_pattern($1, { usr_t src_t }, src_t)
allow $1 src_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_src_files'($*)) dnl
')
########################################
##
## Execute programs in /usr/src in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_usr_src_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_usr_src_files'($*)) dnl
gen_require(`
type usr_t, src_t;
')
list_dirs_pattern($1, usr_t, src_t)
exec_files_pattern($1, src_t, src_t)
read_lnk_files_pattern($1, src_t, src_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_usr_src_files'($*)) dnl
')
########################################
##
## Watch generic directories in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_usr_dirs'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_usr_dirs'($*)) dnl
')
########################################
##
## Watch generic files in /usr.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_usr_files'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 usr_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_usr_files'($*)) dnl
')
########################################
##
## Install a system.map into the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_kernel_symbol_table'($*)) dnl
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
allow $1 system_map_t:file { create_file_perms rw_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_kernel_symbol_table'($*)) dnl
')
########################################
##
## Dontaudit getattr attempts on the system.map file
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_kernel_symbol_table'($*)) dnl
gen_require(`
type system_map_t;
')
dontaudit $1 system_map_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_kernel_symbol_table'($*)) dnl
')
########################################
##
## Read system.map in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_symbol_table'($*)) dnl
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir list_dir_perms;
read_files_pattern($1, boot_t, system_map_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_symbol_table'($*)) dnl
')
########################################
##
## Delete a system.map in the /boot directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel_symbol_table'($*)) dnl
gen_require(`
type boot_t, system_map_t;
')
allow $1 boot_t:dir list_dir_perms;
delete_files_pattern($1, boot_t, system_map_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel_symbol_table'($*)) dnl
')
########################################
##
## Mounton system_map directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_kernel_symbol_table'($*)) dnl
gen_require(`
type system_map_t;
')
allow $1 system_map_t:dir { mounton getattr };
allow $1 system_map_t:file { mounton getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_kernel_symbol_table'($*)) dnl
')
########################################
##
## Search the contents of /var.
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_var'($*)) dnl
gen_require(`
type var_t;
')
allow $1 var_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_var'($*)) dnl
')
########################################
##
## Do not audit attempts to write to /var.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
dontaudit $1 var_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_var_dirs'($*)) dnl
')
########################################
##
## Allow attempts to write to /var.dirs
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
allow $1 var_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_var_dirs'($*)) dnl
')
########################################
##
## Set the attributes of the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_var_dirs'($*)) dnl
gen_require(`
type usr_t;
')
allow $1 var_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_var_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the contents of /var.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var'($*)) dnl
gen_require(`
type var_t;
')
dontaudit $1 var_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var'($*)) dnl
')
########################################
##
## List the contents of /var.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_var'($*)) dnl
gen_require(`
type var_t;
')
allow $1 var_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_var'($*)) dnl
')
########################################
##
## Do not audit listing of the var directory (/var).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_var'($*)) dnl
gen_require(`
type var_t;
')
dontaudit $1 var_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_var'($*)) dnl
')
########################################
##
## Create directories
## in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
allow $1 var_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
allow $1 var_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_dirs'($*)) dnl
')
########################################
##
## Watch generic directories in /var.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
watch_dirs_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_dirs'($*)) dnl
')
########################################
##
## Read files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_files'($*)) dnl
gen_require(`
type var_t;
')
read_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_files'($*)) dnl
')
########################################
##
## Append files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_append_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_append_var_files'($*)) dnl
gen_require(`
type var_t;
')
append_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_append_var_files'($*)) dnl
')
########################################
##
## Read and write files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_var_files'($*)) dnl
gen_require(`
type var_t;
')
rw_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_var_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## files in the /var directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_var_files'($*)) dnl
gen_require(`
type var_t;
')
dontaudit $1 var_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_var_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_files'($*)) dnl
gen_require(`
type var_t;
')
manage_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_files'($*)) dnl
')
########################################
##
## Read symbolic links in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_symlinks'($*)) dnl
gen_require(`
type var_t;
')
read_lnk_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic
## links in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_symlinks'($*)) dnl
gen_require(`
type var_t;
')
manage_lnk_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_symlinks'($*)) dnl
')
########################################
##
## Create objects in the /var directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_var_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_var_filetrans'($*)) dnl
gen_require(`
type var_t;
')
filetrans_pattern($1, var_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_var_filetrans'($*)) dnl
')
########################################
##
## Relabel dirs in the /var directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_var_dirs'($*)) dnl
gen_require(`
type var_t;
')
allow $1 var_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_var_dirs'($*)) dnl
')
########################################
##
## Get the attributes of the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_var_lib_dirs'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
getattr_dirs_pattern($1, var_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_var_lib_dirs'($*)) dnl
')
########################################
##
## Search the /var/lib directory.
##
##
##
## Search the /var/lib directory. This is
## necessary to access files or directories under
## /var/lib that have a private type. For example, a
## domain accessing a private library file in the
## /var/lib directory:
##
##
## allow mydomain_t mylibfile_t:file read_file_perms;
## files_search_var_lib(mydomain_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_var_lib'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
search_dirs_pattern($1, var_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_var_lib'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## contents of /var/lib.
##
##
##
## Domain to not audit.
##
##
##
#
define(`files_dontaudit_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var_lib'($*)) dnl
gen_require(`
type var_lib_t;
')
dontaudit $1 var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var_lib'($*)) dnl
')
########################################
##
## List the contents of the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_var_lib'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
list_dirs_pattern($1, var_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_var_lib'($*)) dnl
')
###########################################
##
## Read-write /var/lib directories
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_var_lib_dirs'($*)) dnl
gen_require(`
type var_lib_t;
')
rw_dirs_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_var_lib_dirs'($*)) dnl
')
###########################################
##
## Map /var/lib directories
##
##
##
## Domain allowed access.
##
##
#
define(`files_map_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_var_lib_files'($*)) dnl
gen_require(`
type var_lib_t;
')
allow $1 var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_var_lib_files'($*)) dnl
')
########################################
##
## Create directories in /var/lib
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_lib_dirs'($*)) dnl
gen_require(`
type var_lib_t;
')
allow $1 var_lib_t:dir { create rw_dir_perms setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_lib_dirs'($*)) dnl
')
########################################
##
## Create symlinks in /var/lib
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_var_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_lib_symlinks'($*)) dnl
gen_require(`
type var_lib_t;
')
allow $1 var_lib_t:lnk_file { create write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_lib_symlinks'($*)) dnl
')
########################################
##
## Create objects in the /var/lib directory
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_var_lib_filetrans'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
filetrans_pattern($1, var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_var_lib_filetrans'($*)) dnl
')
########################################
##
## Read generic files in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_lib_files'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_lib_t:dir list_dir_perms;
read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_lib_files'($*)) dnl
')
########################################
##
## Read generic symbolic links in /var/lib
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_var_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_lib_symlinks'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_lib_symlinks'($*)) dnl
')
########################################
##
## manage generic symbolic links
## in the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_var_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_lib_symlinks'($*)) dnl
gen_require(`
type var_lib_t;
')
manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_lib_symlinks'($*)) dnl
')
########################################
##
## Watch generic directories in /var/lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_lib_dirs'($*)) dnl
gen_require(`
type var_lib_t;
')
watch_dirs_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_lib_dirs'($*)) dnl
')
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
########################################
##
## Create, read, write, and delete the
## pseudorandom number generator seed.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_urandom_seed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_urandom_seed'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
manage_files_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_urandom_seed'($*)) dnl
')
########################################
##
## Relabel to dirs in the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabelto_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_var_lib_dirs'($*)) dnl
gen_require(`
type var_lib_t;
')
allow $1 var_lib_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_var_lib_dirs'($*)) dnl
')
########################################
##
## Relabel dirs in the /var/lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_var_lib_dirs'($*)) dnl
gen_require(`
type var_lib_t;
')
allow $1 var_lib_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_var_lib_dirs'($*)) dnl
')
########################################
##
## Allow domain to manage mount tables
## necessary for rpcd, nfsd, etc.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_mounttab',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mounttab'($*)) dnl
gen_require(`
type var_t, var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
manage_files_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mounttab'($*)) dnl
')
########################################
##
## List generic lock directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_locks($1)
list_dirs_pattern($1, var_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_locks'($*)) dnl
')
########################################
##
## Search the locks directory (/var/lock).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_pids($1)
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_locks'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## locks directory (/var/lock).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_locks'($*)) dnl
gen_require(`
type var_lock_t;
')
dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_lock_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_locks'($*)) dnl
')
########################################
##
## Do not audit attempts to read/write inherited
## locks (/var/lock).
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_rw_inherited_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_inherited_locks'($*)) dnl
gen_require(`
type var_lock_t;
')
dontaudit $1 var_lock_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_inherited_locks'($*)) dnl
')
########################################
##
## Set the attributes of the /var/lock directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_lock_dirs'($*)) dnl
gen_require(`
type var_lock_t;
')
allow $1 var_lock_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_lock_dirs'($*)) dnl
')
########################################
##
## Add and remove entries in the /var/lock
## directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_lock_dirs'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_locks($1)
rw_dirs_pattern($1, var_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_lock_dirs'($*)) dnl
')
########################################
##
## Create lock directories
##
##
##
## Domain allowed access
##
##
#
define(`files_create_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_lock_dirs'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
create_dirs_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_lock_dirs'($*)) dnl
')
########################################
##
## Relabel to and from all lock directory types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_all_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_lock_dirs'($*)) dnl
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
relabel_dirs_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_lock_dirs'($*)) dnl
')
########################################
##
## Relabel to and from all lock file types.
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_all_lock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_lock_files'($*)) dnl
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
relabel_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_lock_files'($*)) dnl
')
########################################
##
## Get the attributes of generic lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_getattr_generic_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_generic_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_locks($1)
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_generic_locks'($*)) dnl
')
########################################
##
## Delete generic lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_generic_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_generic_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_locks($1)
delete_files_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_generic_locks'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_locks'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_locks($1)
manage_files_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_locks'($*)) dnl
')
########################################
##
## Delete all lock files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_all_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_locks'($*)) dnl
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
delete_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_locks'($*)) dnl
')
########################################
##
## Read all lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_all_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_locks'($*)) dnl
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
files_search_locks($1)
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_locks'($*)) dnl
')
########################################
##
## manage all lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_all_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_locks'($*)) dnl
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
files_search_locks($1)
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_locks'($*)) dnl
')
########################################
##
## Create an object in the locks directory, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_lock_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_lock_filetrans'($*)) dnl
gen_require(`
type var_t, var_lock_t;
')
files_search_locks($1)
filetrans_pattern($1, var_lock_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_lock_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_pid_dirs'($*)) dnl
gen_require(`
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_run_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_pid_dirs'($*)) dnl
')
########################################
##
## Set the attributes of the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_setattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_pid_dirs'($*)) dnl
gen_require(`
type var_run_t;
')
files_search_pids($1)
allow $1 var_run_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_pid_dirs'($*)) dnl
')
########################################
##
## Search the contents of runtime process
## ID directories (/var/run).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
allow $1 var_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_pids'($*)) dnl
')
######################################
##
## Add and remove entries from pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_pid_dirs'($*)) dnl
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_pid_dirs'($*)) dnl
')
#######################################
##
## Create generic pid directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_var_run_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_run_dirs'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_run_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_pids'($*)) dnl
gen_require(`
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to search
## the all /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
')
dontaudit $1 pidfile:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_pids'($*)) dnl
')
########################################
##
## Allow search the all /var/run directory.
##
##
##
## Domain to not audit.
##
##
#
define(`files_search_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_all_pids'($*)) dnl
')
#######################################
##
## Watch generic pid directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_var_run_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_run_dirs'($*)) dnl
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_run_dirs'($*)) dnl
')
#######################################
##
## Watch generic pid directory and its parents.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_var_run_path',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_run_path'($*)) dnl
gen_require(`
type var_run_t;
')
files_watch_root_dirs($1)
files_watch_var_run_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_run_path'($*)) dnl
')
########################################
##
## List the contents of the runtime process
## ID directories (/var/run).
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_pids'($*)) dnl
')
########################################
##
## Read generic process ID files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_pids'($*)) dnl
')
########################################
##
## Write named generic process ID pipes
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_generic_pid_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_generic_pid_pipes'($*)) dnl
gen_require(`
type var_run_t;
')
files_search_pids($1)
allow $1 var_run_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_generic_pid_pipes'($*)) dnl
')
########################################
##
## Write named generic process ID sockets
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_generic_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_generic_pid_sockets'($*)) dnl
gen_require(`
type var_run_t;
')
files_search_pids($1)
allow $1 var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_generic_pid_sockets'($*)) dnl
')
########################################
##
## Create an object in the process ID directory, with a private type.
##
##
##
## Create an object in the process ID directory (e.g., /var/run)
## with a private type. Typically this is used for creating
## private PID files in /var/run with the private type instead
## of the general PID file type. To accomplish this goal,
## either the program must be SELinux-aware, or use this interface.
##
##
## Related interfaces:
##
##
##
## Example usage with a domain that can create and
## write its PID file with a private PID file type in the
## /var/run directory:
##
##
## type mypidfile_t;
## files_pid_file(mypidfile_t)
## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
## files_pid_filetrans(mydomain_t, mypidfile_t, file)
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
##
#
define(`files_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_pid_filetrans'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
allow $1 var_t:dir search_dir_perms;
filetrans_pattern($1, var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_pid_filetrans'($*)) dnl
')
########################################
##
## Create a generic lock directory within the run directories
##
##
##
## Domain allowed access
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_pid_filetrans_lock_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_pid_filetrans_lock_dir'($*)) dnl
gen_require(`
type var_lock_t;
')
files_pid_filetrans($1, var_lock_t, dir, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_pid_filetrans_lock_dir'($*)) dnl
')
########################################
##
## rw generic pid files inherited from another process
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_inherited_generic_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_generic_pid_files'($*)) dnl
gen_require(`
type var_run_t;
')
allow $1 var_run_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_generic_pid_files'($*)) dnl
')
########################################
##
## Read and write generic process ID files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_rw_generic_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_pids'($*)) dnl
gen_require(`
type var_t, var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## daemon runtime data files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 pidfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to write to daemon runtime data files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 pidfile:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_pids'($*)) dnl
')
########################################
##
## Do not audit attempts to ioctl daemon runtime data files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_ioctl_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_ioctl_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_run_t;
')
dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
dontaudit $1 pidfile:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_ioctl_all_pids'($*)) dnl
')
########################################
##
## Relable all pid directories
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_all_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_dirs'($*)) dnl
gen_require(`
attribute pidfile;
')
relabel_dirs_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_dirs'($*)) dnl
')
########################################
##
## Delete all pid sockets
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_all_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_sockets'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:sock_file delete_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_sockets'($*)) dnl
')
########################################
##
## Create all pid sockets
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_all_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_all_pid_sockets'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:sock_file create_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_all_pid_sockets'($*)) dnl
')
########################################
##
## Create all pid named pipes
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_all_pid_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_all_pid_pipes'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:fifo_file create_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_all_pid_pipes'($*)) dnl
')
########################################
##
## Delete all pid named pipes
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_all_pid_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_pipes'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:fifo_file delete_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_pipes'($*)) dnl
')
########################################
##
## manage all pidfile directories
## in the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_all_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_pid_dirs'($*)) dnl
gen_require(`
attribute pidfile;
')
manage_dirs_pattern($1,pidfile,pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_pid_dirs'($*)) dnl
')
########################################
##
## Read all process ID files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_t;
')
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
read_lnk_files_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_pids'($*)) dnl
')
########################################
##
## mmap all process ID files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_map_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_t;
')
allow $1 pidfile:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_all_pids'($*)) dnl
')
########################################
##
## Relable all pid files
##
##
##
## Domain allowed access.
##
##
#
define(`files_relabel_all_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_files'($*)) dnl
gen_require(`
attribute pidfile;
')
relabel_files_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_files'($*)) dnl
')
########################################
##
## Execute generic programs in /var/run in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`files_exec_generic_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_generic_pid_files'($*)) dnl
gen_require(`
type var_run_t;
')
exec_files_pattern($1, var_run_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_generic_pid_files'($*)) dnl
')
########################################
##
## Write all sockets
## in the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_write_all_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_all_pid_sockets'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:sock_file write_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_all_pid_sockets'($*)) dnl
')
########################################
##
## manage all pidfiles
## in the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
')
manage_files_pattern($1,pidfile,pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_pids'($*)) dnl
')
########################################
##
## Mount filesystems on all polyinstantiation
## member directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_mounton_all_poly_members',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_all_poly_members'($*)) dnl
gen_require(`
attribute polymember;
')
allow $1 polymember:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_all_poly_members'($*)) dnl
')
########################################
##
## Delete all process IDs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_delete_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pids'($*)) dnl
gen_require(`
attribute pidfile;
type var_t, var_run_t;
')
files_search_pids($1)
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir rmdir;
allow $1 var_run_t:lnk_file delete_lnk_file_perms;
delete_files_pattern($1, pidfile, pidfile)
delete_fifo_files_pattern($1, pidfile, pidfile)
delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pids'($*)) dnl
')
########################################
##
## Delete all process ID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_all_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_dirs'($*)) dnl
gen_require(`
attribute pidfile;
type var_t, var_run_t;
')
files_search_pids($1)
allow $1 var_t:dir search_dir_perms;
delete_dirs_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_dirs'($*)) dnl
')
########################################
##
## Make the specified type a file
## used for spool files.
##
##
##
## Make the specified type usable for spool files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a spool file may result in problems with
## purging spool files.
##
##
## Related interfaces:
##
##
## - files_spool_filetrans()
##
##
## Example usage with a domain that can create and
## write its spool file in the system spool file
## directories (/var/spool):
##
##
## type myspoolfile_t;
## files_spool_file(myfile_spool_t)
## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
##
##
##
##
## Type of the file to be used as a
## spool file.
##
##
##
#
define(`files_spool_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_spool_file'($*)) dnl
gen_require(`
attribute spoolfile;
')
files_type($1)
typeattribute $1 spoolfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_spool_file'($*)) dnl
')
########################################
##
## Create all spool sockets
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_all_spool_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_all_spool_sockets'($*)) dnl
gen_require(`
attribute spoolfile;
')
allow $1 spoolfile:sock_file create_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_all_spool_sockets'($*)) dnl
')
########################################
##
## Delete all spool sockets
##
##
##
## Domain allowed access.
##
##
#
define(`files_delete_all_spool_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_spool_sockets'($*)) dnl
gen_require(`
attribute spoolfile;
')
allow $1 spoolfile:sock_file delete_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_spool_sockets'($*)) dnl
')
########################################
##
## Relabel to and from all spool
## directory types.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_relabel_all_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_spool_dirs'($*)) dnl
gen_require(`
attribute spoolfile;
type var_t;
')
relabel_dirs_pattern($1, spoolfile, spoolfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_spool_dirs'($*)) dnl
')
########################################
##
## Search the contents of generic spool
## directories (/var/spool).
##
##
##
## Domain allowed access.
##
##
#
define(`files_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
search_dirs_pattern($1, var_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_spool'($*)) dnl
')
########################################
##
## Do not audit attempts to search generic
## spool directories.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_spool'($*)) dnl
gen_require(`
type var_spool_t;
')
dontaudit $1 var_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_spool'($*)) dnl
')
########################################
##
## List the contents of generic spool
## (/var/spool) directories.
##
##
##
## Domain allowed access.
##
##
#
define(`files_list_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
list_dirs_pattern($1, var_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## spool directories (/var/spool).
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool_dirs'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
allow $1 var_t:dir search_dir_perms;
manage_dirs_pattern($1, var_spool_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_spool_dirs'($*)) dnl
')
########################################
##
## Read generic spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_read_generic_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
list_dirs_pattern($1, var_t, var_spool_t)
read_files_pattern($1, var_spool_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_spool'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
allow $1 var_t:dir search_dir_perms;
manage_files_pattern($1, var_spool_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_spool'($*)) dnl
')
########################################
##
## Create objects in the spool directory
## with a private type with a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Type to which the created node will be transitioned.
##
##
##
##
## Object class(es) (single or set including {}) for which this
## the transition will occur.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_spool_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_spool_filetrans'($*)) dnl
gen_require(`
type var_t, var_spool_t;
')
allow $1 var_t:dir search_dir_perms;
filetrans_pattern($1, var_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_spool_filetrans'($*)) dnl
')
########################################
##
## Allow access to manage all polyinstantiated
## directories on the system.
##
##
##
## Domain allowed access.
##
##
#
define(`files_polyinstantiate_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_polyinstantiate_all'($*)) dnl
gen_require(`
attribute polydir, polymember, polyparent;
type poly_t;
')
# Need to give access to /selinux/member
selinux_compute_member($1)
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin fowner };
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr relabelto };
allow $1 polydir: dir { write add_name open };
allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
fs_mount_tmpfs($1)
fs_unmount_tmpfs($1)
ifdef(`distro_redhat',`
# namespace.init
files_search_tmp($1)
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_polyinstantiate_all'($*)) dnl
')
########################################
##
## Unconfined access to files.
##
##
##
## Domain allowed access.
##
##
#
define(`files_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_unconfined'($*)) dnl
gen_require(`
attribute files_unconfined_type;
')
typeattribute $1 files_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_unconfined'($*)) dnl
')
########################################
##
## Create a core files in /
##
##
##
## Create a core file in /,
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_manage_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_root_files'($*)) dnl
gen_require(`
type root_t;
')
manage_files_pattern($1, root_t, root_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_root_files'($*)) dnl
')
########################################
##
## Create a default directory
##
##
##
## Create a default_t direcrory
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_create_default_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_default_dir'($*)) dnl
gen_require(`
type default_t;
')
allow $1 default_t:dir create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_default_dir'($*)) dnl
')
########################################
##
## Create, default_t objects with an automatic
## type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object being created.
##
##
#
define(`files_root_filetrans_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_root_filetrans_default'($*)) dnl
gen_require(`
type root_t, default_t;
')
filetrans_pattern($1, root_t, default_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_root_filetrans_default'($*)) dnl
')
########################################
##
## Create, lib_t objects with an automatic
## type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Type of the directory to be transitioned from
##
##
##
##
## The class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`files_filetrans_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_lib'($*)) dnl
gen_require(`
type lib_t, lib_t;
')
filetrans_pattern($1, $2, lib_t, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_lib'($*)) dnl
')
########################################
##
## Watch generic directories in /lib.
##
##
##
## Domain allowed access.
##
##
#
define(`files_watch_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_lib_dirs'($*)) dnl
')
########################################
##
## manage generic symbolic links
## in the /var/run directory.
##
##
##
## Domain allowed access.
##
##
#
define(`files_manage_generic_pids_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_pids_symlinks'($*)) dnl
gen_require(`
type var_run_t;
')
manage_lnk_files_pattern($1,var_run_t,var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_pids_symlinks'($*)) dnl
')
##########################################
##
## Watch the pidfile files and directories
##
##
##
## Domain allowed access
##
##
#
define(`files_watch_all_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_all_pid'($*)) dnl
gen_require(`
attribute pidfile;
')
allow $1 pidfile:dir watch_dir_perms;
allow $1 pidfile:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_all_pid'($*)) dnl
')
########################################
##
## Do not audit attempts to getattr
## all tmpfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_getattr_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmpfs_files'($*)) dnl
gen_require(`
attribute tmpfsfile;
')
allow $1 tmpfsfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmpfs_files'($*)) dnl
')
########################################
##
## Allow delete all tmpfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_delete_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmpfs_files'($*)) dnl
gen_require(`
attribute tmpfsfile;
')
allow $1 tmpfsfile:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmpfs_files'($*)) dnl
')
########################################
##
## Allow read write all tmpfs files
##
##
##
## Domain to not audit.
##
##
#
define(`files_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_tmpfs_files'($*)) dnl
gen_require(`
attribute tmpfsfile;
')
allow $1 tmpfsfile:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read security files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_read_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_security_files'($*)) dnl
gen_require(`
attribute security_file_type;
')
dontaudit $1 security_file_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_security_files'($*)) dnl
')
########################################
##
## Do not audit attempts to search security files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_search_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_security_files'($*)) dnl
gen_require(`
attribute security_file_type;
')
dontaudit $1 security_file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_security_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read security dirs
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_list_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_security_dirs'($*)) dnl
gen_require(`
attribute security_file_type;
')
dontaudit $1 security_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_security_dirs'($*)) dnl
')
########################################
##
## rw any files inherited from another process
##
##
##
## Domain allowed access.
##
##
##
##
## Object type.
##
##
#
define(`files_rw_all_inherited_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_all_inherited_files'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 { file_type $2 }:file rw_inherited_file_perms;
allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_all_inherited_files'($*)) dnl
')
########################################
##
## Allow any file point to be the entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_entrypoint_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_entrypoint_all_files'($*)) dnl
gen_require(`
attribute file_type;
type unlabeled_t;
')
allow $1 {file_type -unlabeled_t} :file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_entrypoint_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to rw inherited file perms
## of non security files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_all_non_security_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_all_non_security_leaks'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_all_non_security_leaks'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all leaked files.
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_leaks'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:file rw_inherited_file_perms;
dontaudit $1 file_type:lnk_file { read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_leaks'($*)) dnl
')
########################################
##
## Allow domain to create_file_ass all types
##
##
##
## Domain allowed access.
##
##
#
define(`files_create_as_is_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_as_is_all_files'($*)) dnl
gen_require(`
attribute file_type;
class kernel_service create_files_as;
')
allow $1 file_type:kernel_service create_files_as;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_as_is_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on all files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_all_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_all_access_check'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_all_access_check'($*)) dnl
')
########################################
##
## Do not audit attempts to write to all files
##
##
##
## Domain to not audit.
##
##
#
define(`files_dontaudit_write_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
dontaudit $1 file_type:dir_file_class_set write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_files'($*)) dnl
')
########################################
##
## Allow domain to delete to all files
##
##
##
## Domain to not audit.
##
##
#
define(`files_delete_all_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_non_security_files'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir del_entry_dir_perms;
allow $1 non_security_file_type:file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_non_security_files'($*)) dnl
')
########################################
##
## Allow domain to delete to all dirs
##
##
##
## Domain to not audit.
##
##
#
define(`files_delete_all_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_non_security_dirs'($*)) dnl
gen_require(`
attribute non_security_file_type;
')
allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_non_security_dirs'($*)) dnl
')
########################################
##
## Transition named content in the var_run_t directory
##
##
##
## Domain allowed access.
##
##
#
define(`files_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_named_content'($*)) dnl
gen_require(`
type etc_t;
type mnt_t;
type usr_t;
type tmp_t;
type var_t;
type var_run_t;
type var_lock_t;
type tmp_t;
type system_conf_t;
')
files_pid_filetrans($1, mnt_t, dir, "media")
files_root_filetrans($1, etc_runtime_t, file, ".readahead")
files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
files_root_filetrans($1, etc_runtime_t, dir, "oldroot")
files_root_filetrans($1, etc_runtime_t, file, ".profile")
files_root_filetrans($1, mnt_t, dir, "afs")
files_root_filetrans($1, mnt_t, dir, "misc")
files_root_filetrans($1, mnt_t, dir, "net")
files_root_filetrans($1, usr_t, dir, "export")
files_root_filetrans($1, usr_t, dir, "opt")
files_root_filetrans($1, usr_t, dir, "ostree")
files_root_filetrans($1, usr_t, dir, "emul")
files_root_filetrans($1, var_t, dir, "srv")
files_root_filetrans($1, var_run_t, dir, "run")
files_root_filetrans($1, var_run_t, lnk_file, "run")
files_root_filetrans($1, var_lock_t, lnk_file, "lock")
files_root_filetrans($1, tmp_t, dir, "sandbox")
files_root_filetrans($1, tmp_t, dir, "tmp")
files_root_filetrans($1, var_t, dir, "nsr")
files_etc_filetrans($1, etc_t, file, "system-auth-ac")
files_etc_filetrans($1, etc_t, file, "postlogin-ac")
files_etc_filetrans($1, etc_t, file, "password-auth-ac")
files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
files_etc_filetrans($1, etc_t, file, "hwdb.bin")
files_etc_filetrans_etc_runtime($1, file, ".updated")
files_etc_filetrans_etc_runtime($1, file, "runtime")
files_etc_filetrans_etc_runtime($1, dir, "blkid")
files_etc_filetrans_etc_runtime($1, dir, "cmtab")
files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
files_etc_filetrans_etc_runtime($1, file, "nologin")
files_etc_filetrans_etc_runtime($1, file, "securetty")
files_etc_filetrans_etc_runtime($1, file, "ifstate")
files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
files_etc_filetrans_etc_runtime($1, file, "hwconf")
filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.save")
files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
files_var_filetrans($1, tmp_t, dir, "tmp")
files_var_filetrans($1, var_run_t, dir, "run")
files_var_filetrans($1, etc_runtime_t, file, ".updated")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_named_content'($*)) dnl
')
########################################
##
## Make the specified type a
## base file.
##
##
##
## Identify file type as base file type. Tools will use this attribute,
## to help users diagnose problems.
##
##
##
##
## Type to be used as a base files.
##
##
##
#
define(`files_base_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_base_file'($*)) dnl
gen_require(`
attribute base_file_type;
')
files_type($1)
typeattribute $1 base_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_base_file'($*)) dnl
')
########################################
##
## Make the specified type a
## base read only file.
##
##
##
## Make the specified type readable for all domains.
##
##
##
##
## Type to be used as a base read only files.
##
##
##
#
define(`files_ro_base_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_ro_base_file'($*)) dnl
gen_require(`
attribute base_ro_file_type;
')
files_base_file($1)
typeattribute $1 base_ro_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_ro_base_file'($*)) dnl
')
########################################
##
## Read all ro base files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_read_all_base_ro_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_base_ro_files'($*)) dnl
gen_require(`
attribute base_ro_file_type;
')
list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
read_files_pattern($1, base_ro_file_type, base_ro_file_type)
read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_base_ro_files'($*)) dnl
')
########################################
##
## Execute all base ro files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`files_exec_all_base_ro_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_all_base_ro_files'($*)) dnl
gen_require(`
attribute base_ro_file_type;
')
can_exec($1, base_ro_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_all_base_ro_files'($*)) dnl
')
########################################
##
## Allow the specified domain to modify the systemd configuration of
## any file.
##
##
##
## Domain allowed access.
##
##
#
define(`files_config_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_config_all_files'($*)) dnl
gen_require(`
attribute file_type;
')
allow $1 file_type:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_config_all_files'($*)) dnl
')
########################################
##
## Get the status of etc_t files
##
##
##
## Domain allowed access.
##
##
#
define(`files_status_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_status_etc'($*)) dnl
gen_require(`
type etc_t;
')
allow $1 etc_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_status_etc'($*)) dnl
')
########################################
##
## Dontaudit Mount a modules_object_t
##
##
##
## Domain allowed access.
##
##
#
define(`files_dontaudit_mounton_modules_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_mounton_modules_object'($*)) dnl
gen_require(`
type modules_object_t;
')
allow $1 modules_object_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_mounton_modules_object'($*)) dnl
')
## Policy for filesystems.
##
## Contains the initial SID for the filesystems.
##
########################################
##
## Transform specified type into a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_type'($*)) dnl
gen_require(`
attribute filesystem_type;
')
typeattribute $1 filesystem_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_type'($*)) dnl
')
########################################
##
## Transform specified type into a filesystem
## type which does not have extended attribute
## support.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_noxattr_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_noxattr_type'($*)) dnl
gen_require(`
attribute noxattrfs;
')
fs_type($1)
typeattribute $1 noxattrfs;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_noxattr_type'($*)) dnl
')
########################################
##
## Associate the specified file type to persistent
## filesystems with extended attributes. This
## allows a file of this type to be created on
## a filesystem such as ext3, JFS, and XFS.
##
##
##
## The type of the to be associated.
##
##
#
define(`fs_associate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate'($*)) dnl
')
########################################
##
## Associate the specified file type to
## filesystems which lack extended attributes
## support. This allows a file of this type
## to be created on a filesystem such as
## FAT32, and NFS.
##
##
##
## The type of the to be associated.
##
##
#
define(`fs_associate_noxattr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_noxattr'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_noxattr'($*)) dnl
')
########################################
##
## Execute files on a filesystem that does
## not support extended attributes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_noxattr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_noxattr'($*)) dnl
gen_require(`
attribute noxattrfs;
')
can_exec($1, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_noxattr'($*)) dnl
')
########################################
##
## Mount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_xattr_fs'($*)) dnl
')
########################################
##
## Remount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_xattr_fs'($*)) dnl
')
########################################
##
## Unmount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_xattr_fs'($*)) dnl
')
########################################
##
## Mount, remount, unmount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_all_mount_fs_perms_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_all_mount_fs_perms_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem mount_fs_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_all_mount_fs_perms_xattr_fs'($*)) dnl
')
########################################
##
## Get the attributes of persistent
## filesystems which have extended
## attributes, such as ext3, JFS, or XFS.
##
##
##
## Allow the specified domain to
## get the attributes of a persistent
## filesystems which have extended
## attributes, such as ext3, JFS, or XFS.
## Example attributes:
##
##
## - Type of the file system (e.g., ext3)
## - Size of the file system
## - Available space on the file system
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`fs_getattr_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_xattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to
## get the attributes of a persistent
## filesystem which has extended
## attributes, such as ext3, JFS, or XFS.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
dontaudit $1 fs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_xattr_fs'($*)) dnl
')
########################################
##
## Allow changing of the label of a
## filesystem with extended attributes
## using the context= mount option.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_xattr_fs'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_xattr_fs'($*)) dnl
')
########################################
##
## Get the filesystem quotas of a filesystem
## with extended attributes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_get_xattr_fs_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_get_xattr_fs_quotas'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem quotaget;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_get_xattr_fs_quotas'($*)) dnl
')
########################################
##
## Set the filesystem quotas of a filesystem
## with extended attributes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_set_xattr_fs_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_set_xattr_fs_quotas'($*)) dnl
gen_require(`
type fs_t;
')
allow $1 fs_t:filesystem quotamod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_set_xattr_fs_quotas'($*)) dnl
')
########################################
##
## Read files on anon_inodefs file systems. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_anon_inodefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_anon_inodefs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_anon_inodefs_files'($*)) dnl
')
########################################
##
## Read and write files on anon_inodefs
## file systems. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_anon_inodefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_anon_inodefs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_anon_inodefs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write files on
## anon_inodefs file systems. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_anon_inodefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_anon_inodefs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_anon_inodefs_files'($*)) dnl
')
########################################
##
## Mount an automount pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_autofs'($*)) dnl
')
########################################
##
## Remount an automount pseudo filesystem
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_autofs'($*)) dnl
')
########################################
##
## Unmount an automount pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_autofs'($*)) dnl
')
########################################
##
## Get the attributes of an automount
## pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_autofs'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_autofs'($*)) dnl
')
########################################
##
## Search automount filesystem to use automatically
## mounted filesystems.
##
##
## Allow the specified domain to search mount points
## that have filesystems that are mounted by
## the automount service. Generally this will
## be required for any domain that accesses objects
## on these filesystems.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_search_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_auto_mountpoints'($*)) dnl
')
########################################
##
## Read directories of automatically
## mounted filesystems.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_list_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_auto_mountpoints'($*)) dnl
')
########################################
##
## Do not audit attempts to list directories of automatically
## mounted filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
dontaudit $1 autofs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_auto_mountpoints'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## on an autofs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_autofs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_autofs_symlinks'($*)) dnl
gen_require(`
type autofs_t;
')
manage_lnk_files_pattern($1, autofs_t, autofs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_autofs_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of directories on
## binfmt_misc filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_binfmt_misc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_binfmt_misc_dirs'($*)) dnl
gen_require(`
type binfmt_misc_fs_t;
')
allow $1 binfmt_misc_fs_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_binfmt_misc_dirs'($*)) dnl
')
########################################
##
## Read binfmt_misc filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_binfmt_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_binfmt_misc'($*)) dnl
gen_require(`
type binfmt_misc_fs_t;
')
read_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_binfmt_misc'($*)) dnl
')
########################################
##
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
## support.
##
##
##
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
## support.
##
##
## A common use for this is to
## register a JVM as an interpreter for
## Java byte code. Registered binaries
## can be directly executed on a command line
## without specifying the interpreter.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_register_binary_executable_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_register_binary_executable_type'($*)) dnl
gen_require(`
type binfmt_misc_fs_t;
')
rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_register_binary_executable_type'($*)) dnl
')
########################################
##
## Manage bpf directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_bpf_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_bpf_dirs'($*)) dnl
gen_require(`
type bpf_t;
')
manage_dirs_pattern($1, bpf_t, bpf_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_bpf_dirs'($*)) dnl
')
########################################
##
## Read bpf files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_bpf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_bpf_files'($*)) dnl
gen_require(`
type bpf_t;
')
manage_files_pattern($1, bpf_t, bpf_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_bpf_files'($*)) dnl
')
########################################
##
## Mount cgroup filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_cgroup'($*)) dnl
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_cgroup'($*)) dnl
')
########################################
##
## Allow the type to associate to cgroup filesystems.
##
##
##
## The type of the object to be associated.
##
##
#
define(`fs_associate_cgroupfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_cgroupfs'($*)) dnl
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_cgroupfs'($*)) dnl
')
########################################
##
## Remount cgroup filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_cgroup'($*)) dnl
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_cgroup'($*)) dnl
')
########################################
##
## Unmount cgroup filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_cgroup'($*)) dnl
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_cgroup'($*)) dnl
')
########################################
##
## Get attributes of cgroup filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cgroup'($*)) dnl
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cgroup'($*)) dnl
')
########################################
##
## Get attributes of cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
getattr_files_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cgroup_files'($*)) dnl
')
########################################
##
## Search cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
search_dirs_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_cgroup_dirs'($*)) dnl
')
########################################
##
## Relabel cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
relabel_dirs_pattern($1, cgroup_t, cgroup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_cgroup_dirs'($*)) dnl
')
########################################
##
## list cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_cgroup_dirs'($*)) dnl
')
#######################################
##
## Do not audit attempts to search cgroup directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_search_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_search_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
dontaudit $1 cgroup_t:dir search_dir_perms;
dev_dontaudit_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_search_cgroup_dirs'($*)) dnl
')
########################################
##
## Delete cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_delete_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_delete_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
delete_dirs_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_delete_cgroup_dirs'($*)) dnl
')
########################################
##
## Manage cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
manage_dirs_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cgroup_dirs'($*)) dnl
')
########################################
##
## Watch cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_cgroup_dirs'($*)) dnl
gen_require(`
type cgroup_t;
')
watch_dirs_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_cgroup_dirs'($*)) dnl
')
########################################
##
## Read cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
read_files_pattern($1, cgroup_t, cgroup_t)
read_lnk_files_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cgroup_files'($*)) dnl
')
########################################
##
## Write cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_write_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
write_files_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_write_cgroup_files'($*)) dnl
')
########################################
##
## Read and write cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
read_lnk_files_pattern($1, cgroup_t, cgroup_t)
rw_files_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_cgroup_files'($*)) dnl
')
########################################
##
## Do not audit attempts to open,
## get attributes, read and write
## cgroup files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
dontaudit $1 cgroup_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cgroup_files'($*)) dnl
')
########################################
##
## Relabel cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
relabel_files_pattern($1, cgroup_t, cgroup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_cgroup_files'($*)) dnl
')
########################################
##
## Create cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_create_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_create_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
dev_search_sysfs($1)
create_files_pattern($1, cgroup_t, cgroup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_create_cgroup_files'($*)) dnl
')
########################################
##
## Manage cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
manage_files_pattern($1, cgroup_t, cgroup_t)
manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cgroup_files'($*)) dnl
')
########################################
##
## Watch cgroup files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_cgroup_files'($*)) dnl
gen_require(`
type cgroup_t;
')
watch_files_pattern($1, cgroup_t, cgroup_t)
watch_lnk_files_pattern($1, cgroup_t, cgroup_t)
fs_search_tmpfs($1)
dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_cgroup_files'($*)) dnl
')
########################################
##
## Mount on cgroup directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mounton_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_cgroup'($*)) dnl
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_cgroup'($*)) dnl
')
########################################
##
## Read and write ceph files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_cephfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_cephfs_files'($*)) dnl
gen_require(`
type cephfs_t;
')
rw_files_pattern($1, cephfs_t, cephfs_t)
rw_lnk_files_pattern($1, cephfs_t, cephfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_cephfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## dirs on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs_dirs'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs_dirs'($*)) dnl
')
########################################
##
## Mount a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_cifs'($*)) dnl
')
########################################
##
## Remount a CIFS or SMB network filesystem.
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_cifs'($*)) dnl
')
########################################
##
## Unmount a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_cifs'($*)) dnl
')
########################################
##
## Get the attributes of a CIFS or
## SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cifs'($*)) dnl
')
########################################
##
## Set the attributes of cifs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_cifs_dirs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_cifs_dirs'($*)) dnl
')
########################################
##
## Search directories on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_cifs'($*)) dnl
')
########################################
##
## List the contents of directories on a
## CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_cifs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the contents
## of directories on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs'($*)) dnl
')
########################################
##
## Mounton a CIFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mounton_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_cifs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_cifs'($*)) dnl
')
########################################
##
## Read files on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir list_dir_perms;
read_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_files'($*)) dnl
')
########################################
##
## Get the attributes of filesystems that
## do not have extended attribute support.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_noxattr_fs'($*)) dnl
')
########################################
##
## Read all noxattrfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_noxattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to list all
## noxattrfs directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
dontaudit $1 noxattrfs:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_noxattr_fs'($*)) dnl
')
########################################
##
## Create, read, write, and delete all noxattrfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_noxattr_fs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_dirs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_dirs'($*)) dnl
')
########################################
##
## Read all noxattrfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
read_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_files'($*)) dnl
')
########################################
##
## Read/Write all inherited noxattrfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_inherited_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_noxattr_fs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read all
## noxattrfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
dontaudit $1 noxattrfs:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_noxattr_fs_files'($*)) dnl
')
########################################
##
## Dont audit attempts to write to noxattrfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_write_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
dontaudit $1 noxattrfs:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_noxattr_fs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete all noxattrfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_files'($*)) dnl
gen_require(`
attribute noxattrfs;
')
manage_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_files'($*)) dnl
')
########################################
##
## Read all noxattrfs symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_noxattr_fs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_symlinks'($*)) dnl
gen_require(`
attribute noxattrfs;
')
read_lnk_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_symlinks'($*)) dnl
')
########################################
##
## Relabel all objets from filesystems that
## do not support extended attributes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_noxattr_fs'($*)) dnl
gen_require(`
attribute noxattrfs;
')
allow $1 noxattrfs:dir list_dir_perms;
relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs)
relabelfrom_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_noxattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## files on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_cifs_files'($*)) dnl
')
########################################
##
## Append files
## on a CIFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_append_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_append_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
append_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_append_cifs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append files
## on a CIFS filesystem.
##
##
##
## Domain to not audit.
##
##
##
#
define(`fs_dontaudit_append_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_cifs_files'($*)) dnl
')
########################################
##
## Read inherited files on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_inherited_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_inherited_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_inherited_cifs_files'($*)) dnl
')
########################################
##
## Read/Write inherited files on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_inherited_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_cifs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cifs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a CIFS or SMB filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_cifs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_symlinks'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir list_dir_perms;
read_lnk_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_symlinks'($*)) dnl
')
########################################
##
## Read named pipes
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_cifs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_named_pipes'($*)) dnl
gen_require(`
type cifs_t;
')
read_fifo_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_named_pipes'($*)) dnl
')
########################################
##
## Read named pipes
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_cifs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_named_sockets'($*)) dnl
gen_require(`
type cifs_t;
')
read_sock_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_named_sockets'($*)) dnl
')
########################################
##
## Execute files on a CIFS or SMB
## network filesystem, in the caller
## domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir list_dir_perms;
exec_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_cifs_files'($*)) dnl
')
########################################
##
## Mmap files on a CIFS or SMB
## network filesystem, in the caller
## domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_map_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_map_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_map_cifs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_dirs'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete directories
## on a CIFS or SMB network filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_dirs'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
manage_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete files
## on a CIFS or SMB network filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_files'($*)) dnl
gen_require(`
type cifs_t;
')
dontaudit $1 cifs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cifs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_symlinks'($*)) dnl
gen_require(`
type cifs_t;
')
manage_lnk_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete named pipes
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cifs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_pipes'($*)) dnl
gen_require(`
type cifs_t;
')
manage_fifo_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete named sockets
## on a CIFS or SMB network filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_cifs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_sockets'($*)) dnl
gen_require(`
type cifs_t;
')
manage_sock_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_sockets'($*)) dnl
')
########################################
##
## Execute a file on a CIFS or SMB filesystem
## in the specified domain.
##
##
##
## Execute a file on a CIFS or SMB filesystem
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## home directories on CIFS/SMB filesystems,
## in particular used by the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`fs_cifs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_domtrans'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:dir search_dir_perms;
domain_auto_transition_pattern($1, cifs_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_domtrans'($*)) dnl
')
########################################
##
## Make general progams in cifs an entrypoint for
## the specified domain.
##
##
##
## The domain for which cifs_t is an entrypoint.
##
##
#
define(`fs_cifs_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_entry_type'($*)) dnl
gen_require(`
type cifs_t;
')
domain_entry_file($1, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_entry_type'($*)) dnl
')
########################################
##
## Make general progams in CIFS an entrypoint for
## the specified domain.
##
##
##
## The domain for which cifs_t is an entrypoint.
##
##
#
define(`fs_cifs_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_entrypoint'($*)) dnl
gen_require(`
type cifs_t;
')
allow $1 cifs_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_entrypoint'($*)) dnl
')
#######################################
##
## dontaudit write dirs
## on a configfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_write_configfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_configfs_dirs'($*)) dnl
gen_require(`
type configfs_t;
')
dontaudit $1 configfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_configfs_dirs'($*)) dnl
')
#######################################
##
## Read dirs
## on a configfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_configfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_configfs_dirs'($*)) dnl
gen_require(`
type configfs_t;
')
list_dirs_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_configfs_dirs'($*)) dnl
')
#######################################
##
## Create, read, write, and delete dirs
## on a configfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_configfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_dirs'($*)) dnl
gen_require(`
type configfs_t;
')
manage_dirs_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_configfs_dirs'($*)) dnl
')
#######################################
##
## Read files
## on a configfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_configfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_configfs_files'($*)) dnl
gen_require(`
type configfs_t;
')
read_files_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_configfs_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete files
## on a configfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_configfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_files'($*)) dnl
gen_require(`
type configfs_t;
')
manage_files_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_configfs_files'($*)) dnl
')
#######################################
##
## Create, read, write, and delete files
## on a configfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_configfs_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_lnk_files'($*)) dnl
gen_require(`
type configfs_t;
')
manage_lnk_files_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_configfs_lnk_files'($*)) dnl
')
########################################
##
## Unmount a configfs filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_configfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_configfs'($*)) dnl
gen_require(`
type configfs_t;
')
allow $1 configfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_configfs'($*)) dnl
')
########################################
##
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_dos_fs'($*)) dnl
')
########################################
##
## Remount a DOS filesystem, such as
## FAT32 or NTFS. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_dos_fs'($*)) dnl
')
########################################
##
## Unmount a DOS filesystem, such as
## FAT32 or NTFS.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_dos_fs'($*)) dnl
')
########################################
##
## Get the attributes of a DOS
## filesystem, such as FAT32 or NTFS.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_dos_fs'($*)) dnl
')
########################################
##
## Allow changing of the label of a
## DOS filesystem using the context= mount option.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_dos_fs'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_dos_fs'($*)) dnl
')
########################################
##
## Search dosfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_dos',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_dos'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_dos'($*)) dnl
')
########################################
##
## List dirs DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_dos',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_dos'($*)) dnl
gen_require(`
type dosfs_t;
')
list_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_dos'($*)) dnl
')
########################################
##
## Create, read, write, and delete dirs
## on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_dos_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_dos_dirs'($*)) dnl
gen_require(`
type dosfs_t;
')
manage_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_dos_dirs'($*)) dnl
')
########################################
##
## Watch_mount dirs on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_mount_dos_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_mount_dos_dirs'($*)) dnl
gen_require(`
type dosfs_t;
')
watch_mount_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_mount_dos_dirs'($*)) dnl
')
########################################
##
## Watch_with_perm dirs on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_with_perm_dos_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_with_perm_dos_dirs'($*)) dnl
gen_require(`
type dosfs_t;
')
watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_with_perm_dos_dirs'($*)) dnl
')
########################################
##
## Mmap files on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_map_dos_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_map_dos_files'($*)) dnl
gen_require(`
type dosfs_t;
')
allow $1 dosfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_map_dos_files'($*)) dnl
')
########################################
##
## Read files on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_dos_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_dos_files'($*)) dnl
gen_require(`
type dosfs_t;
')
read_files_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_dos_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a DOS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_dos_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_dos_files'($*)) dnl
gen_require(`
type dosfs_t;
')
manage_files_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_dos_files'($*)) dnl
')
########################################
##
## Read eventpollfs files.
##
##
##
## Read eventpollfs files
##
##
## This interface has been deprecated, and will
## be removed in the future.
##
##
##
##
## Domain allowed access.
##
##
#
# eventpollfs was changed to task SID 20060628
define(`fs_read_eventpollfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_eventpollfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_eventpollfs'($*)) dnl
')
#######################################
##
## Search directories
## on a ecrypt filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_ecryptfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_ecryptfs'($*)) dnl
gen_require(`
type ecryptfs_t;
')
allow $1 ecryptfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_ecryptfs'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_ecryptfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ecryptfs_dirs'($*)) dnl
gen_require(`
type ecryptfs_t;
')
manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
allow $1 ecryptfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ecryptfs_dirs'($*)) dnl
')
#######################################
##
## Create, read, write, and delete files
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_ecryptfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_ecryptfs_files'($*)) dnl
gen_require(`
type ecryptfs_t;
')
read_files_pattern($1, ecryptfs_t, ecryptfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_ecryptfs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_ecryptfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ecryptfs_files'($*)) dnl
gen_require(`
type ecryptfs_t;
')
manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
allow $1 ecryptfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ecryptfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete files
## on a FUSEFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_ecryptfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_ecryptfs_files'($*)) dnl
gen_require(`
type ecryptfs_t;
')
dontaudit $1 ecryptfs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_ecryptfs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_ecryptfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_ecryptfs_symlinks'($*)) dnl
gen_require(`
type ecryptfs_t;
')
allow $1 ecryptfs_t:dir list_dir_perms;
read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_ecryptfs_symlinks'($*)) dnl
')
#######################################
##
## Dontaudit append files on ecrypt filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_append_ecryptfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_ecryptfs_files'($*)) dnl
gen_require(`
type ecryptfs_t;
')
dontaudit $1 ecryptfs_t:file append;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_ecryptfs_files'($*)) dnl
')
########################################
##
## Manage symbolic links on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ecryptfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ecryptfs_symlinks'($*)) dnl
gen_require(`
type ecryptfs_t;
')
manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ecryptfs_symlinks'($*)) dnl
')
########################################
##
## Execute a file on a FUSE filesystem
## in the specified domain.
##
##
##
## Execute a file on a FUSE filesystem
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## home directories on FUSE filesystems,
## in particular used by the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`fs_ecryptfs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_ecryptfs_domtrans'($*)) dnl
gen_require(`
type ecryptfs_t;
')
allow $1 ecryptfs_t:dir search_dir_perms;
domain_auto_transition_pattern($1, ecryptfs_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_ecryptfs_domtrans'($*)) dnl
')
########################################
##
## Mount a FUSE filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_fusefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_fusefs'($*)) dnl
')
########################################
##
## Unmount a FUSE filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_fusefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_fusefs'($*)) dnl
')
########################################
##
## Mounton a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mounton_fusefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_fusefs'($*)) dnl
')
########################################
##
## Search directories
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_search_fusefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_fusefs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the contents
## of directories on a FUSEFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_fusefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
dontaudit $1 fusefs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_fusefs'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_fusefs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_dirs'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete directories
## on a FUSEFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_fusefs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_fusefs_dirs'($*)) dnl
gen_require(`
type fusefs_t;
')
dontaudit $1 fusefs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_fusefs_dirs'($*)) dnl
')
########################################
##
## Read, a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_fusefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
read_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_fusefs_files'($*)) dnl
')
########################################
##
## Execute files on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_fusefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
exec_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_fusefs_files'($*)) dnl
')
########################################
##
## mmap files on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_mmap_fusefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mmap_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mmap_fusefs_files'($*)) dnl
')
#########################################
##
## Create, read, write, and delete named sockets
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_fusefs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_named_sockets'($*)) dnl
gen_require(`
type fusefs_t;
')
manage_sock_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_named_sockets'($*)) dnl
')
#########################################
##
## Create, read, write, and delete named pipes
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
define(`fs_manage_fusefs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_named_pipes'($*)) dnl
gen_require(`
type fusefs_t;
')
manage_fifo_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_named_pipes'($*)) dnl
')
########################################
##
## Make general progams in FUSEFS an entrypoint for
## the specified domain.
##
##
##
## The domain for which fusefs_t is an entrypoint.
##
##
#
define(`fs_fusefs_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_fusefs_entry_type'($*)) dnl
gen_require(`
type fusefs_t;
')
domain_entry_file($1, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_fusefs_entry_type'($*)) dnl
')
########################################
##
## Make general progams in FUSEFS an entrypoint for
## the specified domain.
##
##
##
## The domain for which fusefs_t is an entrypoint.
##
##
#
define(`fs_fusefs_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_fusefs_entrypoint'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_fusefs_entrypoint'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_fusefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
manage_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete files
## on a FUSEFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_fusefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_fusefs_files'($*)) dnl
gen_require(`
type fusefs_t;
')
dontaudit $1 fusefs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_fusefs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_fusefs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_symlinks'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir list_dir_perms;
read_lnk_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_fusefs_symlinks'($*)) dnl
')
########################################
##
## Manage symbolic links on a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_fusefs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_symlinks'($*)) dnl
gen_require(`
type fusefs_t;
')
manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_symlinks'($*)) dnl
')
########################################
##
## Execute a file on a FUSE filesystem
## in the specified domain.
##
##
##
## Execute a file on a FUSE filesystem
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## home directories on FUSE filesystems,
## in particular used by the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`fs_fusefs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_fusefs_domtrans'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir search_dir_perms;
domain_auto_transition_pattern($1, fusefs_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_fusefs_domtrans'($*)) dnl
')
########################################
##
## Get the attributes of a FUSEFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_fusefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_fusefs'($*)) dnl
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_fusefs'($*)) dnl
')
########################################
##
## Get the attributes of an hugetlbfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_hugetlbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_hugetlbfs'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_hugetlbfs'($*)) dnl
')
########################################
##
## List hugetlbfs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_hugetlbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_hugetlbfs'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_hugetlbfs'($*)) dnl
')
########################################
##
## Manage hugetlbfs dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_hugetlbfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_hugetlbfs_dirs'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_hugetlbfs_dirs'($*)) dnl
')
########################################
##
## Read hugetlbfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_hugetlbfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_hugetlbfs_files'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_hugetlbfs_files'($*)) dnl
')
########################################
##
## Read and write hugetlbfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_hugetlbfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_hugetlbfs_files'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:file map;
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_hugetlbfs_files'($*)) dnl
')
########################################
##
## Manage hugetlbfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_hugetlbfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_hugetlbfs_files'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_hugetlbfs_files'($*)) dnl
')
########################################
##
## Execute hugetlbfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_exec_hugetlbfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_hugetlbfs_files'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:dir list_dir_perms;
exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_hugetlbfs_files'($*)) dnl
')
########################################
##
## Allow the type to associate to hugetlbfs filesystems.
##
##
##
## The type of the object to be associated.
##
##
#
define(`fs_associate_hugetlbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_hugetlbfs'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_hugetlbfs'($*)) dnl
')
########################################
##
## List oracleasmfs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_oracleasmfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_oracleasmfs'($*)) dnl
gen_require(`
type oracleasmfs_t;
')
allow $1 oracleasmfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_oracleasmfs'($*)) dnl
')
########################################
##
## Get the attributes of an oracleasmfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_oracleasmfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_oracleasmfs_fs'($*)) dnl
gen_require(`
type oracleasmfs_t;
')
allow $1 oracleasmfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_oracleasmfs_fs'($*)) dnl
')
########################################
##
## Get the attributes of an oracleasmfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_oracleasmfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_oracleasmfs'($*)) dnl
gen_require(`
type oracleasmfs_t;
')
allow $1 oracleasmfs_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_oracleasmfs'($*)) dnl
')
########################################
##
## Get the attributes of an oracleasmfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_oracleasmfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_oracleasmfs'($*)) dnl
gen_require(`
type oracleasmfs_t;
')
allow $1 oracleasmfs_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_oracleasmfs'($*)) dnl
')
########################################
##
## Get the attributes of an oracleasmfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_oracleasmfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_oracleasmfs_dirs'($*)) dnl
gen_require(`
type oracleasmfs_t;
')
allow $1 oracleasmfs_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_oracleasmfs_dirs'($*)) dnl
')
########################################
##
## Read and write the oracleasm device.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_oracleasm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_oracleasm'($*)) dnl
gen_require(`
type oracleasmfs_t;
')
manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t)
manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t)
dev_filetrans($1, oracleasmfs_t, dir, "oracleasm")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_oracleasm'($*)) dnl
')
########################################
##
## Search inotifyfs filesystem. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_inotifyfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_inotifyfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_inotifyfs'($*)) dnl
')
########################################
##
## List inotifyfs filesystem. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_inotifyfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_inotifyfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_inotifyfs'($*)) dnl
')
########################################
##
## Do not audit attempts to list inotifyfs filesystem. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_inotifyfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_inotifyfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_inotifyfs'($*)) dnl
')
########################################
##
## Create an object in a hugetlbfs filesystem, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`fs_hugetlbfs_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_hugetlbfs_filetrans'($*)) dnl
gen_require(`
type hugetlbfs_t;
')
allow $2 hugetlbfs_t:filesystem associate;
filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_hugetlbfs_filetrans'($*)) dnl
')
########################################
##
## Mount an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_iso9660_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_iso9660_fs'($*)) dnl
')
########################################
##
## Remount an iso9660 filesystem, which
## is usually used on CDs. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_iso9660_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_iso9660_fs'($*)) dnl
')
########################################
##
## Unmount an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_iso9660_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_iso9660_fs'($*)) dnl
')
########################################
##
## Get the attributes of an iso9660
## filesystem, which is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_iso9660_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_fs'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_fs'($*)) dnl
')
########################################
##
## Read files on an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_iso9660_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_files'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:dir list_dir_perms;
allow $1 iso9660_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_files'($*)) dnl
')
########################################
##
## Read files on an iso9660 filesystem, which
## is usually used on CDs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_iso9660_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_iso9660_files'($*)) dnl
gen_require(`
type iso9660_t;
')
allow $1 iso9660_t:dir list_dir_perms;
read_files_pattern($1, iso9660_t, iso9660_t)
read_lnk_files_pattern($1, iso9660_t, iso9660_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_iso9660_files'($*)) dnl
')
########################################
##
## Mount a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_nfs'($*)) dnl
')
########################################
##
## Remount a NFS filesystem. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_nfs'($*)) dnl
')
########################################
##
## Unmount a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_nfs'($*)) dnl
')
########################################
##
## Get the attributes of a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nfs'($*)) dnl
')
########################################
##
## Set the attributes of nfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_nfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_nfs_dirs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_nfs_dirs'($*)) dnl
')
########################################
##
## Search directories on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_nfs'($*)) dnl
')
########################################
##
## List NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_nfs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the contents
## of directories on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_nfs'($*)) dnl
')
########################################
##
## Mounton a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mounton_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_nfs'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_nfs'($*)) dnl
')
########################################
##
## Read files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## files on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_files'($*)) dnl
')
########################################
##
## Read files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_write_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_write_nfs_files'($*)) dnl
')
########################################
##
## Execute files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir list_dir_perms;
exec_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_nfs_files'($*)) dnl
')
########################################
##
## Make general progams in nfs an entrypoint for
## the specified domain.
##
##
##
## The domain for which nfs_t is an entrypoint.
##
##
#
define(`fs_nfs_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_nfs_entry_type'($*)) dnl
gen_require(`
type nfs_t;
')
domain_entry_file($1, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_nfs_entry_type'($*)) dnl
')
########################################
##
## Make general progams in NFS an entrypoint for
## the specified domain.
##
##
##
## The domain for which nfs_t is an entrypoint.
##
##
#
define(`fs_nfs_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_nfs_entrypoint'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_nfs_entrypoint'($*)) dnl
')
########################################
##
## Append files
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_append_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_append_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
append_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_append_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append files
## on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
##
#
define(`fs_dontaudit_append_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_nfs_files'($*)) dnl
')
########################################
##
## Read inherited files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_inherited_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_inherited_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_inherited_nfs_files'($*)) dnl
')
########################################
##
## Read/write inherited files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_inherited_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_nfs_files'($*)) dnl
')
########################################
##
## Read symbolic links on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_nfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfs_symlinks'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir list_dir_perms;
read_lnk_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfs_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to read symbolic links on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_nfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_symlinks'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_symlinks'($*)) dnl
')
#########################################
##
## Read named sockets on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_nfs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfs_named_sockets'($*)) dnl
gen_require(`
type nfs_t;
')
read_sock_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfs_named_sockets'($*)) dnl
')
#########################################
##
## Read named pipes on a NFS network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_nfs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfs_named_pipes'($*)) dnl
gen_require(`
type nfs_t;
')
read_fifo_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfs_named_pipes'($*)) dnl
')
########################################
##
## Read directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_rpc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_dirs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_dirs'($*)) dnl
')
########################################
##
## Watch directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_rpc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_rpc_dirs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_rpc_dirs'($*)) dnl
')
########################################
##
## Search directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_rpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_rpc'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_rpc'($*)) dnl
')
########################################
##
## Do not audit attempts to list removable storage directories.
##
##
##
## Do not audit attempts to list removable storage directories
##
##
## This interface has been deprecated, and will
## be removed in the future.
##
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_pstorefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_pstorefs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_pstorefs'($*)) dnl
')
########################################
##
## Do not audit attempts to list removable storage directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_list_pstore',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_pstore'($*)) dnl
gen_require(`
type pstore_t;
')
allow $1 pstore_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_pstore'($*)) dnl
')
########################################
##
## Relabel directory on removable storage.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_pstore_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_pstore_dirs'($*)) dnl
gen_require(`
type pstore_t;
')
relabel_dirs_pattern($1, pstore_t, pstore_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_pstore_dirs'($*)) dnl
')
########################################
##
## Search removable storage directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_removable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_removable'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_removable'($*)) dnl
')
########################################
##
## Do not audit attempts to list removable storage directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_removable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_removable'($*)) dnl
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_removable'($*)) dnl
')
########################################
##
## Read removable storage files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_removable_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_removable_files'($*)) dnl
gen_require(`
type removable_t;
')
read_files_pattern($1, removable_t, removable_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_removable_files'($*)) dnl
')
########################################
##
## mmap files on a removable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_mmap_removable_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mmap_removable_files'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mmap_removable_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read removable storage files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_removable_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_removable_files'($*)) dnl
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_removable_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write removable storage files.
##
##
##
## Domain not to audit.
##
##
#
define(`fs_dontaudit_write_removable_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_removable_files'($*)) dnl
gen_require(`
type removable_t;
')
dontaudit $1 removable_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_removable_files'($*)) dnl
')
########################################
##
## Read removable storage symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_removable_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_removable_symlinks'($*)) dnl
gen_require(`
type removable_t;
')
read_lnk_files_pattern($1, removable_t, removable_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_removable_symlinks'($*)) dnl
')
######################################
##
## Read block nodes on removable filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_removable_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_removable_blk_files'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:dir list_dir_perms;
read_blk_files_pattern($1, removable_t, removable_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_removable_blk_files'($*)) dnl
')
########################################
##
## Read and write block nodes on removable filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_removable_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_removable_blk_files'($*)) dnl
gen_require(`
type removable_t;
')
allow $1 removable_t:dir list_dir_perms;
rw_blk_files_pattern($1, removable_t, removable_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_removable_blk_files'($*)) dnl
')
########################################
##
## Read directories of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_rpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_rpc'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_rpc'($*)) dnl
')
########################################
##
## Read files of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_rpc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_rpc_files'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_rpc_files'($*)) dnl
')
########################################
##
## Read symbolic links of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_rpc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_rpc_symlinks'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_rpc_symlinks'($*)) dnl
')
########################################
##
## Read sockets of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_rpc_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_rpc_sockets'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:sock_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_rpc_sockets'($*)) dnl
')
########################################
##
## Read and write sockets of RPC file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_rpc_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_sockets'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:sock_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_rpc_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_nfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_dirs'($*)) dnl
gen_require(`
type nfs_t;
')
fs_search_auto_mountpoints($1)
allow $1 nfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete directories
## on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_nfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_dirs'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
fs_search_auto_mountpoints($1)
manage_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_files'($*)) dnl
')
########################################
##
## mmap files on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_mmap_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mmap_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mmap_nfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete files
## on a NFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_files'($*)) dnl
gen_require(`
type nfs_t;
')
dontaudit $1 nfs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_files'($*)) dnl
')
#########################################
##
## Create, read, write, and delete symbolic links
## on a NFS network filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_nfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_symlinks'($*)) dnl
gen_require(`
type nfs_t;
')
fs_search_auto_mountpoints($1)
manage_lnk_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_symlinks'($*)) dnl
')
#########################################
##
## Create, read, write, and delete named pipes
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_nfs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_pipes'($*)) dnl
gen_require(`
type nfs_t;
')
manage_fifo_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_pipes'($*)) dnl
')
#########################################
##
## Create, read, write, and delete named sockets
## on a NFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_nfs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_sockets'($*)) dnl
gen_require(`
type nfs_t;
')
manage_sock_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_sockets'($*)) dnl
')
########################################
##
## Execute a file on a NFS filesystem
## in the specified domain.
##
##
##
## Execute a file on a NFS filesystem
## in the specified domain. This allows
## the specified domain to execute any file
## on a NFS filesystem in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## home directories on NFS filesystems,
## in particular used by the ssh-agent policy.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`fs_nfs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_nfs_domtrans'($*)) dnl
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir search_dir_perms;
domain_auto_transition_pattern($1, nfs_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_nfs_domtrans'($*)) dnl
')
########################################
##
## Mount on nfsd_fs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mounton_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_nfsd_fs'($*)) dnl
')
########################################
##
## Mount a NFS server pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_nfsd_fs'($*)) dnl
')
########################################
##
## Mount a NFS server pseudo filesystem.
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_nfsd_fs'($*)) dnl
')
########################################
##
## Unmount a NFS server pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_nfsd_fs'($*)) dnl
')
########################################
##
## Get the attributes of a NFS server
## pseudo filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_fs'($*)) dnl
')
########################################
##
## Search NFS server directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_nfsd_fs'($*)) dnl
')
########################################
##
## List NFS server directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_nfsd_fs'($*)) dnl
')
########################################
##
## Getattr files on an nfsd filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_nfsd_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_files'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_files'($*)) dnl
')
#######################################
##
## read files on an nfsd filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_nfsd_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfsd_files'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfsd_files'($*)) dnl
')
#######################################
##
## Read and write NFS server files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_nfsd_fs'($*)) dnl
')
########################################
##
## Getattr files on an nsfs filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_getattr_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_nsfs_files'($*)) dnl
gen_require(`
type nsfs_t;
')
dontaudit $1 nsfs_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_nsfs_files'($*)) dnl
')
########################################
##
## Getattr files on an nsfs filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nsfs_files'($*)) dnl
gen_require(`
type nsfs_t;
')
getattr_files_pattern($1, nsfs_t, nsfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nsfs_files'($*)) dnl
')
#######################################
##
## Read nsfs inodes (e.g. /proc/pid/ns/uts)
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nsfs_files'($*)) dnl
gen_require(`
type nsfs_t;
')
allow $1 nsfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nsfs_files'($*)) dnl
')
#######################################
##
## Read and write nsfs inodes (e.g. /proc/pid/ns/uts)
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_nsfs_files'($*)) dnl
gen_require(`
type nsfs_t;
')
rw_files_pattern($1, nsfs_t, nsfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_nsfs_files'($*)) dnl
')
########################################
##
## Mount a nsfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_nsfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_nsfs'($*)) dnl
gen_require(`
type nsfs_t;
')
allow $1 nsfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_nsfs'($*)) dnl
')
########################################
##
## Remount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_nsfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_nsfs'($*)) dnl
gen_require(`
type nsfs_t;
')
allow $1 nsfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_nsfs'($*)) dnl
')
########################################
##
## Unmount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_nsfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_nsfs'($*)) dnl
gen_require(`
type nsfs_t;
')
allow $1 nsfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_nsfs'($*)) dnl
')
########################################
##
## Manage NFS server files and directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfsd_fs'($*)) dnl
gen_require(`
type nfsd_fs_t;
')
manage_dirs_pattern($1, nfsd_fs_t, nfsd_fs_t)
manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfsd_fs'($*)) dnl
')
########################################
##
## Allow the type to associate to ramfs filesystems.
##
##
##
## The type of the object to be associated.
##
##
#
define(`fs_associate_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_ramfs'($*)) dnl
')
########################################
##
## Allow the type to associate to proc filesystems.
##
##
##
## The type of the object to be associated.
##
##
#
define(`fs_associate_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_proc'($*)) dnl
')
########################################
##
## Mount a RAM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_ramfs'($*)) dnl
')
########################################
##
## Remount a RAM filesystem. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_ramfs'($*)) dnl
')
########################################
##
## Unmount a RAM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_ramfs'($*)) dnl
')
########################################
##
## Get the attributes of a RAM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_ramfs'($*)) dnl
')
########################################
##
## Search directories on a ramfs
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_ramfs'($*)) dnl
')
########################################
##
## Do not audit attempts to search directories on a ramfs
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_search_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_search_ramfs'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_search_ramfs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## directories on a ramfs.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_dirs'($*)) dnl
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to read on a ramfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_ramfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_files'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read on a ramfs fifo_files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_ramfs_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:fifo_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## files on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_files'($*)) dnl
gen_require(`
type ramfs_t;
')
manage_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_files'($*)) dnl
')
########################################
##
## Write to named pipe on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_ramfs_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
write_fifo_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_write_ramfs_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to write to named
## pipes on a ramfs filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_write_ramfs_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
dontaudit $1 ramfs_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_ramfs_pipes'($*)) dnl
')
########################################
##
## Read and write a named pipe on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_ramfs_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
rw_fifo_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_ramfs_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## named pipes on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_pipes'($*)) dnl
gen_require(`
type ramfs_t;
')
manage_fifo_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_pipes'($*)) dnl
')
########################################
##
## Write to named socket on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_write_ramfs_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_sockets'($*)) dnl
gen_require(`
type ramfs_t;
')
write_sock_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_write_ramfs_sockets'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## named sockets on a ramfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_ramfs_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_sockets'($*)) dnl
gen_require(`
type ramfs_t;
')
manage_sock_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_sockets'($*)) dnl
')
########################################
##
## Mount a ROM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_romfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
allow $1 romfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_romfs'($*)) dnl
')
########################################
##
## Remount a ROM filesystem. This allows
## some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_romfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
allow $1 romfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_romfs'($*)) dnl
')
########################################
##
## Unmount a ROM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_romfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
allow $1 romfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_romfs'($*)) dnl
')
########################################
##
## Get the attributes of a ROM
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_romfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_romfs'($*)) dnl
gen_require(`
type romfs_t;
')
allow $1 romfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_romfs'($*)) dnl
')
########################################
##
## Mount a RPC pipe filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_rpc_pipefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_rpc_pipefs'($*)) dnl
')
########################################
##
## Remount a RPC pipe filesystem. This
## allows some mount option to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_rpc_pipefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_rpc_pipefs'($*)) dnl
')
########################################
##
## Unmount a RPC pipe filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_rpc_pipefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_rpc_pipefs'($*)) dnl
')
########################################
##
## Get the attributes of a RPC pipe
## filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_rpc_pipefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_pipefs'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_pipefs'($*)) dnl
')
#########################################
##
## Read and write RPC pipe filesystem named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_rpc_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_named_pipes'($*)) dnl
gen_require(`
type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_rpc_named_pipes'($*)) dnl
')
########################################
##
## Mount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_tmpfs'($*)) dnl
')
########################################
##
## Dontaudit remount a tmpfs filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_remount_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_remount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_remount_tmpfs'($*)) dnl
')
########################################
##
## Remount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_tmpfs'($*)) dnl
')
########################################
##
## Unmount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_tmpfs'($*)) dnl
')
########################################
##
## Mount, remount, unmount a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_all_mount_fs_perms_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_all_mount_fs_perms_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem mount_fs_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_all_mount_fs_perms_tmpfs'($*)) dnl
')
########################################
##
## Mount on tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mounton_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_tmpfs'($*)) dnl
')
########################################
##
## Get the attributes of a tmpfs
## filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_getattr_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs'($*)) dnl
')
########################################
##
## Allow the type to associate to tmpfs filesystems.
##
##
##
## The type of the object to be associated.
##
##
#
define(`fs_associate_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_tmpfs'($*)) dnl
')
########################################
##
## Relabel from tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs'($*)) dnl
')
########################################
##
## Get the attributes of tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of tmpfs directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_dirs'($*)) dnl
')
########################################
##
## Set the attributes of tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_tmpfs_dirs'($*)) dnl
')
########################################
##
## Search tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_tmpfs'($*)) dnl
')
########################################
##
## List the contents of generic tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_tmpfs'($*)) dnl
')
########################################
##
## Do not audit attempts to list the
## contents of generic tmpfs directories.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_list_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_tmpfs'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_tmpfs'($*)) dnl
')
########################################
##
## Relabel directory on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_dirs'($*)) dnl
')
########################################
##
## Watch_mount directory on the tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_mount_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_mount_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 tmpfs_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_mount_tmpfs_dirs'($*)) dnl
')
########################################
##
## Watch_with_perm directory on the tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_watch_with_perm_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_with_perm_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
fs_search_tmpfs($1)
allow $1 tmpfs_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_with_perm_tmpfs_dirs'($*)) dnl
')
########################################
##
## Relabel fifo_file on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_fifo_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_fifo_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_fifo_files'($*)) dnl
')
########################################
##
## Relabel files on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
relabel_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_files'($*)) dnl
')
########################################
##
## Delete tmpfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_delete_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_delete_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
delete_dirs_pattern($1, tmpfs_t, tmpfs_t)
fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_delete_tmpfs_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## tmpfs directories
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to write
## tmpfs directories
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_write_tmpfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_tmpfs_dirs'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_tmpfs_dirs'($*)) dnl
')
########################################
##
## Create an object in a tmpfs filesystem, with a private
## type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`fs_tmpfs_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_tmpfs_filetrans'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $2 tmpfs_t:filesystem associate;
filetrans_pattern($1, tmpfs_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_tmpfs_filetrans'($*)) dnl
')
########################################
##
## Do not audit attempts to getattr
## generic tmpfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## generic tmpfs files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## auto moutpoints.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_auto_mountpoints'($*)) dnl
gen_require(`
type autofs_t;
')
allow $1 autofs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_auto_mountpoints'($*)) dnl
')
########################################
##
## Read generic tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
read_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write generic tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
rw_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write generic tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_inherited_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_tmpfs_files'($*)) dnl
')
########################################
##
## Read tmpfs link files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_tmpfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_symlinks'($*)) dnl
gen_require(`
type tmpfs_t;
')
read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_symlinks'($*)) dnl
')
########################################
##
## Relabel from tmpfs lnk files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_tmpfs_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs_lnk_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
relabelfrom_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs_lnk_files'($*)) dnl
')
########################################
##
## Read and write character nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tmpfs_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_chr_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir list_dir_perms;
rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_chr_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write character nodes on tmpfs filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_use_tmpfs_chr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_use_tmpfs_chr_dev'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:dir list_dir_perms;
dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_use_tmpfs_chr_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to create character nodes on tmpfs filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_create_tmpfs_chr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_create_tmpfs_chr_dev'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:chr_file create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_create_tmpfs_chr_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_tmpfs_blk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_tmpfs_blk_dev'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_tmpfs_blk_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to read files on tmpfs filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:blk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_tmpfs_files'($*)) dnl
')
########################################
##
## Relabel character nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_chr_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_chr_file'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir list_dir_perms;
relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_chr_file'($*)) dnl
')
########################################
##
## Read and write block nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tmpfs_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_blk_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir list_dir_perms;
rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_blk_files'($*)) dnl
')
########################################
##
## Relabel block nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_tmpfs_blk_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs_blk_file'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs_blk_file'($*)) dnl
')
########################################
##
## Relabel block nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_blk_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_blk_file'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir list_dir_perms;
relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_blk_file'($*)) dnl
')
########################################
##
## Relabel sock nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabel_tmpfs_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_sock_file'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir list_dir_perms;
relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_sock_file'($*)) dnl
')
########################################
##
## Delete generic files in tmpfs directory.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_delete_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_delete_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
allow $1 tmpfs_t:dir del_entry_dir_perms;
allow $1 tmpfs_t:file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_delete_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write, create and delete generic
## files on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
manage_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_files'($*)) dnl
')
########################################
##
## Execute files on a tmpfs filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_exec_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_tmpfs_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
exec_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_symlinks'($*)) dnl
gen_require(`
type tmpfs_t;
')
manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_symlinks'($*)) dnl
')
########################################
##
## Read and write, create and delete socket
## files on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_sockets'($*)) dnl
gen_require(`
type tmpfs_t;
')
manage_sock_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_sockets'($*)) dnl
')
########################################
##
## Read and write, create and delete character
## nodes on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_chr_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
manage_chr_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_chr_files'($*)) dnl
')
########################################
##
## Read and write, create and delete block nodes
## on tmpfs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_manage_tmpfs_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_blk_files'($*)) dnl
gen_require(`
type tmpfs_t;
')
manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_blk_files'($*)) dnl
')
########################################
##
## Mount a XENFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_xenfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_xenfs'($*)) dnl
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_xenfs'($*)) dnl
')
########################################
##
## Search the XENFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_xenfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_xenfs'($*)) dnl
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_xenfs'($*)) dnl
')
########################################
##
## Read files on a XENFS filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_read_xenfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_xenfs_files'($*)) dnl
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_xenfs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## on a XENFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_xenfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_xenfs_dirs'($*)) dnl
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_xenfs_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, and delete directories
## on a XENFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_xenfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_xenfs_dirs'($*)) dnl
gen_require(`
type xenfs_t;
')
dontaudit $1 xenfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_xenfs_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## on a XENFS filesystem.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_xenfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_xenfs_files'($*)) dnl
gen_require(`
type xenfs_t;
')
manage_files_pattern($1, xenfs_t, xenfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_xenfs_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create,
## read, write, and delete files
## on a XENFS filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_manage_xenfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_xenfs_files'($*)) dnl
gen_require(`
type xenfs_t;
')
dontaudit $1 xenfs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_xenfs_files'($*)) dnl
')
########################################
##
## Mount all filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem mount;
# Mount checks write access on the dir
allow $1 filesystem_type:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_all_fs'($*)) dnl
')
########################################
##
## Remount all filesystems. This
## allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_all_fs'($*)) dnl
')
########################################
##
## Unmount all filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_all_fs'($*)) dnl
')
########################################
##
## Get the attributes of all filesystems.
##
##
##
## Allow the specified domain to
## get the attributes of all filesystems.
## Example attributes:
##
##
## - Type of the file system (e.g., ext3)
## - Size of the file system
## - Available space on the file system
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`fs_getattr_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem getattr;
files_getattr_all_file_type_fs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## all filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on all filesystems.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_all_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_all_access_check'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_all_access_check'($*)) dnl
')
########################################
##
## Get the quotas of all filesystems.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_get_all_fs_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_get_all_fs_quotas'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem quotaget;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_get_all_fs_quotas'($*)) dnl
')
########################################
##
## Set the quotas of all filesystems.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_set_all_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_set_all_quotas'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem quotamod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_set_all_quotas'($*)) dnl
')
########################################
##
## Relabelfrom all filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_relabelfrom_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_all_fs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_all_fs'($*)) dnl
')
########################################
##
## Get the attributes of all directories
## with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_dirs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_dirs'($*)) dnl
')
########################################
##
## Dontaudit Get the attributes of all directories
## with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_dontaudit_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_dirs'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_dirs'($*)) dnl
')
########################################
##
## Search all directories with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_all'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_all'($*)) dnl
')
########################################
##
## List all directories with a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_list_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_all'($*)) dnl
gen_require(`
attribute filesystem_type;
')
allow $1 filesystem_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_all'($*)) dnl
')
########################################
##
## Get the attributes of all files with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
getattr_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_files'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_files'($*)) dnl
')
########################################
##
## Get the attributes of all symbolic links with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute filesystem_type;
')
getattr_lnk_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all symbolic links with a filesystem type.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_symlinks'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_symlinks'($*)) dnl
')
########################################
##
## Get the attributes of all named pipes with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_pipes'($*)) dnl
gen_require(`
attribute filesystem_type;
')
getattr_fifo_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named pipes with a filesystem type.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_pipes'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_pipes'($*)) dnl
')
########################################
##
## Get the attributes of all named sockets with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_sockets'($*)) dnl
gen_require(`
attribute filesystem_type;
')
getattr_sock_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all named sockets with a filesystem type.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_sockets'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_sockets'($*)) dnl
')
########################################
##
## Get the attributes of all block device nodes with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_blk_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_blk_files'($*)) dnl
')
########################################
##
## Get the attributes of all character device nodes with
## a filesystem type.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_chr_files'($*)) dnl
gen_require(`
attribute filesystem_type;
')
getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_chr_files'($*)) dnl
')
########################################
##
## Unconfined access to filesystems
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unconfined'($*)) dnl
gen_require(`
attribute filesystem_unconfined_type;
')
typeattribute $1 filesystem_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unconfined'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## all leaked filesystems files.
##
##
##
## Domain to not audit.
##
##
#
define(`fs_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_leaks'($*)) dnl
gen_require(`
attribute filesystem_type;
')
dontaudit $1 filesystem_type:file rw_inherited_file_perms;
dontaudit $1 filesystem_type:lnk_file { read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_leaks'($*)) dnl
')
########################################
##
## Transition named content in tmpfs_t directory
##
##
##
## Domain allowed access.
##
##
#
define(`fs_tmpfs_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_tmpfs_filetrans_named_content'($*)) dnl
gen_require(`
type cgroup_t;
type devlog_t;
')
fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_tmpfs_filetrans_named_content'($*)) dnl
')
#######################################
##
## Read files in efivarfs
## - contains Linux Kernel configuration options for UEFI systems
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_read_efivarfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_efivarfs_files'($*)) dnl
gen_require(`
type efivarfs_t;
')
read_files_pattern($1, efivarfs_t, efivarfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_efivarfs_files'($*)) dnl
')
#######################################
##
## Manage efivarfs files
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_efivarfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_efivarfs_files'($*)) dnl
gen_require(`
type efivarfs_t;
')
manage_files_pattern($1, efivarfs_t, efivarfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_efivarfs_files'($*)) dnl
')
########################################
##
## Search efivarfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_search_efivarfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_efivarfs_dirs'($*)) dnl
gen_require(`
type efivarfs_t;
')
search_dirs_pattern($1, efivarfs_t, efivarfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_efivarfs_dirs'($*)) dnl
')
########################################
##
## Set the attributes of efivarfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_setattr_efivarfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_efivarfs_files'($*)) dnl
gen_require(`
type efivarfs_t;
')
allow $1 efivarfs_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_efivarfs_files'($*)) dnl
')
########################################
##
## Read and write sockets of ONLOAD file system pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_onload_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_onload_sockets'($*)) dnl
gen_require(`
type onload_fs_t;
')
rw_files_pattern($1, onload_fs_t, onload_fs_t)
rw_fifo_files_pattern($1, onload_fs_t, onload_fs_t)
rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
allow $1 onload_fs_t:sock_file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_onload_sockets'($*)) dnl
')
########################################
##
## Read and write tracefs_t files
##
##
##
## Domain allowed access.
##
##
#
define(`fs_rw_tracefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tracefs_files'($*)) dnl
gen_require(`
type tracefs_t;
')
rw_files_pattern($1, tracefs_t, tracefs_t)
allow $1 self:lockdown confidentiality;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tracefs_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete dirs
## labeled as tracefs_t.
##
##
##
## Domain allowed access.
##
##
##
#
define(`fs_manage_tracefs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tracefs_dirs'($*)) dnl
gen_require(`
type tracefs_t;
')
manage_dirs_pattern($1, tracefs_t, tracefs_t)
allow $1 self:lockdown confidentiality;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tracefs_dirs'($*)) dnl
')
########################################
##
## Mount tracefs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_mount_tracefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_tracefs'($*)) dnl
gen_require(`
type tracefs_t;
')
allow $1 tracefs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_tracefs'($*)) dnl
')
########################################
##
## Remount tracefs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_remount_tracefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_tracefs'($*)) dnl
gen_require(`
type tracefs_t;
')
allow $1 tracefs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_tracefs'($*)) dnl
')
########################################
##
## Unmount tracefs filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`fs_unmount_tracefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_tracefs'($*)) dnl
gen_require(`
type tracefs_t;
')
allow $1 tracefs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_tracefs'($*)) dnl
')
##
## Policy for kernel threads, proc filesystem,
## and unlabeled processes and objects.
##
##
## This module has initial SIDs.
##
########################################
##
## Allows to start userland processes
## by transitioning to the specified domain.
##
##
##
## The process type entered by kernel.
##
##
##
##
## The executable type for the entrypoint.
##
##
#
define(`kernel_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_domtrans_to'($*)) dnl
gen_require(`
type kernel_t;
')
domtrans_pattern(kernel_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_domtrans_to'($*)) dnl
')
########################################
##
## Allows to start userland processes
## by transitioning to the specified domain,
## with a range transition.
##
##
##
## The process type entered by kernel.
##
##
##
##
## The executable type for the entrypoint.
##
##
##
##
## Range for the domain.
##
##
#
define(`kernel_ranged_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_ranged_domtrans_to'($*)) dnl
gen_require(`
type kernel_t;
')
kernel_domtrans_to($1, $2)
ifdef(`enable_mcs',`
range_transition kernel_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition kernel_t $2:process $3;
mls_rangetrans_target($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_ranged_domtrans_to'($*)) dnl
')
########################################
##
## Allows the kernel to mount filesystems on
## the specified directory type.
##
##
##
## The type of the directory to use as a mountpoint.
##
##
#
define(`kernel_rootfs_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rootfs_mountpoint'($*)) dnl
gen_require(`
type kernel_t;
')
allow kernel_t $1:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rootfs_mountpoint'($*)) dnl
')
########################################
##
## Set the process group of kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_setpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_setpgid'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process setpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_setpgid'($*)) dnl
')
########################################
##
## Set the priority of kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_setsched'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_setsched'($*)) dnl
')
########################################
##
## Dontaudit attempts to set the priority of kernel threads.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setsched'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setsched'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigchld'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigchld'($*)) dnl
')
########################################
##
## Send a kill signal to kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_kill'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_kill'($*)) dnl
')
########################################
##
## Send a generic signal to kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signal'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signal'($*)) dnl
')
########################################
##
## Send signull to kernel threads.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signull'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signull'($*)) dnl
')
########################################
##
## Allows the kernel to share state information with
## the caller.
##
##
##
## The type of the process with which to share state information.
##
##
#
define(`kernel_share_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_share_state'($*)) dnl
gen_require(`
type kernel_t;
')
allow kernel_t $1:process share;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_share_state'($*)) dnl
')
########################################
##
## Permits caller to use kernel file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_use_fds'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## kernel file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_use_fds'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Read and write kernel unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_pipes'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_pipes'($*)) dnl
')
########################################
##
## Connect to kernel using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_stream_connect'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_stream_socket { getattr connectto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_stream_connect'($*)) dnl
')
########################################
##
## Read and write kernel unix datagram sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unix_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_dgram_sockets'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unix_dgram_sockets'($*)) dnl
')
########################################
##
## Send messages to kernel unix datagram sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dgram_send'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dgram_send'($*)) dnl
')
########################################
##
## Receive messages from kernel TCP sockets. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_tcp_recvfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom'($*)) dnl
')
########################################
##
## Send UDP network traffic to the kernel. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_send'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_send'($*)) dnl
')
########################################
##
## Receive messages from kernel UDP sockets. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_udp_recvfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom'($*)) dnl
')
########################################
##
## Allows caller to load kernel modules
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_load_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_load_module'($*)) dnl
gen_require(`
attribute can_load_kernmodule;
')
typeattribute $1 can_load_kernmodule;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_load_module'($*)) dnl
')
########################################
##
## Allows caller to load unsigned kernel modules
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_load_unsigned_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_load_unsigned_module'($*)) dnl
allow $1 self:lockdown integrity;
kernel_load_module($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_load_unsigned_module'($*)) dnl
')
########################################
##
## Allow search the kernel key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_key'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_key'($*)) dnl
')
########################################
##
## dontaudit search the kernel key ring.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_search_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_key'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_key'($*)) dnl
')
########################################
##
## Allow link to the kernel key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_link_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_link_key'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_link_key'($*)) dnl
')
########################################
##
## dontaudit link to the kernel key ring.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_link_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_link_key'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_link_key'($*)) dnl
')
########################################
##
## Allow read, view, and write the kernel key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_key'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key { read view write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_key'($*)) dnl
')
########################################
##
## Allow view the kernel key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_view_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_view_key'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:key view;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_view_key'($*)) dnl
')
########################################
##
## dontaudit view the kernel key ring.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_view_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_view_key'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:key view;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_view_key'($*)) dnl
')
########################################
##
## Allows caller to read the ring buffer.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_ring_buffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_ring_buffer'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_ring_buffer'($*)) dnl
')
########################################
##
## Do not audit attempts to read the ring buffer.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_read_ring_buffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_ring_buffer'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:system syslog_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_ring_buffer'($*)) dnl
')
########################################
##
## Change the level of kernel messages logged to the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_change_ring_buffer_level',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_change_ring_buffer_level'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_console;
ifdef(`distro_rhel4',`
allow $1 self:capability sys_admin;
')
ifdef(`distro_rhel5',`
allow $1 self:capability sys_admin;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_change_ring_buffer_level'($*)) dnl
')
########################################
##
## Allows the caller to clear the ring buffer.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_clear_ring_buffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_clear_ring_buffer'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 self:capability2 syslog;
allow $1 kernel_t:system syslog_mod;
ifdef(`distro_rhel4',`
allow $1 self:capability sys_admin;
')
ifdef(`distro_rhel5',`
allow $1 self:capability sys_admin;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_clear_ring_buffer'($*)) dnl
')
########################################
##
## Allows caller to request the kernel to load a module
##
##
##
## Allow the specified domain to request that the kernel
## load a kernel module. An example of this is the
## auto-loading of network drivers when doing an
## ioctl() on a network interface.
##
##
## In the specific case of a module loading request
## on a network interface, the domain will also
## need the net_admin capability.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_request_load_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_request_load_module'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:system module_request;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_request_load_module'($*)) dnl
')
########################################
##
## Do not audit requests to the kernel to load a module.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_request_load_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_request_load_module'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:system module_request;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_request_load_module'($*)) dnl
')
########################################
##
## Get information on all System V IPC objects.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_get_sysvipc_info',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_get_sysvipc_info'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:system ipc_info;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_get_sysvipc_info'($*)) dnl
')
########################################
##
## Get the attributes of a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_debugfs'($*)) dnl
')
########################################
##
## Mount a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mount_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_debugfs'($*)) dnl
')
########################################
##
## Unmount a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_unmount_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_debugfs'($*)) dnl
')
########################################
##
## Remount a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_remount_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_remount_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 debugfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_remount_debugfs'($*)) dnl
')
########################################
##
## Search the contents of a kernel debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
search_dirs_pattern($1, debugfs_t, debugfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_debugfs'($*)) dnl
')
########################################
##
## Do not audit attempts to search the kernel debugging filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_search_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
dontaudit $1 debugfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_debugfs'($*)) dnl
')
########################################
##
## Read information from the debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 self:lockdown integrity;
read_files_pattern($1, debugfs_t, debugfs_t)
read_lnk_files_pattern($1, debugfs_t, debugfs_t)
list_dirs_pattern($1, debugfs_t, debugfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_debugfs'($*)) dnl
')
########################################
##
## Do not audit attempts to write kernel debugging filesystem dirs.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_write_debugfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_debugfs_dirs'($*)) dnl
gen_require(`
type debugfs_t;
')
dontaudit $1 debugfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_debugfs_dirs'($*)) dnl
')
########################################
##
## Manage information from the debugging filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_manage_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_manage_debugfs'($*)) dnl
gen_require(`
type debugfs_t;
')
allow $1 self:lockdown integrity;
manage_files_pattern($1, debugfs_t, debugfs_t)
manage_dirs_pattern($1,debugfs_t, debugfs_t)
read_lnk_files_pattern($1, debugfs_t, debugfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_manage_debugfs'($*)) dnl
')
########################################
##
## Mount a kernel VM filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mount_kvmfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_kvmfs'($*)) dnl
gen_require(`
type kvmfs_t;
')
allow $1 kvmfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_kvmfs'($*)) dnl
')
########################################
##
## Mount the proc filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mount_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_proc'($*)) dnl
')
########################################
##
## Unmount the proc filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_unmount_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_proc'($*)) dnl
')
########################################
##
## Mounton a proc filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mounton_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_proc'($*)) dnl
')
########################################
##
## Get the attributes of the proc filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc'($*)) dnl
gen_require(`
type proc_t;
')
allow $1 proc_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_proc'($*)) dnl
')
########################################
##
## Do not audit attempts to set the
## attributes of directories in /proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_setattr_proc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setattr_proc_dirs'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setattr_proc_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to set the
## attributes of files in /proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_setattr_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setattr_proc_files'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setattr_proc_files'($*)) dnl
')
########################################
##
## Search directories in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_proc'($*)) dnl
gen_require(`
type proc_t;
')
search_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_proc'($*)) dnl
')
########################################
##
## List the contents of directories in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_list_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_proc'($*)) dnl
gen_require(`
type proc_t;
')
list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_proc'($*)) dnl
')
########################################
##
## Do not audit attempts to list the
## contents of directories in /proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_proc'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_proc'($*)) dnl
')
########################################
##
## Do not audit attempts to write the
## directories in /proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_write_proc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_proc_dirs'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_proc_dirs'($*)) dnl
')
########################################
##
## Get the attributes of files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc_files'($*)) dnl
gen_require(`
type proc_t;
')
getattr_files_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_proc_files'($*)) dnl
')
########################################
##
## Read generic symbolic links in /proc.
##
##
##
## Allow the specified domain to read (follow) generic
## symbolic links (symlinks) in the proc filesystem (/proc).
## This interface does not include access to the targets of
## these links. An example symlink is /proc/self.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_proc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_proc_symlinks'($*)) dnl
gen_require(`
type proc_t;
')
read_lnk_files_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_proc_symlinks'($*)) dnl
')
########################################
##
## Allows caller to read system state information in /proc.
##
##
##
## Allow the specified domain to read general system
## state information from the proc filesystem (/proc).
##
##
## Generally it should be safe to allow this access. Some
## example files that can be read based on this interface:
##
##
## - /proc/cpuinfo
## - /proc/meminfo
## - /proc/uptime
##
##
## This does not allow access to sysctl entries (/proc/sys/*)
## nor process state information (/proc/pid).
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`kernel_read_system_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_system_state'($*)) dnl
gen_require(`
attribute kernel_system_state_reader;
')
typeattribute $1 kernel_system_state_reader;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_system_state'($*)) dnl
')
########################################
##
## Write to generic proc entries.
##
##
##
## Domain allowed access.
##
##
##
#
# cjp: this should probably go away. any
# file thats writable in proc should really
# have its own label.
#
define(`kernel_write_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_proc_files'($*)) dnl
gen_require(`
type proc_t;
')
write_files_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_proc_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write the
## file in /proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_write_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_proc_files'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_proc_files'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on generic proc entries.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_access_check_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_access_check_proc'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_access_check_proc'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to
## read system state information in proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_read_system_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_system_state'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_system_state'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to
## read system state information in proc.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_read_proc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_proc_symlinks'($*)) dnl
gen_require(`
type proc_t;
')
dontaudit $1 proc_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_proc_symlinks'($*)) dnl
')
#######################################
##
## Allow caller to read state information for AFS.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_afs_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_afs_state'($*)) dnl
gen_require(`
type proc_t, proc_afs_t;
')
list_dirs_pattern($1, proc_t, proc_t)
read_files_pattern($1, proc_afs_t, proc_afs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_afs_state'($*)) dnl
')
#######################################
##
## Allow caller to read and write state information for AFS.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_afs_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_afs_state'($*)) dnl
gen_require(`
type proc_t, proc_afs_t;
')
list_dirs_pattern($1, proc_t, proc_t)
rw_files_pattern($1, proc_afs_t, proc_afs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_afs_state'($*)) dnl
')
#######################################
##
## Allow caller to read the state information for software raid.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_software_raid_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_software_raid_state'($*)) dnl
gen_require(`
type proc_t, proc_mdstat_t;
')
read_files_pattern($1, proc_t, proc_mdstat_t)
list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_software_raid_state'($*)) dnl
')
#######################################
##
## Allow caller to read and set the state information for software raid.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_software_raid_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_software_raid_state'($*)) dnl
gen_require(`
type proc_t, proc_mdstat_t;
')
rw_files_pattern($1, proc_t, proc_mdstat_t)
list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_software_raid_state'($*)) dnl
')
########################################
##
## Allows caller to get attribues of core kernel interface.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_core_if'($*)) dnl
gen_require(`
type proc_t, proc_kcore_t;
')
getattr_files_pattern($1, proc_t, proc_kcore_t)
list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_core_if'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## core kernel interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_core_if'($*)) dnl
gen_require(`
type proc_kcore_t;
')
dontaudit $1 proc_kcore_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_core_if'($*)) dnl
')
########################################
##
## Allows caller to read the core kernel interface.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_core_if'($*)) dnl
gen_require(`
type proc_t, proc_kcore_t;
attribute can_dump_kernel;
')
allow $1 self:capability sys_rawio;
allow $1 self:lockdown confidentiality;
read_files_pattern($1, proc_t, proc_kcore_t)
list_dirs_pattern($1, proc_t, proc_t)
typeattribute $1 can_dump_kernel;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_core_if'($*)) dnl
')
########################################
##
## Allow caller to mounton the kernel messages file
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mounton_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_core_if'($*)) dnl
gen_require(`
type proc_kcore_t;
')
allow $1 proc_kcore_t:file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_core_if'($*)) dnl
')
########################################
##
## Allow caller to read kernel messages
## using the /proc/kmsg interface.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_messages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_messages'($*)) dnl
gen_require(`
attribute can_receive_kernel_messages;
type proc_kmsg_t, proc_t;
')
read_files_pattern($1, proc_t, proc_kmsg_t)
typeattribute $1 can_receive_kernel_messages;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_messages'($*)) dnl
')
########################################
##
## Allow caller to mounton the kernel messages file
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mounton_messages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_messages'($*)) dnl
gen_require(`
type proc_kmsg_t;
')
allow $1 proc_kmsg_t:file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_messages'($*)) dnl
')
########################################
##
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_getattr_message_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_message_if'($*)) dnl
gen_require(`
type proc_kmsg_t, proc_t;
')
getattr_files_pattern($1, proc_t, proc_kmsg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_message_if'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the attributes of kernel
## message interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_message_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_message_if'($*)) dnl
gen_require(`
type proc_kmsg_t, proc_t;
')
dontaudit $1 proc_kmsg_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_message_if'($*)) dnl
')
########################################
##
## Do not audit attempts to search the network
## state directory.
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_search_network_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_state'($*)) dnl
gen_require(`
type proc_net_t;
')
dontaudit $1 proc_net_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_state'($*)) dnl
')
########################################
##
## Allow searching of network state directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_search_network_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_network_state'($*)) dnl
gen_require(`
type proc_net_t;
')
search_dirs_pattern($1, proc_t, proc_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_network_state'($*)) dnl
')
########################################
##
## Read the network state information.
##
##
##
## Allow the specified domain to read the networking
## state information. This includes several pieces
## of networking information, such as network interface
## names, netfilter (iptables) statistics, protocol
## information, routes, and remote procedure call (RPC)
## information.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`kernel_read_network_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_network_state'($*)) dnl
gen_require(`
type proc_t, proc_net_t;
')
read_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
list_dirs_pattern($1, proc_t, proc_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_network_state'($*)) dnl
')
########################################
##
## Allow caller to read the network state symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_network_state_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_network_state_symlinks'($*)) dnl
gen_require(`
type proc_t, proc_net_t;
')
read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
list_dirs_pattern($1, proc_t, proc_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_network_state_symlinks'($*)) dnl
')
########################################
##
## Allow searching of xen state directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_search_xen_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_xen_state'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
search_dirs_pattern($1, proc_t, proc_xen_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_xen_state'($*)) dnl
')
########################################
##
## Do not audit attempts to search the xen
## state directory.
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_search_xen_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_xen_state'($*)) dnl
gen_require(`
type proc_xen_t;
')
dontaudit $1 proc_xen_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_xen_state'($*)) dnl
')
########################################
##
## Allow caller to read the xen state information.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_xen_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
list_dirs_pattern($1, proc_t, proc_xen_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_xen_state'($*)) dnl
')
########################################
##
## Allow caller to read the xen state symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_xen_state_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state_symlinks'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
list_dirs_pattern($1, proc_t, proc_xen_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_xen_state_symlinks'($*)) dnl
')
########################################
##
## Allow caller to write xen state information.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_write_xen_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_xen_state'($*)) dnl
gen_require(`
type proc_t, proc_xen_t;
')
write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_xen_state'($*)) dnl
')
########################################
##
## Allow attempts to list all proc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_list_all_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_all_proc'($*)) dnl
gen_require(`
attribute proc_type;
')
allow $1 proc_type:dir list_dir_perms;
allow $1 proc_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_all_proc'($*)) dnl
')
########################################
##
## Allow attempts to mounton all proc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mounton_all_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_all_proc'($*)) dnl
gen_require(`
attribute proc_type;
')
allow $1 proc_type:dir mounton;
allow $1 proc_type:file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_all_proc'($*)) dnl
')
########################################
##
## Do not audit attempts to list all proc directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_all_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_proc'($*)) dnl
gen_require(`
attribute proc_type;
')
dontaudit $1 proc_type:dir list_dir_perms;
dontaudit $1 proc_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_proc'($*)) dnl
')
########################################
##
## Allow attempts to read all proc types.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_all_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_all_proc'($*)) dnl
gen_require(`
attribute proc_type;
attribute can_dump_kernel;
attribute can_receive_kernel_messages;
')
read_files_pattern($1, proc_type, proc_type)
typeattribute $1 can_dump_kernel;
typeattribute $1 can_receive_kernel_messages;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_all_proc'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_search_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_sysctl'($*)) dnl
gen_require(`
type sysctl_t;
')
dontaudit $1 sysctl_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_sysctl'($*)) dnl
')
########################################
##
## Allow access to read sysctl directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_sysctl'($*)) dnl
gen_require(`
type sysctl_t, proc_t;
')
list_dirs_pattern($1, proc_t, sysctl_t)
read_files_pattern($1, sysctl_t, sysctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read the device sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_device_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_device_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_device_sysctls'($*)) dnl
')
########################################
##
## Read and write device sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_device_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_device_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_device_sysctls'($*)) dnl
')
########################################
##
## Allow caller to search virtual memory sysctls.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_vm_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_vm_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_vm_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read virtual memory sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_vm_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_vm_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_vm_sysctls'($*)) dnl
')
########################################
##
## Read and write virtual memory sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_vm_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
')
rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
# hal needs this
allow $1 sysctl_vm_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_vm_sysctls'($*)) dnl
')
########################################
##
## Search network sysctl directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_network_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_network_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_network_sysctl'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to search network sysctl directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_search_network_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_sysctl'($*)) dnl
gen_require(`
type sysctl_net_t;
')
dontaudit $1 sysctl_net_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read network sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_net_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_net_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_net_sysctls'($*)) dnl
')
########################################
##
## Allow caller to modiry contents of sysctl network files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_net_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_net_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_net_sysctls'($*)) dnl
')
########################################
##
## Allow caller to read unix domain
## socket sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_unix_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_unix_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_unix_sysctls'($*)) dnl
')
########################################
##
## Read and write unix domain
## socket sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_unix_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unix_sysctls'($*)) dnl
')
########################################
##
## Read the hotplug sysctl.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_hotplug_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_hotplug_sysctls'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_hotplug_sysctls'($*)) dnl
')
########################################
##
## Read and write the hotplug sysctl.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_hotplug_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_hotplug_sysctls'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_hotplug_sysctls'($*)) dnl
')
########################################
##
## Read the modprobe sysctl.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_modprobe_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_modprobe_sysctls'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_modprobe_sysctls'($*)) dnl
')
########################################
##
## Read and write the modprobe sysctl.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_modprobe_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_modprobe_sysctls'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_modprobe_sysctls'($*)) dnl
')
########################################
##
## Allow mounton generic kernel sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_mounton_kernel_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_kernel_sysctl'($*)) dnl
gen_require(`
type sysctl_kernel_t;
')
allow $1 sysctl_kernel_t:dir mounton;
allow $1 sysctl_kernel_t:file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_kernel_sysctl'($*)) dnl
')
########################################
##
## Do not audit attempts to search generic kernel sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_search_kernel_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_kernel_sysctl'($*)) dnl
gen_require(`
type sysctl_kernel_t;
')
dontaudit $1 sysctl_kernel_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_kernel_sysctl'($*)) dnl
')
########################################
##
## Read generic crypto sysctls.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_crypto_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_crypto_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_crypto_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_crypto_sysctls'($*)) dnl
')
########################################
##
## Read general kernel sysctls.
##
##
##
## Allow the specified domain to read general
## kernel sysctl settings. These settings are typically
## read using the sysctl program. The settings
## that are included by this interface are prefixed
## with "kernel.", for example, kernel.sysrq.
##
##
## This does not include access to the hotplug
## handler setting (kernel.hotplug)
## nor the module installer handler setting
## (kernel.modprobe).
##
##
## Related interfaces:
##
##
## - kernel_rw_kernel_sysctl()
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_kernel_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_kernel_sysctls'($*)) dnl
')
########################################
##
## Do not audit attempts to write generic kernel sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_write_kernel_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_sysctl'($*)) dnl
gen_require(`
type sysctl_kernel_t;
')
dontaudit $1 sysctl_kernel_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_sysctl'($*)) dnl
')
########################################
##
## Read and write generic kernel sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_kernel_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_sysctl'($*)) dnl
')
########################################
##
## Read kernel ns lastpid sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_kernel_ns_lastpid_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_ns_lastpid_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_kernel_ns_lastpid_sysctls'($*)) dnl
')
########################################
##
## Do not audit attempts to write kernel ns lastpid sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_ns_lastpid_sysctl'($*)) dnl
gen_require(`
type sysctl_kernel_ns_last_pid_t;
')
dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_ns_lastpid_sysctl'($*)) dnl
')
########################################
##
## Read and write kernel ns lastpid sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_kernel_ns_lastpid_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_ns_lastpid_sysctl'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_ns_lastpid_sysctl'($*)) dnl
')
########################################
##
## Read filesystem sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_fs_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_fs_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_fs_sysctls'($*)) dnl
')
########################################
##
## Read and write fileystem sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_fs_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_fs_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_t, sysctl_fs_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_fs_sysctls'($*)) dnl
')
########################################
##
## Read IRQ sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_irq_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_irq_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_irq_t;
')
read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
list_dirs_pattern($1, proc_t, sysctl_irq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_irq_sysctls'($*)) dnl
')
########################################
##
## Read and write IRQ sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_irq_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_irq_sysctls'($*)) dnl
gen_require(`
type proc_t, sysctl_irq_t;
')
rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
list_dirs_pattern($1, proc_t, sysctl_irq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_irq_sysctls'($*)) dnl
')
########################################
##
## Read RPC sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_rpc_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_rpc_sysctls'($*)) dnl
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_rpc_sysctls'($*)) dnl
')
########################################
##
## Read RPC sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_rpc_sysctls_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_rpc_sysctls_dirs'($*)) dnl
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_rpc_sysctls_dirs'($*)) dnl
')
########################################
##
## Read and write RPC sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_rpc_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_rpc_sysctls'($*)) dnl
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_rpc_sysctls'($*)) dnl
')
########################################
##
## Read and write RPC sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_create_rpc_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_create_rpc_sysctls'($*)) dnl
gen_require(`
type proc_t, proc_net_t, sysctl_rpc_t;
')
create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_create_rpc_sysctls'($*)) dnl
')
########################################
##
## Do not audit attempts to list all sysctl directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
')
dontaudit $1 sysctl_type:dir list_dir_perms;
dontaudit $1 sysctl_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_sysctls'($*)) dnl
')
########################################
##
## Allow attempts to mounton all sysctl directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mounton_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
')
allow $1 sysctl_type:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_all_sysctls'($*)) dnl
')
########################################
##
## Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mounton_systemd_ProtectKernelTunables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_systemd_ProtectKernelTunables'($*)) dnl
gen_require(`
type sysctl_t;
type sysctl_irq_t;
type proc_t;
type mtrr_device_t;
type debugfs_t;
type cgroup_t;
')
allow $1 sysctl_t:dir mounton;
allow $1 sysctl_irq_t:dir mounton;
allow $1 proc_t:dir mounton;
allow $1 mtrr_device_t:dir mounton;
allow $1 debugfs_t:dir mounton;
allow $1 cgroup_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_systemd_ProtectKernelTunables'($*)) dnl
')
########################################
##
## Allow caller to read all sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
type proc_t, proc_net_t;
')
# proc_net_t for /proc/net/rpc sysctls
read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_all_sysctls'($*)) dnl
')
########################################
##
## Read and write all sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
type proc_t, proc_net_t;
')
# proc_net_t for /proc/net/rpc sysctls
rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
allow $1 sysctl_type:dir list_dir_perms;
# why is setattr needed?
allow $1 sysctl_type:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_all_sysctls'($*)) dnl
')
########################################
##
## Send a kill signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_kill_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_kill_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_kill_unlabeled'($*)) dnl
')
########################################
##
## Mount a kernel unlabeled filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_mount_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_unlabeled'($*)) dnl
')
########################################
##
## Unmount a kernel unlabeled filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_unmount_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_unlabeled'($*)) dnl
')
########################################
##
## Send general signals to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_signal_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signal_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signal_unlabeled'($*)) dnl
')
########################################
##
## Send a null signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_signull_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signull_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signull_unlabeled'($*)) dnl
')
########################################
##
## Send a stop signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sigstop_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigstop_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigstop_unlabeled'($*)) dnl
')
########################################
##
## Send a child terminated signal to unlabeled processes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sigchld_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigchld_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigchld_unlabeled'($*)) dnl
')
########################################
##
## List unlabeled directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_list_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_unlabeled'($*)) dnl
')
########################################
##
## Delete unlabeled files
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_delete_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir delete_dir_perms;
allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_unlabeled_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_unlabeled_state'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir list_dir_perms;
read_files_pattern($1, unlabeled_t, unlabeled_t)
read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_unlabeled_state'($*)) dnl
')
########################################
##
## Do not audit attempts to list unlabeled directories.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_list_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_unlabeled'($*)) dnl
')
########################################
##
## Read and write unlabeled directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_dirs'($*)) dnl
')
########################################
##
## Read and write unlabeled files.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to
## read an unlabeled file.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_read_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_unlabeled_files'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled symbolic links.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled named pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl
')
########################################
##
## Read and write unlabeled block device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_blk_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_blk_files'($*)) dnl
')
########################################
##
## Read and write unlabeled sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_socket'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_socket'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_unlabeled_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled directories.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_dirs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_dirs'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled filesystems.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_fs'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_fs'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled files.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_files'($*)) dnl
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_files'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_pipes'($*)) dnl
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_pipes'($*)) dnl
')
########################################
##
## Allow caller to relabel unlabeled named sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_sockets'($*)) dnl
gen_require(`
type unlabeled_t;
')
kernel_list_unlabeled($1)
allow $1 unlabeled_t:sock_file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_sockets'($*)) dnl
')
########################################
##
## Send and receive messages from an
## unlabeled IPSEC association.
##
##
##
## Send and receive messages from an
## unlabeled IPSEC association. Network
## connections that are not protected
## by IPSEC have use an unlabeled
## assocation.
##
##
## The corenetwork interface
## corenet_non_ipsec_sendrecv() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sendrecv_unlabeled_association',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_association'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:association { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_association'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association.
##
##
##
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association. Network
## connections that are not protected
## by IPSEC have use an unlabeled
## assocation.
##
##
## The corenetwork interface
## corenet_dontaudit_non_ipsec_sendrecv() should
## be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_sendrecv_unlabeled_association',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:association { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl
')
########################################
##
## Receive DCCP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dccp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dccp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive TCP packets from an unlabeled connection.
##
##
##
## Receive TCP packets from an unlabeled connection.
##
##
## The corenetwork interface corenet_tcp_recv_unlabeled() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_tcp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive DCCP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
##
##
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
##
## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
## should be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_tcp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive UDP packets from an unlabeled connection.
##
##
##
## Receive UDP packets from an unlabeled connection.
##
##
## The corenetwork interface corenet_udp_recv_unlabeled() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
##
##
##
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
##
##
## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
## should be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Receive Raw IP packets from an unlabeled connection.
##
##
##
## Receive Raw IP packets from an unlabeled connection.
##
##
## The corenetwork interface corenet_raw_recv_unlabeled() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_raw_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_raw_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Read/Write Raw IP packets from an unlabeled connection.
##
##
##
## Receive Raw IP packets from an unlabeled connection.
##
##
## The corenetwork interface corenet_raw_recv_unlabeled() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_rawip_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_rawip_socket'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:rawip_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_rawip_socket'($*)) dnl
')
########################################
##
## Read/Write smc packets from an unlabeled connection.
##
##
##
## Receive smc packets from an unlabeled connection.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_smc_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_smc_socket'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:smc_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_smc_socket'($*)) dnl
')
########################################
##
## Read/Write vsock packets from an unlabeled connection.
##
##
##
## Receive vsock packets from an unlabeled connection.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_unlabeled_vsock_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_vsock_socket'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:vsock_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_vsock_socket'($*)) dnl
')
########################################
##
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
##
##
##
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
##
##
## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
## should be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
')
########################################
##
## Send and receive unlabeled packets.
##
##
##
## Send and receive unlabeled packets.
## These packets do not match any netfilter
## SECMARK rules.
##
##
## The corenetwork interface
## corenet_sendrecv_unlabeled_packets() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_sendrecv_unlabeled_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_packets'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:packet { send recv };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_packets'($*)) dnl
')
########################################
##
## Receive packets from an unlabeled peer.
##
##
##
## Receive packets from an unlabeled peer, these packets do not have any
## peer labeling information present.
##
##
## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
## be used instead of this one.
##
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_recvfrom_unlabeled_peer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_recvfrom_unlabeled_peer'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_recvfrom_unlabeled_peer'($*)) dnl
')
########################################
##
## Do not audit attempts to receive packets from an unlabeled peer.
##
##
##
## Do not audit attempts to receive packets from an unlabeled peer,
## these packets do not have any peer labeling information present.
##
##
## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
## should be used instead of this one.
##
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_recvfrom_unlabeled_peer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_recvfrom_unlabeled_peer'($*)) dnl
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_recvfrom_unlabeled_peer'($*)) dnl
')
########################################
##
## Relabel from unlabeled database objects.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_unlabeled_database',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_database'($*)) dnl
gen_require(`
type unlabeled_t;
class db_database { setattr relabelfrom };
class db_schema { setattr relabelfrom };
class db_table { setattr relabelfrom };
class db_sequence { setattr relabelfrom };
class db_view { setattr relabelfrom };
class db_procedure { setattr relabelfrom };
class db_language { setattr relabelfrom };
class db_column { setattr relabelfrom };
class db_tuple { update relabelfrom };
class db_blob { setattr relabelfrom };
')
allow $1 unlabeled_t:db_database { setattr relabelfrom };
allow $1 unlabeled_t:db_schema { setattr relabelfrom };
allow $1 unlabeled_t:db_table { setattr relabelfrom };
allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
allow $1 unlabeled_t:db_view { setattr relabelfrom };
allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
allow $1 unlabeled_t:db_language { setattr relabelfrom };
allow $1 unlabeled_t:db_column { setattr relabelfrom };
allow $1 unlabeled_t:db_tuple { update relabelfrom };
allow $1 unlabeled_t:db_blob { setattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_database'($*)) dnl
')
########################################
##
## Relabel to unlabeled context .
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelto_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelto_unlabeled'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:dir_file_class_set relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelto_unlabeled'($*)) dnl
')
########################################
##
## Unconfined access to kernel module resources.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unconfined'($*)) dnl
gen_require(`
attribute kern_unconfined;
')
typeattribute $1 kern_unconfined;
kernel_load_module($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unconfined'($*)) dnl
')
########################################
##
## Allow the specified domain to getattr on
## the kernel with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_stream_read',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_stream_read'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_stream_socket { read getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_stream_read'($*)) dnl
')
#######################################
##
## Allow the specified domain to write on
## the kernel with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_stream_write',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_stream_write'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_stream_socket { write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_stream_write'($*)) dnl
')
#######################################
##
## Allow the specified domain to read/write on
## the kernel with a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_stream_socket_perms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_stream_socket_perms'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:unix_stream_socket rw_socket_perms;
allow $1 kernel_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_stream_socket_perms'($*)) dnl
')
########################################
##
## Make the specified type usable for regular entries in proc
##
##
##
## Type to be used for /proc entries.
##
##
#
define(`kernel_proc_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_proc_type'($*)) dnl
gen_require(`
attribute proc_type;
')
typeattribute $1 proc_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_proc_type'($*)) dnl
')
########################################
##
## Do not audit attempts by caller to get attributes on all sysctls.
##
##
##
## Domain to not audit.
##
##
#
define(`kernel_dontaudit_getattr_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_all_sysctls'($*)) dnl
gen_require(`
attribute sysctl_type;
')
dontaudit $1 sysctl_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_all_sysctls'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of the kernel.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_state'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:dir search_dir_perms;
allow $1 kernel_t:file read_file_perms;
allow $1 kernel_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_state'($*)) dnl
')
########################################
##
## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_state'($*)) dnl
gen_require(`
type kernel_t;
')
dontaudit $1 kernel_t:dir search_dir_perms;
dontaudit $1 kernel_t:file read_file_perms;
dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_state'($*)) dnl
')
########################################
##
## Allow searching of numa state directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_search_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_numa_state'($*)) dnl
gen_require(`
type proc_t, proc_numa_t;
')
search_dirs_pattern($1, proc_t, proc_numa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_numa_state'($*)) dnl
')
########################################
##
## Do not audit attempts to search the numa
## state directory.
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_search_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_numa_state'($*)) dnl
gen_require(`
type proc_numa_t;
')
dontaudit $1 proc_numa_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_numa_state'($*)) dnl
')
########################################
##
## Allow caller to read the numa state information.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_numa_state'($*)) dnl
gen_require(`
type proc_t, proc_numa_t;
')
read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
list_dirs_pattern($1, proc_t, proc_numa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_numa_state'($*)) dnl
')
########################################
##
## Allow caller to read the numa state symbolic links.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_numa_state_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_numa_state_symlinks'($*)) dnl
gen_require(`
type proc_t, proc_numa_t;
')
read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
list_dirs_pattern($1, proc_t, proc_numa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_numa_state_symlinks'($*)) dnl
')
########################################
##
## Allow caller to write numa state information.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_write_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_numa_state'($*)) dnl
gen_require(`
type proc_t, proc_numa_t;
')
write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_numa_state'($*)) dnl
')
########################################
##
## Allow caller to search virtual memory overcommit sysctls.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_search_vm_overcommit_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_vm_overcommit_sysctl'($*)) dnl
gen_require(`
type sysctl_vm_overcommit_t;
')
kernel_search_vm_sysctl($1)
search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_vm_overcommit_sysctl'($*)) dnl
')
########################################
##
## Allow caller to read virtual memory overcommit sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_read_vm_overcommit_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_vm_overcommit_sysctls'($*)) dnl
gen_require(`
type sysctl_vm_overcommit_t;
')
kernel_search_vm_sysctl($1)
read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_vm_overcommit_sysctls'($*)) dnl
')
########################################
##
## Read and write virtual memory overcommit sysctls.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_vm_overcommit_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_overcommit_sysctls'($*)) dnl
gen_require(`
type sysctl_vm_overcommit_t;
')
kernel_search_vm_sysctl($1)
rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_vm_overcommit_sysctls'($*)) dnl
')
########################################
##
## Do not audit attempts to search the security
## state directory.
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_search_security_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_security_state'($*)) dnl
gen_require(`
type proc_security_t;
')
dontaudit $1 proc_security_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_security_state'($*)) dnl
')
########################################
##
## Allow searching of security state directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_search_security_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_security_state'($*)) dnl
gen_require(`
type proc_security_t;
')
search_dirs_pattern($1, proc_t, proc_security_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_security_state'($*)) dnl
')
########################################
##
## Read the security state information.
##
##
##
## Allow the specified domain to read the security
## state information.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`kernel_read_security_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_security_state'($*)) dnl
gen_require(`
type proc_t, proc_security_t;
attribute sysctl_type;
')
read_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
list_dirs_pattern($1, proc_t, proc_security_t)
allow $1 sysctl_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_security_state'($*)) dnl
')
########################################
##
## Write the security state information.
##
##
##
## Allow the specified domain to write the security
## state information.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`kernel_write_security_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_security_state'($*)) dnl
gen_require(`
type proc_t, proc_security_t;
')
write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_security_state'($*)) dnl
')
########################################
##
## Allow caller to read the security state symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_security_state_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_security_state_symlinks'($*)) dnl
gen_require(`
type proc_t, proc_security_t;
')
read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
list_dirs_pattern($1, proc_t, proc_security_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_security_state_symlinks'($*)) dnl
')
########################################
##
## Access unlabeled infiniband pkeys.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_ib_access_unlabeled_pkeys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_ib_access_unlabeled_pkeys'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:infiniband_pkey access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_ib_access_unlabeled_pkeys'($*)) dnl
')
########################################
##
## Manage subnet on unlabeled Infiniband endports.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_ib_manage_subnet_unlabeled_endports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_ib_manage_subnet_unlabeled_endports'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:infiniband_endport manage_subnet;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_ib_manage_subnet_unlabeled_endports'($*)) dnl
')
########################################
##
## Allow caller to read the security state symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_rw_security_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_security_state'($*)) dnl
gen_require(`
type proc_t, proc_security_t;
')
rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
list_dirs_pattern($1, proc_t, proc_security_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_security_state'($*)) dnl
')
########################################
##
## Do not audit attempts to search the usermodehelper
## state directory.
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_search_usermodehelper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_usermodehelper_state'($*)) dnl
gen_require(`
type usermodehelper_t;
')
dontaudit $1 usermodehelper_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_usermodehelper_state'($*)) dnl
')
########################################
##
## Allow searching of usermodehelper state directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_search_usermodehelper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_usermodehelper_state'($*)) dnl
gen_require(`
type usermodehelper_t;
')
search_dirs_pattern($1, proc_t, usermodehelper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_usermodehelper_state'($*)) dnl
')
########################################
##
## Read the usermodehelper state information.
##
##
##
## Allow the specified domain to read the usermodehelpering
## state information. This includes several pieces
## of usermodehelpering information, such as usermodehelper interface
## names, usermodehelperfilter (iptables) statistics, protocol
## information, routes, and remote procedure call (RPC)
## information.
##
##
##
##
## Domain allowed access.
##
##
##
##
#
define(`kernel_read_usermodehelper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_usermodehelper_state'($*)) dnl
gen_require(`
type proc_t, usermodehelper_t;
')
read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
list_dirs_pattern($1, proc_t, usermodehelper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_usermodehelper_state'($*)) dnl
')
########################################
##
## Allow caller to read the usermodehelper state symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_usermodehelper_state_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_usermodehelper_state_symlinks'($*)) dnl
gen_require(`
type proc_t, usermodehelper_t;
')
read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
list_dirs_pattern($1, proc_t, usermodehelper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_usermodehelper_state_symlinks'($*)) dnl
')
########################################
##
## Read and write usermodehelper state
##
##
##
## Domain allowed access.
##
##
##
#
define(`kernel_rw_usermodehelper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_usermodehelper_state'($*)) dnl
gen_require(`
type proc_t, usermodehelper_t;
')
dev_search_sysfs($1)
rw_files_pattern($1, proc_t, usermodehelper_t)
list_dirs_pattern($1, proc_t, usermodehelper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_usermodehelper_state'($*)) dnl
')
########################################
##
## Dontaudit write usermodehelper state
##
##
##
## Domain to not audit.
##
##
##
#
define(`kernel_dontaudit_write_usermodehelper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_usermodehelper_state'($*)) dnl
gen_require(`
type usermodehelper_t;
')
dontaudit $1 usermodehelper_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_usermodehelper_state'($*)) dnl
')
########################################
##
## Relabel to usermodehelper context .
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelto_usermodehelper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelto_usermodehelper'($*)) dnl
gen_require(`
type usermodehelper_t;
')
allow $1 usermodehelper_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelto_usermodehelper'($*)) dnl
')
########################################
##
## Relabel from usermodehelper context .
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_relabelfrom_usermodehelper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_usermodehelper'($*)) dnl
gen_require(`
type usermodehelper_t;
')
allow $1 usermodehelper_t:file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_usermodehelper'($*)) dnl
')
########################################
##
## Read netlink audit socket
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_read_netlink_audit_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_netlink_audit_socket'($*)) dnl
gen_require(`
type kernel_t;
')
allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_netlink_audit_socket'($*)) dnl
')
########################################
##
## Execute an unlabeled file in the specified domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`kernel_unlabeled_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unlabeled_domtrans'($*)) dnl
gen_require(`
type unlabeled_t;
')
read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
domain_transition_pattern($1, unlabeled_t, $2)
type_transition $1 unlabeled_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unlabeled_domtrans'($*)) dnl
')
########################################
##
## Make general progams without labeles an entrypoint for
## the specified domain.
##
##
##
## The domain for which unlabeled_t is an entrypoint.
##
##
#
define(`kernel_unlabeled_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unlabeled_entry_type'($*)) dnl
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:file entrypoint;
allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unlabeled_entry_type'($*)) dnl
')
########################################
##
## Allow the caller load a new kernel
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_kexec_load',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_kexec_load'($*)) dnl
allow $1 self:capability sys_boot;
allow $1 self:lockdown integrity;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_kexec_load'($*)) dnl
')
########################################
##
## Allow the caller write perf_event
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_write_perf_event',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_perf_event'($*)) dnl
allow $1 self:capability2 perfmon;
# The confidentiality permission may not be needed soon if
# the kernel commit 08ef1af4de5f
# (perf/core: Fix unconditional security_locked_down() call)
# is backported to stable kernels
allow $1 self:lockdown confidentiality;
allow $1 self:perf_event write_perf_event_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_perf_event'($*)) dnl
')
########################################
##
## Allow the caller manage perf_event
##
##
##
## Domain allowed access.
##
##
#
define(`kernel_manage_perf_event',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_manage_perf_event'($*)) dnl
allow $1 self:capability2 perfmon;
# The confidentiality permission may not be needed, refer to kernel_write_perf_event()
allow $1 self:lockdown confidentiality;
allow $1 self:perf_event manage_perf_event_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_manage_perf_event'($*)) dnl
')
## Multicategory security policy
##
## Contains attributes used in MCS policy.
##
########################################
##
## Constrain by category access control (MCS).
##
##
##
## Constrain the specified type by category based
## access control (MCS) This prevents this domain from
## interacting with subjects and operating on objects
## that it otherwise would be able to interact
## with or operate on respectively.
##
##
##
##
## Type to be constrained by MCS.
##
##
##
#
define(`mcs_constrained',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_constrained'($*)) dnl
gen_require(`
attribute mcs_constrained_type;
')
typeattribute $1 mcs_constrained_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_constrained'($*)) dnl
')
########################################
##
## This domain is allowed to read files and directories
## regardless of their MCS category set.
##
##
##
## Domain target for user exemption.
##
##
##
#
define(`mcs_file_read_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_file_read_all'($*)) dnl
refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_file_read_all'($*)) dnl
')
########################################
##
## This domain is allowed to write files and directories
## regardless of their MCS category set.
##
##
##
## Domain target for user exemption.
##
##
##
#
define(`mcs_file_write_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_file_write_all'($*)) dnl
refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_file_write_all'($*)) dnl
')
########################################
##
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
##
##
##
## Domain target for user exemption.
##
##
##
#
define(`mcs_killall',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_killall'($*)) dnl
refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_killall'($*)) dnl
')
########################################
##
## This domain is allowed to ptrace
## all domains regardless of their MCS
## category set.
##
##
##
## Domain target for user exemption.
##
##
#
define(`mcs_ptrace_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_ptrace_all'($*)) dnl
refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_ptrace_all'($*)) dnl
')
########################################
##
## Make specified domain MCS trusted
## for setting any category set for
## the processes it executes.
##
##
##
## Domain target for user exemption.
##
##
#
define(`mcs_process_set_categories',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_process_set_categories'($*)) dnl
gen_require(`
attribute mcssetcats;
')
typeattribute $1 mcssetcats;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_process_set_categories'($*)) dnl
')
########################################
##
## Make specified domain MCS trusted
## for writing to sockets at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mcs_socket_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcs_socket_write_all_levels'($*)) dnl
refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcs_socket_write_all_levels'($*)) dnl
')
## Multilevel security policy
##
##
## This module contains interfaces for handling multilevel
## security. The interfaces allow the specified subjects
## and objects to be allowed certain privileges in the
## MLS rules.
##
##
##
## Contains attributes used in MLS policy.
##
########################################
##
## Make specified domain MLS trusted
## for reading from files up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_read_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_read_to_clearance'($*)) dnl
gen_require(`
attribute mlsfilereadtoclr;
')
typeattribute $1 mlsfilereadtoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_read_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from files at all levels. (Deprecated)
##
##
##
## Make specified domain MLS trusted
## for reading from files at all levels.
##
##
## This interface has been deprecated, please use
## mls_file_read_all_levels() instead.
##
##
##
##
## Domain allowed access.
##
##
#
define(`mls_file_read_up',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_read_up'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
mls_file_read_all_levels($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_read_up'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from files at all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_read_all_levels'($*)) dnl
gen_require(`
attribute mlsfileread;
')
typeattribute $1 mlsfileread;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for write to files up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_write_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_write_to_clearance'($*)) dnl
gen_require(`
attribute mlsfilewritetoclr;
')
typeattribute $1 mlsfilewritetoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_write_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for relabelto to files up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_relabel_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_relabel_to_clearance'($*)) dnl
gen_require(`
attribute mlsfilerelabeltoclr;
')
typeattribute $1 mlsfilerelabeltoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_relabel_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to files at all levels. (Deprecated)
##
##
##
## Make specified domain MLS trusted
## for writing to files at all levels.
##
##
## This interface has been deprecated, please use
## mls_file_write_all_levels() instead.
##
##
##
##
## Domain allowed access.
##
##
#
define(`mls_file_write_down',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_write_down'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
mls_file_write_all_levels($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_write_down'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to files at all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_write_all_levels'($*)) dnl
gen_require(`
attribute mlsfilewrite;
')
typeattribute $1 mlsfilewrite;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for raising the level of files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_upgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_upgrade'($*)) dnl
gen_require(`
attribute mlsfileupgrade;
')
typeattribute $1 mlsfileupgrade;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_upgrade'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for lowering the level of files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_downgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_downgrade'($*)) dnl
gen_require(`
attribute mlsfiledowngrade;
')
typeattribute $1 mlsfiledowngrade;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_downgrade'($*)) dnl
')
########################################
##
## Make specified domain trusted to
## be written to within its MLS range.
## The subject's MLS range must be a
## proper subset of the object's MLS range.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_file_write_within_range',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_file_write_within_range'($*)) dnl
gen_require(`
attribute mlsfilewriteinrange;
')
typeattribute $1 mlsfilewriteinrange;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_file_write_within_range'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from sockets at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_socket_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_read_all_levels'($*)) dnl
gen_require(`
attribute mlsnetread;
')
typeattribute $1 mlsnetread;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from sockets at any level
## that is dominated by the process clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_socket_read_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_read_to_clearance'($*)) dnl
gen_require(`
attribute mlsnetreadtoclr;
')
typeattribute $1 mlsnetreadtoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_read_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to sockets up to
## its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_socket_write_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_write_to_clearance'($*)) dnl
gen_require(`
attribute mlsnetwritetoclr;
')
typeattribute $1 mlsnetwritetoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_write_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to sockets at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_socket_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_socket_write_all_levels'($*)) dnl
gen_require(`
attribute mlsnetwrite;
')
typeattribute $1 mlsnetwrite;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_socket_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for receiving network data from
## network interfaces or hosts at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_net_receive_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_net_receive_all_levels'($*)) dnl
gen_require(`
attribute mlsnetrecvall;
')
typeattribute $1 mlsnetrecvall;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_net_receive_all_levels'($*)) dnl
')
########################################
##
## Make specified domain trusted to
## write to network objects within its MLS range.
## The subject's MLS range must be a
## proper subset of the object's MLS range.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_net_write_within_range',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_net_write_within_range'($*)) dnl
gen_require(`
attribute mlsnetwriteranged;
')
typeattribute $1 mlsnetwriteranged;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_net_write_within_range'($*)) dnl
')
########################################
##
## Make specified domain trusted to
## write inbound packets regardless of the
## network's or node's MLS range.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_net_inbound_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_net_inbound_all_levels'($*)) dnl
gen_require(`
attribute mlsnetinbound;
')
typeattribute $1 mlsnetinbound;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_net_inbound_all_levels'($*)) dnl
')
########################################
##
## Make specified domain trusted to
## write outbound packets regardless of the
## network's or node's MLS range.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_net_outbound_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_net_outbound_all_levels'($*)) dnl
gen_require(`
attribute mlsnetoutbound;
')
typeattribute $1 mlsnetoutbound;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_net_outbound_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from System V IPC objects
## up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_sysvipc_read_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_to_clearance'($*)) dnl
gen_require(`
attribute mlsipcreadtoclr;
')
typeattribute $1 mlsipcreadtoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from System V IPC objects
## at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_sysvipc_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_all_levels'($*)) dnl
gen_require(`
attribute mlsipcread;
')
typeattribute $1 mlsipcread;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to System V IPC objects
## up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_sysvipc_write_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_to_clearance'($*)) dnl
gen_require(`
attribute mlsipcwritetoclr;
')
typeattribute $1 mlsipcwritetoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to System V IPC objects
## at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_sysvipc_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_all_levels'($*)) dnl
gen_require(`
attribute mlsipcwrite;
')
typeattribute $1 mlsipcwrite;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_all_levels'($*)) dnl
')
########################################
##
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_rangetrans_source',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_rangetrans_source'($*)) dnl
gen_require(`
attribute privrangetrans;
')
typeattribute $1 privrangetrans;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_rangetrans_source'($*)) dnl
')
########################################
##
## Make specified domain a target domain
## for MLS range transitions that change
## the current level.
##
##
##
## Domain allowed access.
##
##
#
define(`mls_rangetrans_target',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_rangetrans_target'($*)) dnl
gen_require(`
attribute mlsrangetrans;
')
typeattribute $1 mlsrangetrans;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_rangetrans_target'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from processes up to
## its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_process_read_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_to_clearance'($*)) dnl
gen_require(`
attribute mlsprocreadtoclr;
')
typeattribute $1 mlsprocreadtoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from processes at all levels. (Deprecated)
##
##
##
## Make specified domain MLS trusted
## for reading from processes at all levels.
##
##
## This interface has been deprecated, please use
## mls_process_read_all_levels() instead.
##
##
##
##
## Domain allowed access.
##
##
#
define(`mls_process_read_up',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_up'($*)) dnl
# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.')
mls_process_read_all_levels($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_up'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from processes at all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_process_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_all_levels'($*)) dnl
gen_require(`
attribute mlsprocread;
')
typeattribute $1 mlsprocread;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to processes up to
## its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_process_write_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_write_to_clearance'($*)) dnl
gen_require(`
attribute mlsprocwritetoclr;
')
typeattribute $1 mlsprocwritetoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_write_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to processes at all levels. (Deprecated)
##
##
##
## Make specified domain MLS trusted
## for writing to processes at all levels.
##
##
## This interface has been deprecated, please use
## mls_process_write_all_levels() instead.
##
##
##
##
## Domain allowed access.
##
##
#
define(`mls_process_write_down',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_write_down'($*)) dnl
# refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.')
mls_process_write_all_levels($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_write_down'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to processes at all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_process_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_write_all_levels'($*)) dnl
gen_require(`
attribute mlsprocwrite;
')
typeattribute $1 mlsprocwrite;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for setting the level of processes
## it executes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_process_set_level',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_process_set_level'($*)) dnl
gen_require(`
attribute mlsprocsetsl;
')
typeattribute $1 mlsprocsetsl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_process_set_level'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from X objects up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_xwin_read_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_xwin_read_to_clearance'($*)) dnl
gen_require(`
attribute mlsxwinreadtoclr;
')
typeattribute $1 mlsxwinreadtoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_xwin_read_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from X objects at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_xwin_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_xwin_read_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinread;
')
typeattribute $1 mlsxwinread;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_xwin_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for write to X objects up to its clearance.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_xwin_write_to_clearance',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_xwin_write_to_clearance'($*)) dnl
gen_require(`
attribute mlsxwinwritetoclr;
')
typeattribute $1 mlsxwinwritetoclr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_xwin_write_to_clearance'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to X objects at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_xwin_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_xwin_write_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinwrite;
')
typeattribute $1 mlsxwinwrite;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_xwin_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from X colormaps at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_colormap_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_colormap_read_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinreadcolormap;
')
typeattribute $1 mlsxwinreadcolormap;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_colormap_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to X colormaps at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_colormap_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_colormap_write_all_levels'($*)) dnl
gen_require(`
attribute mlsxwinwritecolormap;
')
typeattribute $1 mlsxwinwritecolormap;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_colormap_write_all_levels'($*)) dnl
')
########################################
##
## Make specified object MLS trusted.
##
##
##
## Make specified object MLS trusted. This
## allows all levels to read and write the
## object.
##
##
## This currently only applies to filesystem
## objects, for example, files and directories.
##
##
##
##
## The type of the object.
##
##
#
define(`mls_trusted_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_trusted_object'($*)) dnl
gen_require(`
attribute mlstrustedobject;
')
typeattribute $1 mlstrustedobject;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_trusted_object'($*)) dnl
')
########################################
##
## Make the specified domain trusted
## to inherit and use file descriptors
## from all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_fd_use_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_fd_use_all_levels'($*)) dnl
gen_require(`
attribute mlsfduse;
')
typeattribute $1 mlsfduse;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_fd_use_all_levels'($*)) dnl
')
########################################
##
## Make the file descriptors from the
## specifed domain inheritable by
## all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_fd_share_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_fd_share_all_levels'($*)) dnl
gen_require(`
attribute mlsfdshare;
')
typeattribute $1 mlsfdshare;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_fd_share_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for translating contexts at all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_context_translate_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_context_translate_all_levels'($*)) dnl
gen_require(`
attribute mlstranslate;
')
typeattribute $1 mlstranslate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_context_translate_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for reading from databases at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_db_read_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_db_read_all_levels'($*)) dnl
gen_require(`
attribute mlsdbread;
')
typeattribute $1 mlsdbread;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_db_read_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for writing to databases at any level.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_db_write_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_db_write_all_levels'($*)) dnl
gen_require(`
attribute mlsdbwrite;
')
typeattribute $1 mlsdbwrite;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_db_write_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for raising the level of databases.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_db_upgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_db_upgrade'($*)) dnl
gen_require(`
attribute mlsdbupgrade;
')
typeattribute $1 mlsdbupgrade;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_db_upgrade'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for lowering the level of databases.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_db_downgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_db_downgrade'($*)) dnl
gen_require(`
attribute mlsdbdowngrade;
')
typeattribute $1 mlsdbdowngrade;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_db_downgrade'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for sending dbus messages to
## all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_dbus_send_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_dbus_send_all_levels'($*)) dnl
gen_require(`
attribute mlsdbussend;
')
typeattribute $1 mlsdbussend;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_dbus_send_all_levels'($*)) dnl
')
########################################
##
## Make specified domain MLS trusted
## for receiving dbus messages from
## all levels.
##
##
##
## Domain allowed access.
##
##
##
#
define(`mls_dbus_recv_all_levels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mls_dbus_recv_all_levels'($*)) dnl
gen_require(`
attribute mlsdbusrecv;
')
typeattribute $1 mlsdbusrecv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mls_dbus_recv_all_levels'($*)) dnl
')
##
## Policy for kernel security interface, in particular, selinuxfs.
##
##
## Contains the policy for the kernel SELinux security interface.
##
########################################
##
## Make the specified type used for labeling SELinux Booleans.
## This interface is only usable in the base module.
##
##
##
## Make the specified type used for labeling SELinux Booleans.
##
##
## This makes use of genfscon statements, which are only
## available in the base module. Thus any module which calls this
## interface must be included in the base module.
##
##
##
##
## Type used for labeling a Boolean.
##
##
##
##
## Name of the Boolean.
##
##
#
define(`selinux_labeled_boolean',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_labeled_boolean'($*)) dnl
gen_require(`
attribute boolean_type;
')
typeattribute $1 boolean_type;
# because of this statement, any module which
# calls this interface must be in the base module:
# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_labeled_boolean'($*)) dnl
')
########################################
##
## Get the mountpoint of the selinuxfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_get_fs_mount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_fs_mount'($*)) dnl
gen_require(`
type security_t;
')
allow $1 security_t:lnk_file read_lnk_file_perms;
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
allow $1 security_t:filesystem getattr;
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_read_system_state($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_get_fs_mount'($*)) dnl
')
########################################
##
## Do not audit attempts to get the mountpoint
## of the selinuxfs filesystem.
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_get_fs_mount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_get_fs_mount'($*)) dnl
gen_require(`
type security_t;
')
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:filesystem getattr;
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_dontaudit_read_system_state($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_get_fs_mount'($*)) dnl
')
########################################
##
## Mount the selinuxfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_mount_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_mount_fs'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_mount_fs'($*)) dnl
')
########################################
##
## Remount the selinuxfs filesystem.
## This allows some mount options to be changed.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_remount_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_remount_fs'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_remount_fs'($*)) dnl
')
########################################
##
## Unmount the selinuxfs filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_unmount_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_unmount_fs'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_unmount_fs'($*)) dnl
')
########################################
##
## Get the attributes of the selinuxfs filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_getattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_getattr_fs'($*)) dnl
gen_require(`
type security_t;
')
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_getattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the selinuxfs filesystem
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_getattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_fs'($*)) dnl
gen_require(`
type security_t;
')
dontaudit $1 security_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the selinuxfs directory.
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_getattr_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_dir'($*)) dnl
gen_require(`
type security_t;
')
dontaudit $1 security_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_dir'($*)) dnl
')
########################################
##
## Search selinuxfs.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_search_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_search_fs'($*)) dnl
gen_require(`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir search_dir_perms;
optional_policy(`
seutil_search_config($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_search_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to search selinuxfs.
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_search_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_search_fs'($*)) dnl
gen_require(`
type security_t;
')
dontaudit $1 security_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_search_fs'($*)) dnl
')
########################################
##
## Mount on selinuxfs directories.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_mounton_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_mounton_fs'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_mounton_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to read
## generic selinuxfs entries
##
##
##
## Domain to not audit.
##
##
#
define(`selinux_dontaudit_read_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_read_fs'($*)) dnl
gen_require(`
type security_t;
')
selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_read_fs'($*)) dnl
')
########################################
##
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_get_enforce_mode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_enforce_mode'($*)) dnl
gen_require(`
type security_t;
')
dev_search_sysfs($1)
selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file mmap_read_file_perms;
allow $1 security_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_get_enforce_mode'($*)) dnl
')
########################################
##
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
##
##
##
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_set_enforce_mode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_enforce_mode'($*)) dnl
gen_require(`
type security_t;
attribute can_setenforce;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_enforce_mode'($*)) dnl
')
########################################
##
## Allow caller to load the policy into the kernel.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_load_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_load_policy'($*)) dnl
gen_require(`
type security_t;
attribute can_load_policy;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:lnk_file read_lnk_file_perms;
typeattribute $1 can_load_policy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_load_policy'($*)) dnl
')
########################################
##
## Allow caller to read the policy from the kernel.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_read_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_read_policy'($*)) dnl
gen_require(`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:security read_policy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_read_policy'($*)) dnl
')
########################################
##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy. (Deprecated)
##
##
##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
##
##
## Since this is a security event, this action is
## always audited.
##
##
## This interface has been deprecated. Please use
## selinux_set_generic_booleans() or selinux_set_all_booleans()
## instead.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_set_boolean',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_boolean'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
selinux_set_generic_booleans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_boolean'($*)) dnl
')
########################################
##
## Allow caller to set the state of generic Booleans to
## enable or disable conditional portions of the policy.
##
##
##
## Allow caller to set the state of generic Booleans to
## enable or disable conditional portions of the policy.
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_set_generic_booleans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_generic_booleans'($*)) dnl
gen_require(`
type security_t;
attribute can_setbool;
')
typeattribute $1 can_setbool;
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_generic_booleans'($*)) dnl
')
########################################
##
## Allow caller to set the state of all Booleans to
## enable or disable conditional portions of the policy.
##
##
##
## Allow caller to set the state of all Booleans to
## enable or disable conditional portions of the policy.
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_set_all_booleans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_all_booleans'($*)) dnl
gen_require(`
type security_t, secure_mode_policyload_t;
attribute boolean_type;
attribute can_setbool;
')
typeattribute $1 can_setbool;
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 boolean_type:dir list_dir_perms;
allow $1 boolean_type:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_all_booleans'($*)) dnl
')
########################################
##
## Allow caller to set SELinux access vector cache parameters.
##
##
##
## Allow caller to set SELinux access vector cache parameters.
## The allows the domain to set performance related parameters
## of the AVC, such as cache threshold.
##
##
## Since this is a security event, this action is
## always audited.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_set_parameters',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_parameters'($*)) dnl
gen_require(`
type security_t;
attribute can_setsecparam;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
auditallow $1 security_t:security setsecparam;
typeattribute $1 can_setsecparam;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_set_parameters'($*)) dnl
')
########################################
##
## Allows caller to validate security contexts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_validate_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_validate_context'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { map rw_file_perms };
allow $1 security_t:security check_context;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_validate_context'($*)) dnl
')
########################################
##
## Do not audit attempts to validate security contexts.
##
##
##
## Domain to not audit.
##
##
##
#
define(`selinux_dontaudit_validate_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_validate_context'($*)) dnl
gen_require(`
type security_t;
')
dontaudit $1 security_t:dir list_dir_perms;
dontaudit $1 security_t:file rw_file_perms;
dontaudit $1 security_t:security check_context;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_validate_context'($*)) dnl
')
########################################
##
## Allows caller to compute an access vector.
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_compute_access_vector',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_access_vector'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_access_vector'($*)) dnl
')
########################################
##
## Calculate the default type for object creation.
##
##
##
## Domain allowed access.
##
##
##
#
define(`selinux_compute_create_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_create_context'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_create_context'($*)) dnl
')
########################################
##
## Allows caller to compute polyinstatntiated
## directory members.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_compute_member',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_member'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_member'($*)) dnl
')
########################################
##
## Calculate the context for relabeling objects.
##
##
##
## Calculate the context for relabeling objects.
## This is determined by using the type_change
## rules in the policy, and is generally used
## for determining the context for relabeling
## a terminal when a user logs in.
##
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_compute_relabel_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_relabel_context'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_relabel_context'($*)) dnl
')
########################################
##
## Allows caller to setcheckreqprot
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_setcheckreqprot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_setcheckreqprot'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setcheckreqprot;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_setcheckreqprot'($*)) dnl
')
########################################
##
## Allows caller to compute possible contexts for a user.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_compute_user_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_user_contexts'($*)) dnl
gen_require(`
type security_t;
')
dev_getattr_sysfs_fs($1)
dev_search_sysfs($1)
allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_user_contexts'($*)) dnl
')
########################################
##
## Unconfined access to the SELinux kernel security server.
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_unconfined'($*)) dnl
gen_require(`
attribute selinux_unconfined_type;
')
typeattribute $1 selinux_unconfined_type;
selinux_set_all_booleans($1)
selinux_load_policy($1)
selinux_set_parameters($1)
selinux_set_enforce_mode($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_unconfined'($*)) dnl
')
########################################
##
## Generate a file context for a boolean type
##
##
##
## Domain allowed access.
##
##
#
define(`selinux_genbool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_genbool'($*)) dnl
gen_require(`
attribute boolean_type;
')
type $1;
typeattribute $1 boolean_type;
fs_type($1)
mls_trusted_object($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_genbool'($*)) dnl
')
## Policy controlling access to storage devices
########################################
##
## Allow the caller to get the attributes of fixed disk
## device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_getattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to read/write inherited fixed disk
## device nodes.
##
##
##
## The domain allowed access.
##
##
#
define(`storage_rw_inherited_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_inherited_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
attribute fixed_disk_raw_read;
attribute fixed_disk_raw_write;
')
allow $1 fixed_disk_device_t:chr_file { read write };
allow $1 fixed_disk_device_t:blk_file { read write };
typeattribute $1 fixed_disk_raw_read;
typeattribute $1 fixed_disk_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_inherited_fixed_disk_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_getattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dontaudit $1 fixed_disk_device_t:blk_file getattr;
dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes of fixed disk
## device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_setattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_setattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dontaudit $1 fixed_disk_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_raw_read_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_read_fixed_disk'($*)) dnl
gen_require(`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
#577012
allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
typeattribute $1 fixed_disk_raw_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_read_fixed_disk'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to read
## fixed disk device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_read_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_fixed_disk'($*)) dnl
')
########################################
##
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_raw_write_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_write_fixed_disk'($*)) dnl
gen_require(`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
typeattribute $1 fixed_disk_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_write_fixed_disk'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to write
## fixed disk device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_write_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_fixed_disk'($*)) dnl
')
########################################
##
## Allow the caller to directly read and write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_raw_rw_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_rw_fixed_disk'($*)) dnl
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
dev_rw_generic_blk_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_rw_fixed_disk'($*)) dnl
')
########################################
##
## Allow the caller to watch fixed disk device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_watch_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_watch_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file watch_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_watch_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to create fixed disk device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_create_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_create_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
dev_add_entry_generic_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_create_fixed_disk_dev'($*)) dnl
')
########################################
##
## Allow the caller to create fixed disk device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_delete_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_delete_fixed_disk_dev'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
dev_remove_entry_generic_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_delete_fixed_disk_dev'($*)) dnl
')
########################################
##
## Create, read, write, and delete fixed disk device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_manage_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_manage_fixed_disk'($*)) dnl
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_manage_fixed_disk'($*)) dnl
')
########################################
##
## Create block devices in /dev with the fixed disk type
## via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Optional filename of the block device to be created
##
##
#
define(`storage_dev_filetrans_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dev_filetrans_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dev_filetrans_fixed_disk'($*)) dnl
')
#######################################
##
## Create block devices in /dev with the fixed disk type
## via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_dev_filetrans_named_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dev_filetrans_named_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dev_filetrans_named_fixed_disk'($*)) dnl
')
########################################
##
## Create block devices in on a tmpfs filesystem with the
## fixed disk type via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_tmpfs_filetrans_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_tmpfs_filetrans_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_tmpfs_filetrans_fixed_disk'($*)) dnl
')
########################################
##
## Create block devices in on a tmp filesystem with the
## fixed disk type via an automatic type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_tmp_filetrans_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_tmp_filetrans_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
files_tmp_filetrans($1, fixed_disk_device_t, blk_file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_tmp_filetrans_fixed_disk'($*)) dnl
')
########################################
##
## Relabel fixed disk device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_relabel_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_relabel_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_relabel_fixed_disk'($*)) dnl
')
########################################
##
## Enable a fixed disk device as swap space
##
##
##
## Domain allowed access.
##
##
#
define(`storage_swapon_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_swapon_fixed_disk'($*)) dnl
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_swapon_fixed_disk'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes
## of device nodes of fuse devices.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_getattr_fuse_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_fuse_dev'($*)) dnl
gen_require(`
type fuse_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fuse_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_fuse_dev'($*)) dnl
')
########################################
##
## read or write fuse device interfaces.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_rw_fuse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_fuse'($*)) dnl
gen_require(`
type fuse_device_t;
')
allow $1 fuse_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_fuse'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## fuse device interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_rw_fuse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_fuse'($*)) dnl
gen_require(`
type fuse_device_t;
')
dontaudit $1 fuse_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_fuse'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_getattr_scsi_generic_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_scsi_generic_dev'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_scsi_generic_dev'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_setattr_scsi_generic_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev'($*)) dnl
')
########################################
##
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_read_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_read_scsi_generic'($*)) dnl
gen_require(`
attribute scsi_generic_read;
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
typeattribute $1 scsi_generic_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_read_scsi_generic'($*)) dnl
')
########################################
##
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_write_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_write_scsi_generic'($*)) dnl
gen_require(`
attribute scsi_generic_write;
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
typeattribute $1 scsi_generic_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_write_scsi_generic'($*)) dnl
')
########################################
##
## Allow the caller to directly read and write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_rw_inherited_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_inherited_scsi_generic'($*)) dnl
gen_require(`
attribute scsi_generic_read;
attribute scsi_generic_write;
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;
allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;
typeattribute $1 scsi_generic_write;
typeattribute $1 scsi_generic_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_inherited_scsi_generic'($*)) dnl
')
########################################
##
## Set attributes of the device nodes
## for the SCSI generic inerface.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_setattr_scsi_generic_dev_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev_dev'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev_dev'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## SCSI generic device interfaces.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_rw_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_scsi_generic'($*)) dnl
gen_require(`
type scsi_generic_device_t;
')
dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_scsi_generic'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes of removable
## devices device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_getattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_removable_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_getattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_removable_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to read
## removable devices device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_read_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_removable_device'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to write
## removable devices device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_write_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_removable_device'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes of removable
## devices device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_setattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_removable_dev'($*)) dnl
')
########################################
##
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_setattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_removable_dev'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_removable_dev'($*)) dnl
')
########################################
##
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_raw_read_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_read_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_read_removable_device'($*)) dnl
')
########################################
##
## Do not audit attempts to directly read removable devices.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_raw_read_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_read_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_read_removable_device'($*)) dnl
')
########################################
##
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_raw_write_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_write_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_write_removable_device'($*)) dnl
')
########################################
##
## Do not audit attempts to directly write removable devices.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_dontaudit_raw_write_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_write_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_write_removable_device'($*)) dnl
')
#######################################
##
## Alow read and write inherited removable devices.
##
##
##
## Domain to not audit.
##
##
#
define(`storage_rw_inherited_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_inherited_removable_device'($*)) dnl
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_inherited_removable_device'($*)) dnl
')
########################################
##
## Allow the caller to directly read
## a tape device.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_read_tape',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_read_tape'($*)) dnl
gen_require(`
type tape_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_read_tape'($*)) dnl
')
########################################
##
## Allow the caller to directly read
## a tape device.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_write_tape',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_write_tape'($*)) dnl
gen_require(`
type tape_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_write_tape'($*)) dnl
')
########################################
##
## Allow the caller to get the attributes
## of device nodes of tape devices.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_getattr_tape_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_tape_dev'($*)) dnl
gen_require(`
type tape_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_tape_dev'($*)) dnl
')
########################################
##
## Allow the caller to set the attributes
## of device nodes of tape devices.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_setattr_tape_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_tape_dev'($*)) dnl
gen_require(`
type tape_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_tape_dev'($*)) dnl
')
########################################
##
## Unconfined access to storage devices.
##
##
##
## Domain allowed access.
##
##
#
define(`storage_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_unconfined'($*)) dnl
gen_require(`
attribute storage_unconfined_type;
')
typeattribute $1 storage_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_unconfined'($*)) dnl
')
########################################
##
## Create all named devices with the correct label
##
##
##
## Domain allowed access.
##
##
#
define(`storage_filetrans_all_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_filetrans_all_named_dev'($*)) dnl
gen_require(`
type tape_device_t;
type fixed_disk_device_t;
type removable_device_t;
type scsi_generic_device_t;
type fuse_device_t;
')
dev_filetrans($1, tape_device_t, chr_file, "ht00")
dev_filetrans($1, tape_device_t, chr_file, "ht01")
dev_filetrans($1, tape_device_t, chr_file, "ht02")
dev_filetrans($1, tape_device_t, chr_file, "ht03")
dev_filetrans($1, tape_device_t, chr_file, "ht04")
dev_filetrans($1, tape_device_t, chr_file, "ht05")
dev_filetrans($1, tape_device_t, chr_file, "ht06")
dev_filetrans($1, tape_device_t, chr_file, "ht07")
dev_filetrans($1, tape_device_t, chr_file, "ht08")
dev_filetrans($1, tape_device_t, chr_file, "ht09")
dev_filetrans($1, tape_device_t, chr_file, "st00")
dev_filetrans($1, tape_device_t, chr_file, "st01")
dev_filetrans($1, tape_device_t, chr_file, "st02")
dev_filetrans($1, tape_device_t, chr_file, "st03")
dev_filetrans($1, tape_device_t, chr_file, "st04")
dev_filetrans($1, tape_device_t, chr_file, "st05")
dev_filetrans($1, tape_device_t, chr_file, "st06")
dev_filetrans($1, tape_device_t, chr_file, "st07")
dev_filetrans($1, tape_device_t, chr_file, "st08")
dev_filetrans($1, tape_device_t, chr_file, "st09")
dev_filetrans($1, tape_device_t, chr_file, "qft0")
dev_filetrans($1, tape_device_t, chr_file, "qft1")
dev_filetrans($1, tape_device_t, chr_file, "qft2")
dev_filetrans($1, tape_device_t, chr_file, "qft3")
dev_filetrans($1, tape_device_t, chr_file, "osst00")
dev_filetrans($1, tape_device_t, chr_file, "osst01")
dev_filetrans($1, tape_device_t, chr_file, "osst02")
dev_filetrans($1, tape_device_t, chr_file, "osst03")
dev_filetrans($1, tape_device_t, chr_file, "osst04")
dev_filetrans($1, tape_device_t, chr_file, "osst05")
dev_filetrans($1, tape_device_t, chr_file, "osst06")
dev_filetrans($1, tape_device_t, chr_file, "osst07")
dev_filetrans($1, tape_device_t, chr_file, "osst08")
dev_filetrans($1, tape_device_t, chr_file, "osst09")
dev_filetrans($1, tape_device_t, chr_file, "pt0")
dev_filetrans($1, tape_device_t, chr_file, "pt1")
dev_filetrans($1, tape_device_t, chr_file, "pt2")
dev_filetrans($1, tape_device_t, chr_file, "pt3")
dev_filetrans($1, tape_device_t, chr_file, "pt4")
dev_filetrans($1, tape_device_t, chr_file, "pt5")
dev_filetrans($1, tape_device_t, chr_file, "pt6")
dev_filetrans($1, tape_device_t, chr_file, "pt7")
dev_filetrans($1, tape_device_t, chr_file, "pt8")
dev_filetrans($1, tape_device_t, chr_file, "pt9")
dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
dev_filetrans($1, tape_device_t, chr_file, "tpqic9")
dev_filetrans($1, removable_device_t, blk_file, "aztcd")
dev_filetrans($1, removable_device_t, blk_file, "bpcd")
dev_filetrans($1, removable_device_t, blk_file, "cdu0")
dev_filetrans($1, removable_device_t, blk_file, "cdu1")
dev_filetrans($1, removable_device_t, blk_file, "cdu2")
dev_filetrans($1, removable_device_t, blk_file, "cdu3")
dev_filetrans($1, removable_device_t, blk_file, "cdu4")
dev_filetrans($1, removable_device_t, blk_file, "cdu5")
dev_filetrans($1, removable_device_t, blk_file, "cdu6")
dev_filetrans($1, removable_device_t, blk_file, "cdu7")
dev_filetrans($1, removable_device_t, blk_file, "cdu8")
dev_filetrans($1, removable_device_t, blk_file, "cdu9")
dev_filetrans($1, removable_device_t, blk_file, "cm200")
dev_filetrans($1, removable_device_t, blk_file, "cm201")
dev_filetrans($1, removable_device_t, blk_file, "cm202")
dev_filetrans($1, removable_device_t, blk_file, "cm203")
dev_filetrans($1, removable_device_t, blk_file, "cm204")
dev_filetrans($1, removable_device_t, blk_file, "cm205")
dev_filetrans($1, removable_device_t, blk_file, "cm206")
dev_filetrans($1, removable_device_t, blk_file, "cm207")
dev_filetrans($1, removable_device_t, blk_file, "cm208")
dev_filetrans($1, removable_device_t, blk_file, "cm209")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")
dev_filetrans($1, removable_device_t, blk_file, "gscd")
dev_filetrans($1, removable_device_t, blk_file, "hitcd")
dev_filetrans($1, tape_device_t, blk_file, "ht0")
dev_filetrans($1, tape_device_t, blk_file, "ht1")
dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
dev_filetrans($1, removable_device_t, blk_file, "mcd")
dev_filetrans($1, removable_device_t, blk_file, "mcdx")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
dev_filetrans($1, removable_device_t, blk_file, "mspblk9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd9")
dev_filetrans($1, removable_device_t, blk_file, "optcd")
dev_filetrans($1, removable_device_t, blk_file, "pf0")
dev_filetrans($1, removable_device_t, blk_file, "pf1")
dev_filetrans($1, removable_device_t, blk_file, "pf2")
dev_filetrans($1, removable_device_t, blk_file, "pf3")
dev_filetrans($1, removable_device_t, blk_file, "pg0")
dev_filetrans($1, removable_device_t, blk_file, "pg1")
dev_filetrans($1, removable_device_t, blk_file, "pg2")
dev_filetrans($1, removable_device_t, blk_file, "pg3")
dev_filetrans($1, removable_device_t, blk_file, "pcd0")
dev_filetrans($1, removable_device_t, blk_file, "pcd1")
dev_filetrans($1, removable_device_t, blk_file, "pcd2")
dev_filetrans($1, removable_device_t, blk_file, "pcd3")
dev_filetrans($1, removable_device_t, chr_file, "pg0")
dev_filetrans($1, removable_device_t, chr_file, "pg1")
dev_filetrans($1, removable_device_t, chr_file, "pg2")
dev_filetrans($1, removable_device_t, chr_file, "pg3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
dev_filetrans($1, fixed_disk_device_t, blk_file, "root")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")
dev_filetrans($1, removable_device_t, blk_file, "sr0")
dev_filetrans($1, removable_device_t, blk_file, "sr1")
dev_filetrans($1, removable_device_t, blk_file, "sr2")
dev_filetrans($1, removable_device_t, blk_file, "sr3")
dev_filetrans($1, removable_device_t, blk_file, "sr4")
dev_filetrans($1, removable_device_t, blk_file, "sr5")
dev_filetrans($1, removable_device_t, blk_file, "sr6")
dev_filetrans($1, removable_device_t, blk_file, "sr7")
dev_filetrans($1, removable_device_t, blk_file, "sr8")
dev_filetrans($1, removable_device_t, blk_file, "sr9")
dev_filetrans($1, removable_device_t, blk_file, "sjcd")
dev_filetrans($1, removable_device_t, blk_file, "sonycd")
dev_filetrans($1, tape_device_t, chr_file, "tape0")
dev_filetrans($1, tape_device_t, chr_file, "tape1")
dev_filetrans($1, tape_device_t, chr_file, "tape2")
dev_filetrans($1, tape_device_t, chr_file, "tape3")
dev_filetrans($1, tape_device_t, chr_file, "tape4")
dev_filetrans($1, tape_device_t, chr_file, "tape5")
dev_filetrans($1, tape_device_t, chr_file, "tape6")
dev_filetrans($1, tape_device_t, chr_file, "tape7")
dev_filetrans($1, tape_device_t, chr_file, "tape8")
dev_filetrans($1, tape_device_t, chr_file, "tape9")
dev_filetrans($1, fuse_device_t, chr_file, "fuse")
dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
dev_filetrans($1, removable_device_t, chr_file, "rio500")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
dev_filetrans($1, fixed_disk_device_t, blk_file, "zram0")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_filetrans_all_named_dev'($*)) dnl
')
## Policy for terminals.
##
## Depended on by other required modules.
##
########################################
##
## Transform specified type into a pty type.
##
##
##
## An object type that will applied to a pty.
##
##
#
define(`term_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_pty'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
dev_node($1)
allow $1 devpts_t:filesystem associate;
typeattribute $1 ptynode;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_pty'($*)) dnl
')
########################################
##
## Transform specified type into an user
## pty type. This allows it to be relabeled via
## type change by login programs such as ssh.
##
##
##
## The type of the user domain associated with
## this pty.
##
##
##
##
## An object type that will applied to a pty.
##
##
#
define(`term_user_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_user_pty'($*)) dnl
gen_require(`
attribute server_ptynode;
')
term_pty($2)
type_change $1 server_ptynode:chr_file $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_user_pty'($*)) dnl
')
########################################
##
## Transform specified type into a pty type
## used by login programs, such as sshd.
##
##
##
## An object type that will applied to a pty.
##
##
#
define(`term_login_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_login_pty'($*)) dnl
gen_require(`
attribute server_ptynode;
')
term_pty($1)
typeattribute $1 server_ptynode;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_login_pty'($*)) dnl
')
########################################
##
## Transform specified type into a tty type.
##
##
##
## An object type that will applied to a tty.
##
##
#
define(`term_tty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_tty'($*)) dnl
gen_require(`
attribute ttynode, serial_device;
type tty_device_t;
')
typeattribute $1 ttynode, serial_device;
dev_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_tty'($*)) dnl
')
########################################
##
## Transform specified type into a user tty type.
##
##
##
## User domain that is related to this tty.
##
##
##
##
## An object type that will applied to a tty.
##
##
#
define(`term_user_tty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_user_tty'($*)) dnl
gen_require(`
attribute ttynode;
type console_device_t;
type tty_device_t;
')
term_tty($2)
type_change $1 tty_device_t:chr_file $2;
# Debian login is from shadow utils and does not allow resetting the perms.
# have to fix this!
ifdef(`distro_debian',`
type_change $1 ttynode:chr_file $2;
')
tunable_policy(`login_console_enabled',`
# When user logs in from /dev/console, relabel it
# to user tty type as well.
type_change $1 console_device_t:chr_file $2;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_user_tty'($*)) dnl
')
########################################
##
## Create the /dev/pts directory.
##
##
##
## Domain allowed access.
##
##
#
define(`term_create_pty_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_create_pty_dir'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:dir create_dir_perms;
dev_filetrans($1, devpts_t, dir, "devpts")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_create_pty_dir'($*)) dnl
')
########################################
##
## Create a pty in the /dev/pts directory.
##
##
##
## The type of the process creating the pty.
##
##
##
##
## The type of the pty.
##
##
#
define(`term_create_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_create_pty'($*)) dnl
gen_require(`
type bsdpty_device_t, devpts_t, ptmx_t;
')
dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:filesystem getattr;
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
type_transition $1 devpts_t:chr_file $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_create_pty'($*)) dnl
')
########################################
##
## Write the console, all
## ttys and all ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_write_all_terms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_terms'($*)) dnl
gen_require(`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_terms'($*)) dnl
')
########################################
##
## Read and write the console, all
## ttys and all ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_terms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_terms'($*)) dnl
gen_require(`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_terms'($*)) dnl
')
########################################
##
## Read and write the inherited console, all inherited
## ttys and ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_inherited_terms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_inherited_terms'($*)) dnl
gen_require(`
attribute ttynode, ptynode;
type console_device_t, devpts_t, tty_device_t;
')
allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_inherited_terms'($*)) dnl
')
########################################
##
## Write to the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_write_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_console'($*)) dnl
gen_require(`
type console_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_console'($*)) dnl
')
########################################
##
## Read from the console.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_read_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_read_console'($*)) dnl
gen_require(`
type console_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_read_console'($*)) dnl
')
########################################
##
## Do not audit attempts to read from the console.
##
##
##
## Domain to not audit.
##
##
##
#
define(`term_dontaudit_read_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_read_console'($*)) dnl
gen_require(`
type console_device_t;
')
dontaudit $1 console_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_read_console'($*)) dnl
')
########################################
##
## Read from and write to the console.
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_console'($*)) dnl
gen_require(`
type console_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_console'($*)) dnl
')
########################################
##
## Do not audit attemtps to read from
## or write to the console.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_console'($*)) dnl
gen_require(`
type console_device_t;
type tty_device_t;
')
init_dontaudit_use_fds($1)
dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_console'($*)) dnl
')
########################################
##
## Set the attributes of the console
## device node.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_console'($*)) dnl
gen_require(`
type console_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_console'($*)) dnl
')
########################################
##
## Relabel from and to the console type.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_console'($*)) dnl
gen_require(`
type console_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_console'($*)) dnl
')
########################################
##
## Create the console device (/dev/console).
##
##
##
## Domain allowed access.
##
##
#
define(`term_create_console_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_create_console_dev'($*)) dnl
gen_require(`
type console_device_t;
')
dev_add_entry_generic_dirs($1)
allow $1 console_device_t:chr_file create;
allow $1 self:capability mknod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_create_console_dev'($*)) dnl
')
########################################
##
## Watch the console device (/dev/console).
##
##
##
## Domain allowed access.
##
##
#
define(`term_watch_console_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_console_dev'($*)) dnl
gen_require(`
type console_device_t;
')
allow $1 console_device_t:chr_file watch_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_console_dev'($*)) dnl
')
########################################
##
## Watch_reads the console device (/dev/console).
##
##
##
## Domain allowed access.
##
##
#
define(`term_watch_reads_console_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_reads_console_dev'($*)) dnl
gen_require(`
type console_device_t;
')
allow $1 console_device_t:chr_file watch_reads_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_reads_console_dev'($*)) dnl
')
########################################
##
## Get the attributes of a pty filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`term_getattr_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_pty_fs'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_pty_fs'($*)) dnl
')
########################################
##
## Mount a pty filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`term_mount_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_mount_pty_fs'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_mount_pty_fs'($*)) dnl
')
########################################
##
## Unmount a pty filesystem
##
##
##
## Domain allowed access.
##
##
#
define(`term_unmount_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_unmount_pty_fs'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_unmount_pty_fs'($*)) dnl
')
########################################
##
## Relabel from and to pty filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_pty_fs'($*)) dnl
gen_require(`
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:filesystem { relabelto relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_pty_fs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_pty_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_pty_dirs'($*)) dnl
gen_require(`
type devpts_t;
')
dontaudit $1 devpts_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_pty_dirs'($*)) dnl
')
########################################
##
## Search the contents of the /dev/pts directory.
##
##
##
## Domain allowed access.
##
##
#
define(`term_search_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_search_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_search_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to search the
## contents of the /dev/pts directory.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_search_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_search_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_search_ptys'($*)) dnl
')
########################################
##
## Read the /dev/pts directory to
## list all ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_list_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_list_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_list_ptys'($*)) dnl
')
########################################
##
## Relabel the /dev/pts directory
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_ptys_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_ptys_dirs'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_ptys_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to read the
## /dev/pts directory.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_list_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_list_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dontaudit $1 devpts_t:dir { getattr search read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_list_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read,
## write, or delete the /dev/pts directory.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_manage_pty_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_manage_pty_dirs'($*)) dnl
gen_require(`
type devpts_t;
')
dontaudit $1 devpts_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_manage_pty_dirs'($*)) dnl
')
########################################
##
## Get the attributes of generic pty devices.
##
##
##
## Domain to allow
##
##
#
define(`term_getattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_generic_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of generic pty devices.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dontaudit $1 devpts_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_generic_ptys'($*)) dnl
')
########################################
##
## ioctl of generic pty devices.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for ppp
define(`term_ioctl_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_ioctl_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 devpts_t:chr_file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_ioctl_generic_ptys'($*)) dnl
')
########################################
##
## Allow setting the attributes of
## generic pty devices.
##
##
##
## Domain allowed access.
##
##
#
# dwalsh: added for rhgb
define(`term_setattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
allow $1 devpts_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_generic_ptys'($*)) dnl
')
########################################
##
## Dontaudit setting the attributes of
## generic pty devices.
##
##
##
## Domain to not audit.
##
##
#
# dwalsh: added for rhgb
define(`term_dontaudit_setattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dontaudit $1 devpts_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_generic_ptys'($*)) dnl
')
########################################
##
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_generic_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the generic pty type. This is
## generally only used in the targeted policy.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_generic_ptys'($*)) dnl
gen_require(`
type devpts_t;
')
init_dontaudit_use_fds($1)
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_generic_ptys'($*)) dnl
')
#######################################
##
## Set the attributes of the tty device
##
##
##
## Domain allowed access.
##
##
#
define(`term_setattr_controlling_term',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_controlling_term'($*)) dnl
gen_require(`
type devtty_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_controlling_term'($*)) dnl
')
########################################
##
## Read and write the controlling
## terminal (/dev/tty).
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_controlling_term',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_controlling_term'($*)) dnl
gen_require(`
type devtty_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_controlling_term'($*)) dnl
')
#######################################
##
## Get the attributes of the pty multiplexor (/dev/ptmx).
##
##
##
## Domain to not audit.
##
##
#
define(`term_getattr_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_ptmx'($*)) dnl
gen_require(`
type ptmx_t;
')
allow $1 ptmx_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_ptmx'($*)) dnl
')
########################################
##
## Do not audit attempts to get attributes
## on the pty multiplexor (/dev/ptmx).
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_ptmx'($*)) dnl
gen_require(`
type ptmx_t;
')
dontaudit $1 ptmx_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_ptmx'($*)) dnl
')
########################################
##
## Read and write the pty multiplexor (/dev/ptmx).
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_ptmx'($*)) dnl
gen_require(`
type ptmx_t;
')
dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_ptmx'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the pty multiplexor (/dev/ptmx).
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_ptmx'($*)) dnl
gen_require(`
type ptmx_t;
')
dontaudit $1 ptmx_t:chr_file { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_ptmx'($*)) dnl
')
########################################
##
## Get the attributes of all
## pty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of any pty
## device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
')
dontaudit $1 ptynode:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_ptys'($*)) dnl
')
########################################
##
## Set the attributes of all
## pty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_ptys'($*)) dnl
')
########################################
##
## Relabel to all ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabelto_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabelto_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
')
allow $1 ptynode:chr_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabelto_all_ptys'($*)) dnl
')
########################################
##
## Write to all ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
')
dev_list_all_dev_nodes($1)
allow $1 ptynode:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_ptys'($*)) dnl
')
########################################
##
## Read and write all ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_ptys'($*)) dnl
')
########################################
##
## Read and write all inherited ptys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_inherited_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_inherited_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_inherited_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write any ptys.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
')
dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_ptys'($*)) dnl
')
########################################
##
## Relabel from and to all pty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_ptys'($*)) dnl
gen_require(`
attribute ptynode;
type devpts_t;
')
dev_list_all_dev_nodes($1)
relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_ptys'($*)) dnl
')
########################################
##
## Get the attributes of all user
## pty device nodes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.')
term_getattr_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_user_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of any user pty
## device nodes. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.')
term_dontaudit_getattr_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_user_ptys'($*)) dnl
')
########################################
##
## Set the attributes of all user
## pty device nodes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.')
term_setattr_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_user_ptys'($*)) dnl
')
########################################
##
## Relabel to all user ptys. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabelto_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabelto_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.')
term_relabelto_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabelto_all_user_ptys'($*)) dnl
')
########################################
##
## Write to all user ptys. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.')
term_write_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_user_ptys'($*)) dnl
')
########################################
##
## Read and write all user ptys. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.')
term_use_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_user_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read any
## user ptys. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.')
term_dontaudit_use_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_user_ptys'($*)) dnl
')
########################################
##
## Relabel from and to all user
## user pty device nodes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_user_ptys'($*)) dnl
refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.')
term_relabel_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_user_ptys'($*)) dnl
')
########################################
##
## Get the attributes of all unallocated
## tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Allow open access for all unallocated
## tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_open_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_open_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file open;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_open_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of all unallocated tty device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dontaudit $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Set the attributes of all unallocated
## tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## of unallocated tty device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_setattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dontaudit $1 tty_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to ioctl
## unallocated tty device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_ioctl_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dontaudit $1 tty_device_t:chr_file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl
')
########################################
##
## Watch unallocated tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_watch_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
allow $1 tty_device_t:chr_file watch_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_unallocated_ttys'($*)) dnl
')
########################################
##
## Watch_reads unallocated tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_watch_reads_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_reads_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
allow $1 tty_device_t:chr_file watch_reads_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_reads_unallocated_ttys'($*)) dnl
')
########################################
##
## Relabel from and to the unallocated
## tty type.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_unallocated_ttys'($*)) dnl
')
########################################
##
## Mounton unallocated tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_mounton_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_mounton_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
allow $1 tty_device_t:chr_file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_mounton_unallocated_ttys'($*)) dnl
')
########################################
##
## Relabel from all user tty types to
## the unallocated tty type.
##
##
##
## Domain allowed access.
##
##
#
define(`term_reset_tty_labels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_reset_tty_labels'($*)) dnl
gen_require(`
attribute ttynode;
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabelfrom;
allow $1 tty_device_t:chr_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_reset_tty_labels'($*)) dnl
')
########################################
##
## Append to unallocated ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_append_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_append_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file append_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_append_unallocated_ttys'($*)) dnl
')
########################################
##
## Write to unallocated ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_unallocated_ttys'($*)) dnl
')
########################################
##
## Read and write unallocated ttys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_unallocated_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to read or
## write unallocated ttys.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_unallocated_ttys'($*)) dnl
gen_require(`
type tty_device_t;
')
init_dontaudit_use_fds($1)
dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_unallocated_ttys'($*)) dnl
')
########################################
##
## Read and write USB tty character
## device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_usb_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_usb_ttys'($*)) dnl
gen_require(`
type usbtty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_usb_ttys'($*)) dnl
')
#######################################
##
## Setattr on USB tty character
## device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_setattr_usb_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_usb_ttys'($*)) dnl
gen_require(`
type usbtty_device_t;
')
allow $1 usbtty_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_usb_ttys'($*)) dnl
')
########################################
##
## Get the attributes of all tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_ttys'($*)) dnl
gen_require(`
type tty_device_t;
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
allow $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of any tty device nodes.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_ttys'($*)) dnl
gen_require(`
attribute ttynode;
type tty_device_t;
')
dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
dontaudit $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_ttys'($*)) dnl
')
########################################
##
## Set the attributes of all tty device nodes.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_ttys'($*)) dnl
')
########################################
##
## Relabel from and to all tty device nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_ttys'($*)) dnl
')
########################################
##
## Write to all ttys.
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_ttys'($*)) dnl
')
########################################
##
## Read and write all ttys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_ttys'($*)) dnl
')
########################################
##
## Read and write all inherited ttys.
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_inherited_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_inherited_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_inherited_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## any ttys.
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_ttys'($*)) dnl
gen_require(`
attribute ttynode;
')
dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_ttys'($*)) dnl
')
########################################
##
## Get the attributes of all user tty
## device nodes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_getattr_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.')
term_getattr_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_user_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of any user tty
## device nodes. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_getattr_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.')
term_dontaudit_getattr_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_user_ttys'($*)) dnl
')
########################################
##
## Set the attributes of all user tty
## device nodes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_setattr_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.')
term_setattr_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_user_ttys'($*)) dnl
')
########################################
##
## Relabel from and to all user
## user tty device nodes. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`term_relabel_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.')
term_relabel_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_user_ttys'($*)) dnl
')
########################################
##
## Write to all user ttys. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`term_write_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.')
term_write_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_user_ttys'($*)) dnl
')
########################################
##
## Read and write all user to all user ttys. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`term_use_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.')
term_use_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_user_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## any user ttys. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`term_dontaudit_use_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_user_ttys'($*)) dnl
')
####################################
##
## Getattr on the virtio console.
##
##
##
## Domain allowed access.
##
##
#
define(`term_getattr_virtio_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_virtio_console'($*)) dnl
gen_require(`
type virtio_device_t;
')
allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_virtio_console'($*)) dnl
')
#####################################
##
## Read from and write to the virtio console.
##
##
##
## Domain allowed access.
##
##
#
define(`term_use_virtio_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_virtio_console'($*)) dnl
gen_require(`
type virtio_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_virtio_console'($*)) dnl
')
########################################
##
## Create all named term devices with the correct label
##
##
##
## Domain allowed access.
##
##
#
define(`term_filetrans_all_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_filetrans_all_named_dev'($*)) dnl
gen_require(`
type tty_device_t;
type bsdpty_device_t;
type console_device_t;
type ptmx_t;
type devtty_t;
type virtio_device_t;
type devpts_t;
type usbtty_device_t;
')
dev_filetrans($1, devtty_t, chr_file, "tty")
dev_filetrans($1, tty_device_t, chr_file, "tty0")
dev_filetrans($1, tty_device_t, chr_file, "tty1")
dev_filetrans($1, tty_device_t, chr_file, "tty2")
dev_filetrans($1, tty_device_t, chr_file, "tty3")
dev_filetrans($1, tty_device_t, chr_file, "tty4")
dev_filetrans($1, tty_device_t, chr_file, "tty5")
dev_filetrans($1, tty_device_t, chr_file, "tty6")
dev_filetrans($1, tty_device_t, chr_file, "tty7")
dev_filetrans($1, tty_device_t, chr_file, "tty8")
dev_filetrans($1, tty_device_t, chr_file, "tty9")
dev_filetrans($1, tty_device_t, chr_file, "tty10")
dev_filetrans($1, tty_device_t, chr_file, "tty11")
dev_filetrans($1, tty_device_t, chr_file, "tty12")
dev_filetrans($1, tty_device_t, chr_file, "tty13")
dev_filetrans($1, tty_device_t, chr_file, "tty14")
dev_filetrans($1, tty_device_t, chr_file, "tty15")
dev_filetrans($1, tty_device_t, chr_file, "tty16")
dev_filetrans($1, tty_device_t, chr_file, "tty17")
dev_filetrans($1, tty_device_t, chr_file, "tty18")
dev_filetrans($1, tty_device_t, chr_file, "tty19")
dev_filetrans($1, tty_device_t, chr_file, "tty20")
dev_filetrans($1, tty_device_t, chr_file, "tty21")
dev_filetrans($1, tty_device_t, chr_file, "tty22")
dev_filetrans($1, tty_device_t, chr_file, "tty23")
dev_filetrans($1, tty_device_t, chr_file, "tty24")
dev_filetrans($1, tty_device_t, chr_file, "tty25")
dev_filetrans($1, tty_device_t, chr_file, "tty26")
dev_filetrans($1, tty_device_t, chr_file, "tty27")
dev_filetrans($1, tty_device_t, chr_file, "tty28")
dev_filetrans($1, tty_device_t, chr_file, "tty29")
dev_filetrans($1, tty_device_t, chr_file, "tty30")
dev_filetrans($1, tty_device_t, chr_file, "tty31")
dev_filetrans($1, tty_device_t, chr_file, "tty32")
dev_filetrans($1, tty_device_t, chr_file, "tty33")
dev_filetrans($1, tty_device_t, chr_file, "tty34")
dev_filetrans($1, tty_device_t, chr_file, "tty35")
dev_filetrans($1, tty_device_t, chr_file, "tty36")
dev_filetrans($1, tty_device_t, chr_file, "tty37")
dev_filetrans($1, tty_device_t, chr_file, "tty38")
dev_filetrans($1, tty_device_t, chr_file, "tty39")
dev_filetrans($1, tty_device_t, chr_file, "tty40")
dev_filetrans($1, tty_device_t, chr_file, "tty41")
dev_filetrans($1, tty_device_t, chr_file, "tty42")
dev_filetrans($1, tty_device_t, chr_file, "tty43")
dev_filetrans($1, tty_device_t, chr_file, "tty44")
dev_filetrans($1, tty_device_t, chr_file, "tty45")
dev_filetrans($1, tty_device_t, chr_file, "tty46")
dev_filetrans($1, tty_device_t, chr_file, "tty47")
dev_filetrans($1, tty_device_t, chr_file, "tty48")
dev_filetrans($1, tty_device_t, chr_file, "tty49")
dev_filetrans($1, tty_device_t, chr_file, "tty50")
dev_filetrans($1, tty_device_t, chr_file, "tty51")
dev_filetrans($1, tty_device_t, chr_file, "tty52")
dev_filetrans($1, tty_device_t, chr_file, "tty53")
dev_filetrans($1, tty_device_t, chr_file, "tty54")
dev_filetrans($1, tty_device_t, chr_file, "tty55")
dev_filetrans($1, tty_device_t, chr_file, "tty56")
dev_filetrans($1, tty_device_t, chr_file, "tty57")
dev_filetrans($1, tty_device_t, chr_file, "tty58")
dev_filetrans($1, tty_device_t, chr_file, "tty59")
dev_filetrans($1, tty_device_t, chr_file, "tty60")
dev_filetrans($1, tty_device_t, chr_file, "tty61")
dev_filetrans($1, tty_device_t, chr_file, "tty62")
dev_filetrans($1, tty_device_t, chr_file, "tty63")
dev_filetrans($1, tty_device_t, chr_file, "tty64")
dev_filetrans($1, tty_device_t, chr_file, "tty65")
dev_filetrans($1, tty_device_t, chr_file, "tty66")
dev_filetrans($1, tty_device_t, chr_file, "tty67")
dev_filetrans($1, tty_device_t, chr_file, "tty68")
dev_filetrans($1, tty_device_t, chr_file, "tty69")
dev_filetrans($1, tty_device_t, chr_file, "tty70")
dev_filetrans($1, tty_device_t, chr_file, "tty71")
dev_filetrans($1, tty_device_t, chr_file, "tty72")
dev_filetrans($1, tty_device_t, chr_file, "tty73")
dev_filetrans($1, tty_device_t, chr_file, "tty74")
dev_filetrans($1, tty_device_t, chr_file, "tty75")
dev_filetrans($1, tty_device_t, chr_file, "tty76")
dev_filetrans($1, tty_device_t, chr_file, "tty77")
dev_filetrans($1, tty_device_t, chr_file, "tty78")
dev_filetrans($1, tty_device_t, chr_file, "tty79")
dev_filetrans($1, tty_device_t, chr_file, "tty80")
dev_filetrans($1, tty_device_t, chr_file, "tty81")
dev_filetrans($1, tty_device_t, chr_file, "tty82")
dev_filetrans($1, tty_device_t, chr_file, "tty83")
dev_filetrans($1, tty_device_t, chr_file, "tty84")
dev_filetrans($1, tty_device_t, chr_file, "tty85")
dev_filetrans($1, tty_device_t, chr_file, "tty86")
dev_filetrans($1, tty_device_t, chr_file, "tty87")
dev_filetrans($1, tty_device_t, chr_file, "tty88")
dev_filetrans($1, tty_device_t, chr_file, "tty89")
dev_filetrans($1, tty_device_t, chr_file, "tty90")
dev_filetrans($1, tty_device_t, chr_file, "tty91")
dev_filetrans($1, tty_device_t, chr_file, "tty92")
dev_filetrans($1, tty_device_t, chr_file, "tty93")
dev_filetrans($1, tty_device_t, chr_file, "tty94")
dev_filetrans($1, tty_device_t, chr_file, "tty95")
dev_filetrans($1, tty_device_t, chr_file, "tty96")
dev_filetrans($1, tty_device_t, chr_file, "tty97")
dev_filetrans($1, tty_device_t, chr_file, "tty98")
dev_filetrans($1, tty_device_t, chr_file, "tty99")
dev_filetrans($1, tty_device_t, chr_file, "pty")
dev_filetrans($1, tty_device_t, chr_file, "pty0")
dev_filetrans($1, tty_device_t, chr_file, "pty1")
dev_filetrans($1, tty_device_t, chr_file, "pty2")
dev_filetrans($1, tty_device_t, chr_file, "pty3")
dev_filetrans($1, tty_device_t, chr_file, "pty4")
dev_filetrans($1, tty_device_t, chr_file, "pty5")
dev_filetrans($1, tty_device_t, chr_file, "pty6")
dev_filetrans($1, tty_device_t, chr_file, "pty7")
dev_filetrans($1, tty_device_t, chr_file, "pty8")
dev_filetrans($1, tty_device_t, chr_file, "pty9")
dev_filetrans($1, tty_device_t, chr_file, "pty10")
dev_filetrans($1, tty_device_t, chr_file, "pty11")
dev_filetrans($1, tty_device_t, chr_file, "pty12")
dev_filetrans($1, tty_device_t, chr_file, "pty13")
dev_filetrans($1, tty_device_t, chr_file, "pty14")
dev_filetrans($1, tty_device_t, chr_file, "pty15")
dev_filetrans($1, tty_device_t, chr_file, "pty16")
dev_filetrans($1, tty_device_t, chr_file, "pty17")
dev_filetrans($1, tty_device_t, chr_file, "pty18")
dev_filetrans($1, tty_device_t, chr_file, "pty19")
dev_filetrans($1, tty_device_t, chr_file, "pty20")
dev_filetrans($1, tty_device_t, chr_file, "pty21")
dev_filetrans($1, tty_device_t, chr_file, "pty22")
dev_filetrans($1, tty_device_t, chr_file, "pty23")
dev_filetrans($1, tty_device_t, chr_file, "pty24")
dev_filetrans($1, tty_device_t, chr_file, "pty25")
dev_filetrans($1, tty_device_t, chr_file, "pty26")
dev_filetrans($1, tty_device_t, chr_file, "pty27")
dev_filetrans($1, tty_device_t, chr_file, "pty28")
dev_filetrans($1, tty_device_t, chr_file, "pty29")
dev_filetrans($1, tty_device_t, chr_file, "pty30")
dev_filetrans($1, tty_device_t, chr_file, "pty31")
dev_filetrans($1, tty_device_t, chr_file, "pty32")
dev_filetrans($1, tty_device_t, chr_file, "pty33")
dev_filetrans($1, tty_device_t, chr_file, "pty34")
dev_filetrans($1, tty_device_t, chr_file, "pty35")
dev_filetrans($1, tty_device_t, chr_file, "pty36")
dev_filetrans($1, tty_device_t, chr_file, "pty37")
dev_filetrans($1, tty_device_t, chr_file, "pty38")
dev_filetrans($1, tty_device_t, chr_file, "pty39")
dev_filetrans($1, tty_device_t, chr_file, "pty40")
dev_filetrans($1, tty_device_t, chr_file, "pty41")
dev_filetrans($1, tty_device_t, chr_file, "pty42")
dev_filetrans($1, tty_device_t, chr_file, "pty43")
dev_filetrans($1, tty_device_t, chr_file, "pty44")
dev_filetrans($1, tty_device_t, chr_file, "pty45")
dev_filetrans($1, tty_device_t, chr_file, "pty46")
dev_filetrans($1, tty_device_t, chr_file, "pty47")
dev_filetrans($1, tty_device_t, chr_file, "pty48")
dev_filetrans($1, tty_device_t, chr_file, "pty49")
dev_filetrans($1, tty_device_t, chr_file, "pty50")
dev_filetrans($1, tty_device_t, chr_file, "pty51")
dev_filetrans($1, tty_device_t, chr_file, "pty52")
dev_filetrans($1, tty_device_t, chr_file, "pty53")
dev_filetrans($1, tty_device_t, chr_file, "pty54")
dev_filetrans($1, tty_device_t, chr_file, "pty55")
dev_filetrans($1, tty_device_t, chr_file, "pty56")
dev_filetrans($1, tty_device_t, chr_file, "pty57")
dev_filetrans($1, tty_device_t, chr_file, "pty58")
dev_filetrans($1, tty_device_t, chr_file, "pty59")
dev_filetrans($1, tty_device_t, chr_file, "pty60")
dev_filetrans($1, tty_device_t, chr_file, "pty61")
dev_filetrans($1, tty_device_t, chr_file, "pty62")
dev_filetrans($1, tty_device_t, chr_file, "pty63")
dev_filetrans($1, tty_device_t, chr_file, "pty64")
dev_filetrans($1, tty_device_t, chr_file, "pty65")
dev_filetrans($1, tty_device_t, chr_file, "pty66")
dev_filetrans($1, tty_device_t, chr_file, "pty67")
dev_filetrans($1, tty_device_t, chr_file, "pty68")
dev_filetrans($1, tty_device_t, chr_file, "pty69")
dev_filetrans($1, tty_device_t, chr_file, "pty70")
dev_filetrans($1, tty_device_t, chr_file, "pty71")
dev_filetrans($1, tty_device_t, chr_file, "pty72")
dev_filetrans($1, tty_device_t, chr_file, "pty73")
dev_filetrans($1, tty_device_t, chr_file, "pty74")
dev_filetrans($1, tty_device_t, chr_file, "pty75")
dev_filetrans($1, tty_device_t, chr_file, "pty76")
dev_filetrans($1, tty_device_t, chr_file, "pty77")
dev_filetrans($1, tty_device_t, chr_file, "pty78")
dev_filetrans($1, tty_device_t, chr_file, "pty79")
dev_filetrans($1, tty_device_t, chr_file, "pty80")
dev_filetrans($1, tty_device_t, chr_file, "pty81")
dev_filetrans($1, tty_device_t, chr_file, "pty82")
dev_filetrans($1, tty_device_t, chr_file, "pty83")
dev_filetrans($1, tty_device_t, chr_file, "pty84")
dev_filetrans($1, tty_device_t, chr_file, "pty85")
dev_filetrans($1, tty_device_t, chr_file, "pty86")
dev_filetrans($1, tty_device_t, chr_file, "pty87")
dev_filetrans($1, tty_device_t, chr_file, "pty88")
dev_filetrans($1, tty_device_t, chr_file, "pty89")
dev_filetrans($1, tty_device_t, chr_file, "pty90")
dev_filetrans($1, tty_device_t, chr_file, "pty91")
dev_filetrans($1, tty_device_t, chr_file, "pty92")
dev_filetrans($1, tty_device_t, chr_file, "pty93")
dev_filetrans($1, tty_device_t, chr_file, "pty94")
dev_filetrans($1, tty_device_t, chr_file, "pty95")
dev_filetrans($1, tty_device_t, chr_file, "pty96")
dev_filetrans($1, tty_device_t, chr_file, "pty97")
dev_filetrans($1, tty_device_t, chr_file, "pty98")
dev_filetrans($1, tty_device_t, chr_file, "pty99")
dev_filetrans($1, tty_device_t, chr_file, "adb0")
dev_filetrans($1, tty_device_t, chr_file, "adb1")
dev_filetrans($1, tty_device_t, chr_file, "adb2")
dev_filetrans($1, tty_device_t, chr_file, "adb3")
dev_filetrans($1, tty_device_t, chr_file, "adb4")
dev_filetrans($1, tty_device_t, chr_file, "adb5")
dev_filetrans($1, tty_device_t, chr_file, "adb6")
dev_filetrans($1, tty_device_t, chr_file, "adb7")
dev_filetrans($1, tty_device_t, chr_file, "adb8")
dev_filetrans($1, tty_device_t, chr_file, "adb9")
dev_filetrans($1, tty_device_t, chr_file, "capi0")
dev_filetrans($1, tty_device_t, chr_file, "capi1")
dev_filetrans($1, tty_device_t, chr_file, "capi2")
dev_filetrans($1, tty_device_t, chr_file, "capi3")
dev_filetrans($1, tty_device_t, chr_file, "capi4")
dev_filetrans($1, tty_device_t, chr_file, "capi5")
dev_filetrans($1, tty_device_t, chr_file, "capi6")
dev_filetrans($1, tty_device_t, chr_file, "capi7")
dev_filetrans($1, tty_device_t, chr_file, "capi8")
dev_filetrans($1, tty_device_t, chr_file, "capi9")
dev_filetrans($1, console_device_t, chr_file, "console")
dev_filetrans($1, tty_device_t, chr_file, "cu0")
dev_filetrans($1, tty_device_t, chr_file, "cu1")
dev_filetrans($1, tty_device_t, chr_file, "cu2")
dev_filetrans($1, tty_device_t, chr_file, "cu3")
dev_filetrans($1, tty_device_t, chr_file, "cu4")
dev_filetrans($1, tty_device_t, chr_file, "cu5")
dev_filetrans($1, tty_device_t, chr_file, "cu6")
dev_filetrans($1, tty_device_t, chr_file, "cu7")
dev_filetrans($1, tty_device_t, chr_file, "cu8")
dev_filetrans($1, tty_device_t, chr_file, "cu9")
dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
dev_filetrans($1, tty_device_t, chr_file, "vcsa")
dev_filetrans($1, tty_device_t, chr_file, "vcsb")
dev_filetrans($1, tty_device_t, chr_file, "vcsc")
dev_filetrans($1, tty_device_t, chr_file, "vcsd")
dev_filetrans($1, tty_device_t, chr_file, "vcse")
dev_filetrans($1, tty_device_t, chr_file, "hvc0")
dev_filetrans($1, tty_device_t, chr_file, "hvc1")
dev_filetrans($1, tty_device_t, chr_file, "hvc2")
dev_filetrans($1, tty_device_t, chr_file, "hvc3")
dev_filetrans($1, tty_device_t, chr_file, "hvc4")
dev_filetrans($1, tty_device_t, chr_file, "hvc5")
dev_filetrans($1, tty_device_t, chr_file, "hvc6")
dev_filetrans($1, tty_device_t, chr_file, "hvc7")
dev_filetrans($1, tty_device_t, chr_file, "hvc8")
dev_filetrans($1, tty_device_t, chr_file, "hvc9")
dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
dev_filetrans($1, tty_device_t, chr_file, "isdn0")
dev_filetrans($1, tty_device_t, chr_file, "isdn1")
dev_filetrans($1, tty_device_t, chr_file, "isdn2")
dev_filetrans($1, tty_device_t, chr_file, "isdn3")
dev_filetrans($1, tty_device_t, chr_file, "isdn4")
dev_filetrans($1, tty_device_t, chr_file, "isdn5")
dev_filetrans($1, tty_device_t, chr_file, "isdn6")
dev_filetrans($1, tty_device_t, chr_file, "isdn7")
dev_filetrans($1, tty_device_t, chr_file, "isdn8")
dev_filetrans($1, tty_device_t, chr_file, "isdn9")
filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
dev_filetrans($1, ptmx_t, chr_file, "ptmx")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
dev_filetrans($1, tty_device_t, chr_file, "slamr0")
dev_filetrans($1, tty_device_t, chr_file, "slamr1")
dev_filetrans($1, tty_device_t, chr_file, "slamr2")
dev_filetrans($1, tty_device_t, chr_file, "slamr3")
dev_filetrans($1, tty_device_t, chr_file, "slamr4")
dev_filetrans($1, tty_device_t, chr_file, "slamr5")
dev_filetrans($1, tty_device_t, chr_file, "slamr6")
dev_filetrans($1, tty_device_t, chr_file, "slamr7")
dev_filetrans($1, tty_device_t, chr_file, "slamr8")
dev_filetrans($1, tty_device_t, chr_file, "slamr9")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
dev_filetrans($1, devpts_t, dir, "pts")
dev_filetrans($1, tty_device_t, chr_file, "xvc0")
dev_filetrans($1, tty_device_t, chr_file, "xvc1")
dev_filetrans($1, tty_device_t, chr_file, "xvc2")
dev_filetrans($1, tty_device_t, chr_file, "xvc3")
dev_filetrans($1, tty_device_t, chr_file, "xvc4")
dev_filetrans($1, tty_device_t, chr_file, "xvc5")
dev_filetrans($1, tty_device_t, chr_file, "xvc6")
dev_filetrans($1, tty_device_t, chr_file, "xvc7")
dev_filetrans($1, tty_device_t, chr_file, "xvc8")
dev_filetrans($1, tty_device_t, chr_file, "xvc9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_filetrans_all_named_dev'($*)) dnl
')
## User-based access control policy
##
## Contains attributes used in UBAC policy.
##
########################################
##
## Constrain by user-based access control (UBAC).
##
##
##
## Constrain the specified type by user-based
## access control (UBAC). Typically, these are
## user processes or user files that need to be
## differentiated by SELinux user. Normally this
## does not include administrative or privileged
## programs. For the UBAC rules to be enforced,
## both the subject (source) type and the object
## (target) types must be UBAC constrained.
##
##
##
##
## Type to be constrained by UBAC.
##
##
##
#
define(`ubac_constrained',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_constrained'($*)) dnl
gen_require(`
attribute ubac_constrained_type;
')
typeattribute $1 ubac_constrained_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_constrained'($*)) dnl
')
########################################
##
## Exempt user-based access control for files.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_file_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_file_exempt'($*)) dnl
gen_require(`
attribute ubacfile;
')
typeattribute $1 ubacfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_file_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for processes.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_process_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_process_exempt'($*)) dnl
gen_require(`
attribute ubacproc;
')
typeattribute $1 ubacproc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_process_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for file descriptors.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_fd_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_fd_exempt'($*)) dnl
gen_require(`
attribute ubacfd;
')
typeattribute $1 ubacfd;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_fd_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for sockets.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_socket_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_socket_exempt'($*)) dnl
gen_require(`
attribute ubacsock;
')
typeattribute $1 ubacsock;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_socket_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for SysV IPC.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_sysvipc_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_sysvipc_exempt'($*)) dnl
gen_require(`
attribute ubacipc;
')
typeattribute $1 ubacipc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_sysvipc_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for X Windows.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_xwin_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_xwin_exempt'($*)) dnl
gen_require(`
attribute ubacxwin;
')
typeattribute $1 ubacxwin;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_xwin_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for dbus.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_dbus_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_dbus_exempt'($*)) dnl
gen_require(`
attribute ubacdbus;
')
typeattribute $1 ubacdbus;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_dbus_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for keys.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_key_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_key_exempt'($*)) dnl
gen_require(`
attribute ubackey;
')
typeattribute $1 ubackey;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_key_exempt'($*)) dnl
')
########################################
##
## Exempt user-based access control for databases.
##
##
##
## Domain to be exempted.
##
##
#
define(`ubac_db_exempt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ubac_db_exempt'($*)) dnl
gen_require(`
attribute ubacdb;
')
typeattribute $1 ubacdb;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ubac_db_exempt'($*)) dnl
')
## Policy for allowing confined domains to use unlabeled_t packets
## Audit administrator role
########################################
##
## Change to the audit administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`auditadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auditadm_role_change'($*)) dnl
gen_require(`
role auditadm_r;
')
allow $1 auditadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auditadm_role_change'($*)) dnl
')
########################################
##
## Change from the audit administrator role.
##
##
##
## Change from the audit administrator role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`auditadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auditadm_role_change_to'($*)) dnl
gen_require(`
role auditadm_r;
')
allow auditadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auditadm_role_change_to'($*)) dnl
')
## Log administrator role
########################################
##
## Change to the log administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`logadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logadm_role_change'($*)) dnl
gen_require(`
role logadm_r;
')
allow $1 logadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logadm_role_change'($*)) dnl
')
########################################
##
## Change from the log administrator role.
##
##
##
## Change from the log administrator role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`logadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logadm_role_change_to'($*)) dnl
gen_require(`
role logadm_r;
')
allow logadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logadm_role_change_to'($*)) dnl
')
## Security administrator role
########################################
##
## Change to the security administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`secadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `secadm_role_change'($*)) dnl
gen_require(`
role secadm_r;
')
allow $1 secadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `secadm_role_change'($*)) dnl
')
########################################
##
## Change from the security administrator role.
##
##
##
## Change from the security administrator role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`secadm_role_change_to_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `secadm_role_change_to_template'($*)) dnl
gen_require(`
role secadm_r;
')
allow secadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `secadm_role_change_to_template'($*)) dnl
')
## Administrator's unprivileged user
#####################################
##
## staff stub userdomain interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`staff_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `staff_stub'($*)) dnl
gen_require(`
type staff_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `staff_stub'($*)) dnl
')
########################################
##
## Change to the staff role.
##
##
##
## Role allowed access.
##
##
##
#
define(`staff_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `staff_role_change'($*)) dnl
gen_require(`
role staff_r;
')
allow $1 staff_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `staff_role_change'($*)) dnl
')
########################################
##
## Change from the staff role.
##
##
##
## Change from the staff role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`staff_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `staff_role_change_to'($*)) dnl
gen_require(`
role staff_r;
')
allow staff_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `staff_role_change_to'($*)) dnl
')
## General system administration role
########################################
##
## Change to the system administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`sysadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_role_change'($*)) dnl
gen_require(`
role sysadm_r;
')
allow $1 sysadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_role_change'($*)) dnl
')
########################################
##
## Change from the system administrator role.
##
##
##
## Change from the system administrator role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sysadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_role_change_to'($*)) dnl
gen_require(`
role sysadm_r;
')
allow sysadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_role_change_to'($*)) dnl
')
########################################
##
## Execute a shell in the sysadm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_shell_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_shell_domtrans'($*)) dnl
gen_require(`
type sysadm_t;
')
corecmd_shell_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_shell_domtrans'($*)) dnl
')
#######################################
##
## sysadm stub interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`sysadm_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_stub'($*)) dnl
gen_require(`
type sysadm_t;
role sysadm_r;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_stub'($*)) dnl
')
########################################
##
## Execute a generic bin program in the sysadm domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_bin_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_bin_spec_domtrans'($*)) dnl
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_bin_spec_domtrans'($*)) dnl
')
########################################
##
## Execute all entrypoint files in the sysadm domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_entry_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_entry_spec_domtrans'($*)) dnl
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans($1, sysadm_t)
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_entry_spec_domtrans'($*)) dnl
')
########################################
##
## Allow sysadm to execute all entrypoint files in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
##
##
##
## Allow sysadm to execute all entrypoint files in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
##
##
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_entry_spec_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_entry_spec_domtrans_to'($*)) dnl
gen_require(`
type sysadm_t;
')
domain_entry_file_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_entry_spec_domtrans_to'($*)) dnl
')
########################################
##
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
## requiring the caller to use setexeccon().
##
##
##
## Allow sysadm to execute a generic bin program in
## a specified domain.
##
##
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
#
define(`sysadm_bin_spec_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_bin_spec_domtrans_to'($*)) dnl
gen_require(`
type sysadm_t;
')
corecmd_bin_spec_domtrans(sysadm_t, $1)
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_bin_spec_domtrans_to'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to sysadm users.
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_sigchld'($*)) dnl
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_sigchld'($*)) dnl
')
########################################
##
## Inherit and use sysadm file descriptors
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_use_fds'($*)) dnl
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_use_fds'($*)) dnl
')
########################################
##
## Read and write sysadm user unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`sysadm_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysadm_rw_pipes'($*)) dnl
gen_require(`
type sysadm_t;
')
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysadm_rw_pipes'($*)) dnl
')
## No Interfaces
## Unconfined user role
########################################
##
## Change from the unconfineduser role.
##
##
##
## Change from the unconfineduser role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`unconfined_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_role_change_to'($*)) dnl
gen_require(`
role unconfined_r;
')
allow unconfined_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_role_change_to'($*)) dnl
')
########################################
##
## Transition to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domtrans'($*)) dnl
gen_require(`
type unconfined_t, unconfined_exec_t;
')
domtrans_pattern($1,unconfined_exec_t,unconfined_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domtrans'($*)) dnl
')
########################################
##
## Execute specified programs in the unconfined domain.
##
##
##
## The type of the process performing this action.
##
##
##
##
## The role to allow the unconfined domain.
##
##
#
define(`unconfined_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_run'($*)) dnl
gen_require(`
type unconfined_t;
')
unconfined_domtrans($1)
role $2 types unconfined_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_run'($*)) dnl
')
########################################
##
## Transition to the unconfined domain by executing a shell.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_shell_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_shell_domtrans'($*)) dnl
gen_require(`
attribute unconfined_login_domain;
')
typeattribute $1 unconfined_login_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_shell_domtrans'($*)) dnl
')
########################################
##
## Execute an Xserver session in unconfined domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
define(`unconfined_xsession_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_xsession_spec_domtrans'($*)) dnl
gen_require(`
type unconfined_t;
')
xserver_xsession_spec_domtrans($1, unconfined_t)
allow unconfined_t $1:fd use;
allow unconfined_t $1:fifo_file rw_file_perms;
allow unconfined_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_xsession_spec_domtrans'($*)) dnl
')
########################################
##
## Allow unconfined to execute the specified program in
## the specified domain.
##
##
##
## Allow unconfined to execute the specified program in
## the specified domain.
##
##
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
##
##
## Domain entry point file.
##
##
#
define(`unconfined_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domtrans_to'($*)) dnl
gen_require(`
type unconfined_t;
')
domtrans_pattern(unconfined_t,$2,$1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domtrans_to'($*)) dnl
')
########################################
##
## Allow unconfined to execute the specified program in
## the specified domain. Allow the specified domain the
## unconfined role and use of unconfined user terminals.
##
##
##
## Allow unconfined to execute the specified program in
## the specified domain. Allow the specified domain the
## unconfined role and use of unconfined user terminals.
##
##
## This is a interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Domain to execute in.
##
##
##
##
## Domain entry point file.
##
##
#
define(`unconfined_run_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_run_to'($*)) dnl
gen_require(`
type unconfined_t;
role unconfined_r;
')
domtrans_pattern(unconfined_t,$2,$1)
role unconfined_r types $1;
userdom_use_user_terminals($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_run_to'($*)) dnl
')
######################################
##
## Stub unconfined role.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_stub_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_stub_role'($*)) dnl
gen_require(`
role unconfined_r;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_stub_role'($*)) dnl
')
########################################
##
## Inherit file descriptors from the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_use_fds'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_use_fds'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_sigchld'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_sigchld'($*)) dnl
')
########################################
##
## Send a SIGNULL signal to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_signull'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_signull'($*)) dnl
')
########################################
##
## Send generic signals to the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_signal'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_signal'($*)) dnl
')
########################################
##
## Read unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_read_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_read_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dontaudit_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_read_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:fifo_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_read_pipes'($*)) dnl
')
########################################
##
## Read and write unconfined domain unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_rw_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## unconfined domain unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`unconfined_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:fifo_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## unconfined domain stream.
##
##
##
## Domain to not audit.
##
##
#
define(`unconfined_dontaudit_rw_stream',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_stream'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_stream'($*)) dnl
')
########################################
##
## Connect to the unconfined domain using
## a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_stream_connect'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_stream_connect'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
##
##
##
## Do not audit attempts to read or write
## unconfined domain tcp sockets.
##
##
## This interface was added due to a broken
## symptom in ldconfig.
##
##
##
##
## Domain to not audit.
##
##
#
define(`unconfined_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## unconfined domain packet sockets.
##
##
##
## Do not audit attempts to read or write
## unconfined domain packet sockets.
##
##
## This interface was added due to a broken
## symptom.
##
##
##
##
## Domain to not audit.
##
##
#
define(`unconfined_dontaudit_rw_packet_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_packet_sockets'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:packet_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_packet_sockets'($*)) dnl
')
########################################
##
## Create keys for the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_create_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_create_keys'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:key create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_create_keys'($*)) dnl
')
########################################
##
## Dontaudit write process information for unconfined process.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dontaudit_write_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_write_state'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_write_state'($*)) dnl
')
########################################
##
## Dontaudit read process information for unconfined process.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_read_state'($*)) dnl
gen_require(`
type unconfined_t;
')
dontaudit $1 unconfined_t:dir list_dir_perms;
dontaudit $1 unconfined_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_read_state'($*)) dnl
')
########################################
##
## Write keys for the unconfined domain.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_write_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_write_keys'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:key write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_write_keys'($*)) dnl
')
########################################
##
## Send messages to the unconfined domain over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_send'($*)) dnl
gen_require(`
type unconfined_t;
class dbus send_msg;
')
allow $1 unconfined_t:dbus send_msg;
allow unconfined_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_send'($*)) dnl
')
########################################
##
## Create communication channel with unconfined domain over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_acquire_svc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_acquire_svc'($*)) dnl
gen_require(`
type unconfined_t;
class dbus acquire_svc;
')
allow $1 unconfined_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_acquire_svc'($*)) dnl
')
########################################
##
## Send and receive messages from
## unconfined_t over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_chat'($*)) dnl
gen_require(`
type unconfined_t;
class dbus send_msg;
')
allow $1 unconfined_t:dbus send_msg;
allow unconfined_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_chat'($*)) dnl
')
########################################
##
## Connect to the the unconfined DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dbus_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_connect'($*)) dnl
gen_require(`
type unconfined_t;
class dbus acquire_svc;
')
allow $1 unconfined_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_connect'($*)) dnl
')
########################################
##
## Allow ptrace of unconfined domain
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_ptrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_ptrace'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process ptrace;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_ptrace'($*)) dnl
')
########################################
##
## Read and write to unconfined shared memory.
##
##
##
## The type of the process performing this action.
##
##
#
define(`unconfined_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_rw_shm'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_rw_shm'($*)) dnl
')
########################################
##
## Allow apps to set rlimits on unconfined user
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_set_rlimitnh',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_set_rlimitnh'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process rlimitinh;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_set_rlimitnh'($*)) dnl
')
########################################
##
## Allow apps to setsched on unconfined user
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_setsched'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_setsched'($*)) dnl
')
########################################
##
## Get the process group of unconfined.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_getpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_getpgid'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_getpgid'($*)) dnl
')
########################################
##
## Change to the unconfined role.
##
##
##
## Role allowed access.
##
##
##
#
define(`unconfined_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_role_change'($*)) dnl
gen_require(`
role unconfined_r;
')
allow $1 unconfined_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_role_change'($*)) dnl
')
########################################
##
## Allow domain to attach to TUN devices created by unconfined_t users.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_attach_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_attach_tun_iface'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_attach_tun_iface'($*)) dnl
')
########################################
##
## Allow domain to transition to unconfined_t user
##
##
##
## Domain allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_transition'($*)) dnl
gen_require(`
type unconfined_t;
')
domtrans_pattern($1,$2,unconfined_t)
allow unconfined_t $2:file entrypoint;
allow $1 unconfined_t:process signal_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_transition'($*)) dnl
')
########################################
##
## unconfined_t domain typebounds calling domain.
##
##
##
## Domain to be typebound.
##
##
#
define(`unconfined_typebounds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_typebounds'($*)) dnl
gen_require(`
type unconfined_t;
')
typebounds unconfined_t $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_typebounds'($*)) dnl
')
########################################
##
## unconfined_exec_t domain typebounds file_type.
##
##
##
## File type to be typebound.
##
##
#
define(`unconfined_exec_typebounds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_exec_typebounds'($*)) dnl
gen_require(`
type unconfined_exec_t;
')
typebounds unconfined_exec_t $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_exec_typebounds'($*)) dnl
')
########################################
##
## Send a message to unconfined user over a unix domain datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dgram_send'($*)) dnl
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dgram_send'($*)) dnl
')
## Generic unprivileged user
########################################
##
## Change to the generic user role.
##
##
##
## Role allowed access.
##
##
##
#
define(`unprivuser_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unprivuser_role_change'($*)) dnl
gen_require(`
role user_r;
')
allow $1 user_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unprivuser_role_change'($*)) dnl
')
########################################
##
## Change from the generic user role.
##
##
##
## Change from the generic user role to
## the specified role.
##
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`unprivuser_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unprivuser_role_change_to'($*)) dnl
gen_require(`
role user_r;
')
allow user_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unprivuser_role_change_to'($*)) dnl
')
## PostgreSQL relational database
#######################################
##
## Role access for SE-PostgreSQL.
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
define(`postgresql_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_role'($*)) dnl
gen_require(`
attribute sepgsql_client_type;
type sepgsql_trusted_proc_t;
type sepgsql_ranged_proc_t;
')
typeattribute $2 sepgsql_client_type;
role $1 types sepgsql_trusted_proc_t;
role $1 types sepgsql_ranged_proc_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_role'($*)) dnl
')
########################################
##
## Execute the postgresql program in the postgresql domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the postgresql domain.
##
##
##
#
define(`postgresql_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_run'($*)) dnl
gen_require(`
type postgresql_t;
')
postgresql_domtrans($1)
role $2 types postgresql_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_run'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL loadable shared library module
##
##
##
## Type marked as a database object type.
##
##
#
define(`postgresql_loadable_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_loadable_module'($*)) dnl
gen_require(`
attribute sepgsql_module_type;
')
typeattribute $1 sepgsql_module_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_loadable_module'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL database object type
##
##
##
## Type marked as a database object type.
##
##
#
define(`postgresql_database_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_database_object'($*)) dnl
gen_require(`
attribute sepgsql_database_type;
')
typeattribute $1 sepgsql_database_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_database_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL schema object type
##
##
##
## Type marked as a schema object type.
##
##
#
define(`postgresql_schema_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_schema_object'($*)) dnl
gen_require(`
attribute sepgsql_schema_type;
')
typeattribute $1 sepgsql_schema_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_schema_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL table/column/tuple object type
##
##
##
## Type marked as a table/column/tuple object type.
##
##
#
define(`postgresql_table_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_table_object'($*)) dnl
gen_require(`
attribute sepgsql_table_type;
')
typeattribute $1 sepgsql_table_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_table_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL system table/column/tuple object type
##
##
##
## Type marked as a table/column/tuple object type.
##
##
#
define(`postgresql_system_table_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_system_table_object'($*)) dnl
gen_require(`
attribute sepgsql_table_type, sepgsql_sysobj_table_type;
')
typeattribute $1 sepgsql_table_type;
typeattribute $1 sepgsql_sysobj_table_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_system_table_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL sequence type
##
##
##
## Type marked as a sequence type.
##
##
#
define(`postgresql_sequence_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_sequence_object'($*)) dnl
gen_require(`
attribute sepgsql_sequence_type;
')
typeattribute $1 sepgsql_sequence_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_sequence_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL view object type
##
##
##
## Type marked as a view object type.
##
##
#
define(`postgresql_view_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_view_object'($*)) dnl
gen_require(`
attribute sepgsql_view_type;
')
typeattribute $1 sepgsql_view_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_view_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL procedure object type
##
##
##
## Type marked as a procedure object type.
##
##
#
define(`postgresql_procedure_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_procedure_object'($*)) dnl
gen_require(`
attribute sepgsql_procedure_type;
')
typeattribute $1 sepgsql_procedure_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_procedure_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL trusted procedure object type
##
##
##
## Type marked as a trusted procedure object type.
##
##
#
define(`postgresql_trusted_procedure_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_trusted_procedure_object'($*)) dnl
gen_require(`
attribute sepgsql_procedure_type;
attribute sepgsql_trusted_procedure_type;
')
typeattribute $1 sepgsql_procedure_type;
typeattribute $1 sepgsql_trusted_procedure_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_trusted_procedure_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL procedural language object type
##
##
##
## Type marked as a procedural language object type.
##
##
#
define(`postgresql_language_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_language_object'($*)) dnl
gen_require(`
attribute sepgsql_language_type;
')
typeattribute $1 sepgsql_language_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_language_object'($*)) dnl
')
########################################
##
## Marks as a SE-PostgreSQL binary large object type
##
##
##
## Type marked as a database binary large object type.
##
##
#
define(`postgresql_blob_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_blob_object'($*)) dnl
gen_require(`
attribute sepgsql_blob_type;
')
typeattribute $1 sepgsql_blob_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_blob_object'($*)) dnl
')
########################################
##
## Allow the specified domain to search postgresql's database directory.
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_search_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_search_db'($*)) dnl
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_search_db'($*)) dnl
')
########################################
##
## Allow the specified domain to manage postgresql's database.
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_manage_db'($*)) dnl
gen_require(`
type postgresql_db_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_manage_db'($*)) dnl
')
########################################
##
## Execute postgresql in the postgresql domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`postgresql_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_domtrans'($*)) dnl
gen_require(`
type postgresql_t, postgresql_exec_t;
')
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_domtrans'($*)) dnl
')
######################################
##
## Execute Postgresql in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_exec'($*)) dnl
gen_require(`
type postgresql_exec_t;
')
can_exec($1, postgresql_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_exec'($*)) dnl
')
######################################
##
## Allow domain to signal postgresql
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_signal'($*)) dnl
gen_require(`
type postgresql_t;
')
allow $1 postgresql_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_signal'($*)) dnl
')
######################################
##
## Allow domain to signull postgresql
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_signull'($*)) dnl
gen_require(`
type postgresql_t;
')
allow $1 postgresql_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_signull'($*)) dnl
')
########################################
##
## Allow the specified domain to read postgresql's etc.
##
##
##
## Domain allowed access.
##
##
##
#
define(`postgresql_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_read_config'($*)) dnl
gen_require(`
type postgresql_etc_t;
')
files_search_etc($1)
allow $1 postgresql_etc_t:dir list_dir_perms;
allow $1 postgresql_etc_t:file read_file_perms;
allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_read_config'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to postgresql with a tcp socket.
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_tcp_connect'($*)) dnl
gen_require(`
type postgresql_t;
')
corenet_tcp_recvfrom_labeled($1, postgresql_t)
corenet_tcp_sendrecv_postgresql_port($1)
corenet_tcp_connect_postgresql_port($1)
corenet_sendrecv_postgresql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_tcp_connect'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to postgresql with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_stream_connect'($*)) dnl
gen_require(`
type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
')
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
files_search_pids($1)
files_search_tmp($1)
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_stream_connect'($*)) dnl
')
########################################
##
## Allow the specified domain unprivileged accesses to unifined database objects
## managed by SE-PostgreSQL,
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_unpriv_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_unpriv_client'($*)) dnl
gen_require(`
attribute sepgsql_client_type;
')
typeattribute $1 sepgsql_client_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_unpriv_client'($*)) dnl
')
########################################
##
## Allow the specified domain unconfined accesses to any database objects
## managed by SE-PostgreSQL,
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_unconfined'($*)) dnl
gen_require(`
attribute sepgsql_unconfined_type;
')
typeattribute $1 sepgsql_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_unconfined'($*)) dnl
')
########################################
##
## Transition to postgresql named content
##
##
##
## Domain allowed access.
##
##
#
define(`postgresql_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_filetrans_named_content'($*)) dnl
gen_require(`
type postgresql_db_t;
type postgresql_log_t;
')
files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_filetrans_named_content'($*)) dnl
')
########################################
##
## All of the rules required to administrate an postgresql environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the postgresql domain.
##
##
##
#
define(`postgresql_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_admin'($*)) dnl
gen_require(`
attribute sepgsql_admin_type, sepgsql_client_type;
type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
type postgresql_etc_t;
')
typeattribute $1 sepgsql_admin_type;
allow $1 postgresql_t:process signal_perms;
ps_process_pattern($1, postgresql_t)
tunable_policy(`deny_ptrace',`',`
allow $1 postgresql_t:process ptrace;
')
init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, postgresql_var_run_t)
files_list_var_lib($1)
admin_pattern($1, postgresql_db_t)
files_list_etc($1)
admin_pattern($1, postgresql_etc_t)
logging_list_logs($1)
admin_pattern($1, postgresql_log_t)
files_list_tmp($1)
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)
postgresql_stream_connect($1)
postgresql_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_admin'($*)) dnl
')
## Secure shell client and server policy.
#######################################
##
## Basic SSH client template.
##
##
##
## This template creates a derived domains which are used
## for ssh client sessions. A derived
## type is also created to protect the user ssh keys.
##
##
## This template was added for NX.
##
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## The type of the domain.
##
##
##
##
## The role associated with the user domain.
##
##
#
define(`ssh_basic_client_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_basic_client_template'($*)) dnl
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
type ssh_keysign_exec_t, ssh_keysign_t;
type ssh_home_t;
')
##############################
#
# Declarations
#
type $1_ssh_t;
application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t;
##############################
#
# Client local policy
#
allow $1_ssh_t self:capability { setuid setgid dac_read_search };
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_ssh_t self:shm create_shm_perms;
allow $1_ssh_t self:sem create_sem_perms;
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
allow $1_ssh_t self:tun_socket create_socket_perms;
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
allow $1_ssh_t $2:unix_stream_socket connectto;
# Read the ssh key file.
allow $1_ssh_t sshd_key_t:file read_file_perms;
# Access the ssh temporary files.
allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
# Transition from the domain to the derived domain.
domtrans_pattern($2, ssh_exec_t, $1_ssh_t)
# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
# cjp: should probably fix target to be an attribute for ssh servers
# or "regular" (not special like sshd_extern_t) servers
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
# derived domain can execute ssh-keysign
domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
role $3 types ssh_keysign_t;
# allow ps to show ssh
ps_process_pattern($2, $1_ssh_t)
# user can manage the keys and config
manage_files_pattern($2, ssh_home_t, ssh_home_t)
manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
# ssh client can manage the keys and config
manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
allow ssh_server ssh_home_t:dir list_dir_perms;
read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
kernel_read_kernel_sysctls($1_ssh_t)
kernel_read_system_state($1_ssh_t)
kernel_read_network_state($1_ssh_t)
corenet_all_recvfrom_netlabel($1_ssh_t)
corenet_tcp_sendrecv_generic_if($1_ssh_t)
corenet_tcp_sendrecv_generic_node($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
corenet_tcp_bind_generic_node($1_ssh_t)
corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
corenet_rw_inherited_tun_tap_dev($1_ssh_t)
dev_read_urand($1_ssh_t)
fs_getattr_all_fs($1_ssh_t)
fs_search_auto_mountpoints($1_ssh_t)
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell($1_ssh_t)
corecmd_exec_bin($1_ssh_t)
domain_use_interactive_fds($1_ssh_t)
files_list_home($1_ssh_t)
files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t)
files_read_etc_files($1_ssh_t)
files_read_var_files($1_ssh_t)
auth_use_nsswitch($1_ssh_t)
logging_send_syslog_msg($1_ssh_t)
logging_read_generic_logs($1_ssh_t)
seutil_read_config($1_ssh_t)
optional_policy(`
kerberos_use($1_ssh_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_basic_client_template'($*)) dnl
')
######################################
##
## The template to define a domain to which sshd dyntransition.
##
##
##
## The prefix of the dyntransition domain
##
##
#
define(`ssh_dyntransition_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dyntransition_domain_template'($*)) dnl
gen_require(`
attribute ssh_dyntransition_domain;
')
type $1, ssh_dyntransition_domain;
domain_type($1)
role system_r types $1;
optional_policy(`
ssh_dyntransition_to($1)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dyntransition_domain_template'($*)) dnl
')
#######################################
##
## The template to define a ssh server.
##
##
##
## This template creates a domains to be used for
## creating a ssh server. This is typically done
## to have multiple ssh servers of different sensitivities,
## such as for an internal network-facing ssh server, and
## a external network-facing ssh server.
##
##
##
##
## The prefix of the server domain (e.g., sshd
## is the prefix for sshd_t).
##
##
#
define(`ssh_server_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_server_template'($*)) dnl
gen_require(`
type sshd_t;
')
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
type $1_devpts_t;
term_login_pty($1_devpts_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
type $1_var_run_t;
files_pid_file($1_var_run_t)
allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
term_create_pty($1_t, $1_devpts_t)
#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
userdom_manage_tmp_role(system_r, sshd_t)
allow $1_t $1_var_run_t:file manage_file_perms;
files_pid_filetrans($1_t, $1_var_run_t, file)
can_exec($1_t, sshd_exec_t)
# Access key files
allow $1_t sshd_key_t:file read_file_perms;
kernel_read_kernel_sysctls($1_t)
kernel_search_network_sysctl($1_t)
kernel_read_network_state($1_t)
kernel_request_load_module($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_udp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
corenet_udp_sendrecv_generic_node($1_t)
corenet_raw_sendrecv_generic_node($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
# -R qualifier
corenet_sendrecv_ssh_server_packets($1_t)
# tunnel feature and -w (net_admin capability also)
corenet_rw_tun_tap_dev($1_t)
fs_getattr_all_fs($1_t)
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
corecmd_read_bin_symlinks($1_t)
corecmd_getattr_bin_files($1_t)
# for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_files($1_t)
dev_rw_crypto($1_t)
domain_interactive_fd($1_t)
domain_dyntrans_type($1_t)
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
files_read_usr_files($1_t)
logging_search_logs($1_t)
userdom_dontaudit_relabelfrom_user_ptys($1_t)
userdom_read_user_home_content_files($1_t)
# Allow checking users mail at login
optional_policy(`
mta_getattr_spool($1_t)
')
userdom_home_manager($1_t)
optional_policy(`
kerberos_use($1_t)
#kerberos_manage_host_rcache($1_t)
')
optional_policy(`
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
optional_policy(`
rlogin_read_home_content($1_t)
')
optional_policy(`
shutdown_getattr_exec_files($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_server_template'($*)) dnl
')
########################################
##
## Role access for ssh
##
##
##
## The prefix of the role (e.g., user
## is the prefix for user_r).
##
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
##
#
define(`ssh_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_role_template'($*)) dnl
gen_require(`
attribute ssh_server, ssh_agent_type;
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
type cache_home_t;
')
##############################
#
# Declarations
#
role $2 types ssh_t;
type $1_ssh_agent_t, ssh_agent_type;
userdom_user_application_domain($1_ssh_agent_t, ssh_agent_exec_t)
domain_interactive_fd($1_ssh_agent_t)
role $2 types $1_ssh_agent_t;
##############################
#
# Local policy
#
# Transition from the domain to the derived domain.
domtrans_pattern($3, ssh_exec_t, ssh_t)
# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
allow $3 ssh_t:process signal_perms;
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
allow ssh_t $3:key manage_key_perms;
allow $3 ssh_t:key { write search read view };
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
userdom_manage_tmp_role($2, ssh_t)
##############################
#
# SSH agent local policy
#
allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
# for ssh-add
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
allow $3 $1_ssh_agent_t:process signal_perms;
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
kernel_read_system_state($1_ssh_agent_t)
# transition back to normal privs upon exec
corecmd_shell_domtrans($1_ssh_agent_t, $3)
corecmd_bin_domtrans($1_ssh_agent_t, $3)
auth_use_nsswitch($1_ssh_agent_t)
logging_send_syslog_msg($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
userdom_home_manager($1_ssh_agent_t)
ssh_exec_keygen($3)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_role_template'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the ssh server.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_sigchld'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_sigchld'($*)) dnl
')
########################################
##
## Send a generic signal to the ssh server.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_signal'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_signal'($*)) dnl
')
########################################
##
## Send a null signal to sshd processes.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_signull'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_signull'($*)) dnl
')
########################################
##
## Read a ssh server unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_pipes'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_pipes'($*)) dnl
')
######################################
##
## Read and write ssh server unix dgram sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_rw_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_dgram_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_dgram_sockets'($*)) dnl
')
########################################
##
## Read and write a ssh server unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_pipes'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_pipes'($*)) dnl
')
########################################
##
## Read and write ssh server unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_stream_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_stream_sockets'($*)) dnl
')
########################################
##
## Read and write ssh server TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_tcp_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## ssh server TCP sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type sshd_t;
')
dontaudit $1 sshd_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Connect to SSH daemons over TCP sockets. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_tcp_connect'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_tcp_connect'($*)) dnl
')
########################################
##
## Execute the ssh daemon sshd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ssh_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_domtrans'($*)) dnl
gen_require(`
type sshd_t, sshd_exec_t;
')
domtrans_pattern($1, sshd_exec_t, sshd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_domtrans'($*)) dnl
')
########################################
##
## Execute sshd server in the sshd domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_initrc_domtrans'($*)) dnl
gen_require(`
type sshd_initrc_exec_t;
')
init_labeled_script_domtrans($1, sshd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute the ssh client in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_exec'($*)) dnl
gen_require(`
type ssh_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ssh_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_exec'($*)) dnl
')
########################################
##
## Set the attributes of sshd key files.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_setattr_key_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_setattr_key_files'($*)) dnl
gen_require(`
type sshd_key_t;
')
allow $1 sshd_key_t:file setattr_file_perms;
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_setattr_key_files'($*)) dnl
')
########################################
##
## Execute the ssh agent client in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_agent_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_agent_exec'($*)) dnl
gen_require(`
type ssh_agent_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ssh_agent_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_agent_exec'($*)) dnl
')
########################################
##
## Send generic signals to ssh_agent_type.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_agent_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_agent_signal'($*)) dnl
gen_require(`
attribute ssh_agent_type;
')
allow $1 ssh_agent_type:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_agent_signal'($*)) dnl
')
########################################
##
## Getattr ssh home directory
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_getattr_user_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_getattr_user_home_dir'($*)) dnl
gen_require(`
type ssh_home_t;
')
allow $1 ssh_home_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_getattr_user_home_dir'($*)) dnl
')
########################################
##
## Dontaudit search ssh home directory
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_dontaudit_search_user_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_search_user_home_dir'($*)) dnl
gen_require(`
type ssh_home_t;
')
dontaudit $1 ssh_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_search_user_home_dir'($*)) dnl
')
########################################
##
## Read ssh home directory content
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_read_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_user_home_files'($*)) dnl
gen_require(`
type ssh_home_t;
')
allow $1 ssh_home_t:dir list_dir_perms;
read_files_pattern($1, ssh_home_t, ssh_home_t)
read_lnk_files_pattern($1, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_user_home_files'($*)) dnl
')
########################################
##
## Execute the ssh key generator in the ssh keygen domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ssh_domtrans_keygen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_domtrans_keygen'($*)) dnl
gen_require(`
type ssh_keygen_t, ssh_keygen_exec_t;
')
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
allow $1 ssh_keygen_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_domtrans_keygen'($*)) dnl
')
########################################
##
## Execute the ssh key generator in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ssh_exec_keygen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_exec_keygen'($*)) dnl
gen_require(`
type ssh_keygen_exec_t;
')
can_exec($1, ssh_keygen_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_exec_keygen'($*)) dnl
')
#######################################
##
## Execute ssh-keygen in the iptables domain, and
## allow the specified role the ssh-keygen domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ssh_run_keygen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_run_keygen'($*)) dnl
gen_require(`
type ssh_keygen_t;
')
role $2 types ssh_keygen_t;
ssh_domtrans_keygen($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_run_keygen'($*)) dnl
')
########################################
##
## Getattr ssh server keys
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_getattr_server_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_getattr_server_keys'($*)) dnl
gen_require(`
type sshd_key_t;
')
allow $1 sshd_key_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_getattr_server_keys'($*)) dnl
')
########################################
##
## Read ssh server keys
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_dontaudit_read_server_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_read_server_keys'($*)) dnl
gen_require(`
type sshd_key_t;
')
dontaudit $1 sshd_key_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_read_server_keys'($*)) dnl
')
######################################
##
## Append ssh home directory content
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_append_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_append_home_files'($*)) dnl
gen_require(`
type ssh_home_t;
')
append_files_pattern($1, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_append_home_files'($*)) dnl
')
######################################
##
## Manage ssh home directory content
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_manage_home_files'($*)) dnl
gen_require(`
type ssh_home_t;
')
manage_files_pattern($1, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_manage_home_files'($*)) dnl
')
#######################################
##
## Delete from the ssh temp files.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_delete_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_delete_tmp'($*)) dnl
gen_require(`
type sshd_tmp_t;
')
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_delete_tmp'($*)) dnl
')
#####################################
##
## Allow domain dyntransition to chroot_user_t domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_dyntransition_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dyntransition_to'($*)) dnl
gen_require(`
type sshd_t;
')
allow sshd_t $1:process dyntransition;
allow $1 sshd_t:process sigchld;
allow sshd_t $1:process { getattr sigkill sigstop signull signal };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dyntransition_to'($*)) dnl
')
########################################
##
## Create .ssh directory in the /root directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_filetrans_admin_home_content'($*)) dnl
gen_require(`
type ssh_home_t;
')
userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## Create .ssh directory in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_filetrans_home_content'($*)) dnl
gen_require(`
type ssh_home_t;
')
userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_filetrans_home_content'($*)) dnl
')
########################################
##
## Create .ssh directory in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`ssh_filetrans_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_filetrans_keys'($*)) dnl
gen_require(`
type sshd_key_t;
')
files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_filetrans_keys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the sshd pty type.
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_dontaudit_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_use_ptys'($*)) dnl
gen_require(`
type sshd_devpts_t;
')
dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_use_ptys'($*)) dnl
')
########################################
##
## Read and write inherited sshd pty type.
##
##
##
## Domain to not audit.
##
##
#
define(`ssh_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_use_ptys'($*)) dnl
gen_require(`
type sshd_devpts_t;
')
allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_use_ptys'($*)) dnl
')
########################################
##
## Execute sshd server in the sshd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ssh_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_systemctl'($*)) dnl
gen_require(`
type sshd_t;
type sshd_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 sshd_unit_file_t:file manage_file_perms;
allow $1 sshd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, sshd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_systemctl'($*)) dnl
')
########################################
##
## Allow the domain to read state files in /proc.
##
##
##
## Domain to allow access.
##
##
#
define(`ssh_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_state'($*)) dnl
gen_require(`
type ssh_t;
')
read_files_pattern($1, ssh_t, ssh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_state'($*)) dnl
')
## X Windows Server
########################################
##
## Rules required for using the X Windows server
## and environment, for restricted users.
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_restricted_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_restricted_role'($*)) dnl
gen_require(`
type xauth_t, iceauth_t;
attribute dridomain, x_userdomain;
')
role $1 types { xauth_t iceauth_t };
typeattribute $2 x_userdomain, dridomain;
xserver_common_x_domain_template(user,$2)
xserver_stream_connect_xdm($2)
xserver_xdm_append_log($2)
xserver_dri_domain($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_restricted_role'($*)) dnl
')
########################################
##
## Domain wants to use direct io devices
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_dri_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dri_domain'($*)) dnl
gen_require(`
attribute dridomain;
')
typeattribute $1 dridomain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dri_domain'($*)) dnl
')
########################################
##
## Rules required for using the X Windows server
## and environment.
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_role'($*)) dnl
gen_require(`
type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
')
xserver_restricted_role($1, $2)
# Communicate via System V shared memory.
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
allow $2 iceauth_home_t:file relabel_file_perms;
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file relabel_file_perms;
mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_role'($*)) dnl
')
#######################################
##
## Create sessions on the X server, with read-only
## access to the X server shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_ro_session',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_ro_session'($*)) dnl
gen_require(`
type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
')
# Xserver read/write client shm
allow xserver_t $1:fd use;
allow xserver_t $1:shm rw_shm_perms;
allow xserver_t $2:file rw_file_perms;
# Connect to xserver
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
allow $1 xserver_tmp_t:file read_file_perms;
# Client read xserver shm
allow $1 xserver_t:fd use;
allow $1 xserver_t:shm r_shm_perms;
allow $1 xserver_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_ro_session'($*)) dnl
')
#######################################
##
## Create sessions on the X server, with read and write
## access to the X server shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_rw_session',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_session'($*)) dnl
gen_require(`
type xserver_t, xserver_tmpfs_t;
')
xserver_ro_session($1, $2)
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file { map rw_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_session'($*)) dnl
')
#######################################
##
## Create non-drawing client sessions on an X server.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_non_drawing_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_non_drawing_client'($*)) dnl
gen_require(`
class x_drawable { getattr get_property };
class x_extension { query use };
class x_gc { create setattr };
class x_property read;
type xserver_t, xdm_var_run_t;
type xextension_t, xproperty_t, root_xdrawable_t;
')
allow $1 self:x_gc { create setattr };
allow $1 xdm_var_run_t:dir search_dir_perms;
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
allow $1 root_xdrawable_t:x_drawable { getattr get_property };
allow $1 xproperty_t:x_property read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_non_drawing_client'($*)) dnl
')
#######################################
##
## Create full client sessions
## on a user X server.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_user_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_client'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
type xdm_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
allow $1 self:shm create_shm_perms;
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
allow $1 xauth_home_t:file read_file_perms;
allow $1 iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
allow $1 xdm_t:fd use;
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
userdom_search_user_tmp_dirs($1)
userdom_rw_user_tmp_sock_files($1)
dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
files_search_tmp($1)
miscfiles_read_fonts($1)
userdom_search_user_home_dirs($1)
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($1)
xserver_ro_session($1,$2)
xserver_use_user_fonts($1)
xserver_read_xdm_tmp_files($1)
# Client write xserver shm
tunable_policy(`xserver_clients_write_xshm',`
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_client'($*)) dnl
')
#######################################
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Provides the minimal set required by a basic
## X client application.
##
##
##
## The prefix of the X client domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Client domain allowed access.
##
##
#
define(`xserver_common_x_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_common_x_domain_template'($*)) dnl
gen_require(`
type root_xdrawable_t, xdm_t, xserver_t;
type xproperty_t, $1_xproperty_t;
type xevent_t, client_xevent_t;
type input_xevent_t, $1_input_xevent_t;
attribute x_domain, input_xevent_type;
attribute xdrawable_type, xcolormap_type;
class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
class x_client destroy;
class x_server manage;
class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
class x_pointer { get_property set_property manage };
class x_keyboard { read manage freeze };
')
##############################
#
# Local Policy
#
# Type attributes
typeattribute $2 x_domain;
typeattribute $2 xdrawable_type, xcolormap_type;
# X Properties
# disable property transitions for the time being.
# type_transition $2 xproperty_t:x_property $1_xproperty_t;
# X Windows
# new windows have the domain type
type_transition $2 root_xdrawable_t:x_drawable $2;
# X Input
# distinguish input events
type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
# can send own events
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
# can receive own events
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
# can receive default events
allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
allow $2 xdm_t:x_drawable { hide read add_child manage };
allow $2 xdm_t:x_client destroy;
allow $2 root_xdrawable_t:x_drawable write;
allow $2 xserver_t:x_server manage;
allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
allow $2 xserver_t:x_pointer { get_property set_property manage };
allow $2 xserver_t:x_keyboard { read manage freeze };
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_common_x_domain_template'($*)) dnl
')
#######################################
##
## Template for creating the set of types used
## in an X windows domain.
##
##
##
## The prefix of the X client domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`xserver_object_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_object_types_template'($*)) dnl
gen_require(`
attribute xproperty_type, input_xevent_type, xevent_type;
')
##############################
#
# Declarations
#
# Types for properties
type $1_xproperty_t, xproperty_type;
ubac_constrained($1_xproperty_t)
# Types for events
type $1_input_xevent_t, input_xevent_type, xevent_type;
ubac_constrained($1_input_xevent_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_object_types_template'($*)) dnl
')
#######################################
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Provides the minimal set required by a basic
## X client application.
##
##
##
## The prefix of the X client domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Client domain allowed access.
##
##
##
##
## The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_user_x_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_x_domain_template'($*)) dnl
gen_require(`
type xdm_t, xserver_tmpfs_t;
type xdm_home_t;
type xauth_home_t, iceauth_home_t, xserver_t;
')
allow $2 self:shm create_shm_perms;
allow $2 self:unix_dgram_socket create_socket_perms;
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
xserver_filetrans_home_content($2)
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
userdom_search_user_tmp_dirs($2)
userdom_rw_user_tmp_sock_files($2)
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
files_search_tmp($2)
miscfiles_read_fonts($2)
userdom_search_user_home_dirs($2)
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
userdom_read_user_tmp_files($2)
xserver_read_xdm_pid($2)
xserver_xdm_append_log($2)
# X object manager
xserver_object_types_template($1)
xserver_common_x_domain_template($1, $2)
# Client write xserver shm
tunable_policy(`xserver_clients_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
tunable_policy(`selinuxuser_direct_dri_enabled',`
dev_rw_dri($2)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_x_domain_template'($*)) dnl
')
########################################
##
## Read user fonts, user font configuration,
## and manage the user font cache.
##
##
##
## Read user fonts, user font configuration,
## and manage the user font cache.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_use_user_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_user_fonts'($*)) dnl
gen_require(`
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
')
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
# Read per user font config
allow $1 user_fonts_config_t:dir list_dir_perms;
allow $1 user_fonts_config_t:file read_file_perms;
userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_user_fonts'($*)) dnl
')
########################################
##
## Transition to the Xauthority domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xserver_domtrans_xdm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans_xdm'($*)) dnl
gen_require(`
type xdm_t, xdm_exec_t;
')
domtrans_pattern($1, xdm_exec_t, xdm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans_xdm'($*)) dnl
')
########################################
##
## Transition to the Xauthority domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xserver_domtrans_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans_xauth'($*)) dnl
gen_require(`
type xauth_t, xauth_exec_t;
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans_xauth'($*)) dnl
')
######################################
##
## Allow exec of Xauthority program..
##
##
##
## Domain allowed to transition.
##
##
#
define(`xserver_exec_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_exec_xauth'($*)) dnl
gen_require(`
type xauth_t, xauth_exec_t;
')
can_exec($1, xauth_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_exec_xauth'($*)) dnl
')
########################################
##
## Dontaudit exec of Xauthority program.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_exec_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_exec_xauth'($*)) dnl
gen_require(`
type xauth_exec_t;
')
dontaudit $1 xauth_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_exec_xauth'($*)) dnl
')
########################################
##
## Create a Xauthority file in the user home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_user_home_dir_filetrans_user_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl
gen_require(`
type xauth_home_t;
')
userdom_user_home_dir_filetrans($1, xauth_home_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl
')
########################################
##
## Create a Xauthority file in the admin home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_admin_home_dir_filetrans_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_admin_home_dir_filetrans_xauth'($*)) dnl
gen_require(`
type xauth_home_t;
')
userdom_admin_home_dir_filetrans($1, xauth_home_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_admin_home_dir_filetrans_xauth'($*)) dnl
')
########################################
##
## Read all users fonts, user font configurations,
## and manage all users font caches.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_use_all_users_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_all_users_fonts'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
xserver_use_user_fonts($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_all_users_fonts'($*)) dnl
')
########################################
##
## Read all users .Xauthority.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_user_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_user_xauth'($*)) dnl
gen_require(`
type xauth_home_t;
')
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
xserver_read_xdm_pid($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_user_xauth'($*)) dnl
')
########################################
##
## Manage all users .Xauthority.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_user_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_user_xauth'($*)) dnl
gen_require(`
type xauth_home_t;
')
allow $1 xauth_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_user_xauth'($*)) dnl
')
########################################
##
## Set the attributes of the X windows console named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_setattr_console_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_setattr_console_pipes'($*)) dnl
gen_require(`
type xconsole_device_t;
')
allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_setattr_console_pipes'($*)) dnl
')
########################################
##
## Read and write the X windows console named pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_console'($*)) dnl
gen_require(`
type xconsole_device_t;
')
allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_console'($*)) dnl
')
########################################
##
## Read XDM state files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_state_xdm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_state_xdm'($*)) dnl
gen_require(`
type xdm_t;
')
kernel_search_proc($1)
ps_process_pattern($1, xdm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_state_xdm'($*)) dnl
')
########################################
##
## Use file descriptors for xdm.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_use_xdm_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_xdm_fds'($*)) dnl
gen_require(`
type xdm_t;
')
allow $1 xdm_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_xdm_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## XDM file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_use_xdm_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_use_xdm_fds'($*)) dnl
gen_require(`
type xdm_t;
')
dontaudit $1 xdm_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_use_xdm_fds'($*)) dnl
')
########################################
##
## Read and write XDM unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_xdm_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_pipes'($*)) dnl
gen_require(`
type xdm_t;
')
allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## XDM unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_rw_xdm_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_xdm_pipes'($*)) dnl
gen_require(`
type xdm_t;
')
dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_xdm_pipes'($*)) dnl
')
########################################
##
## Read xdm process state files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_state'($*)) dnl
gen_require(`
type xdm_t;
')
kernel_search_proc($1)
allow $1 xdm_t:dir list_dir_perms;
allow $1 xdm_t:file read_file_perms;
allow $1 xdm_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_state'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## xdm_spool files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_xdm_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_spool_files'($*)) dnl
gen_require(`
type xdm_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_spool_files'($*)) dnl
')
########################################
##
## Connect to XDM over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_stream_connect_xdm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_stream_connect_xdm'($*)) dnl
gen_require(`
type xdm_t, xdm_var_run_t;
')
files_search_tmp($1)
files_search_pids($1)
stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
userdom_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_stream_connect_xdm'($*)) dnl
')
########################################
##
## Allow domain to append XDM unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_append_xdm_stream_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_append_xdm_stream_socket'($*)) dnl
gen_require(`
type xdm_t;
')
allow $1 xdm_t:unix_stream_socket append;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_append_xdm_stream_socket'($*)) dnl
')
########################################
##
## Read XDM files in user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_home_files'($*)) dnl
gen_require(`
type xdm_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 xdm_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_home_files'($*)) dnl
')
########################################
##
## Read xserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_config'($*)) dnl
gen_require(`
type xserver_etc_t;
')
files_search_etc($1)
read_files_pattern($1, xserver_etc_t, xserver_etc_t)
read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_config'($*)) dnl
')
########################################
##
## Manage xserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_config'($*)) dnl
gen_require(`
type xserver_etc_t;
')
files_search_etc($1)
manage_files_pattern($1, xserver_etc_t, xserver_etc_t)
manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_config'($*)) dnl
')
########################################
##
## Read xdm-writable configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_rw_config'($*)) dnl
gen_require(`
type xdm_rw_etc_t;
')
files_search_etc($1)
allow $1 xdm_rw_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_rw_config'($*)) dnl
')
########################################
##
## Search XDM temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_search_xdm_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_search_xdm_tmp_dirs'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
userdom_search_user_tmp_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_search_xdm_tmp_dirs'($*)) dnl
')
########################################
##
## Set the attributes of XDM temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_setattr_xdm_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_setattr_xdm_tmp_dirs'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
userdom_dontaudit_setattr_user_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_setattr_xdm_tmp_dirs'($*)) dnl
')
########################################
##
## Dont audit attempts to set the attributes of XDM temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_xdm_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_xdm_tmp_dirs'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
userdom_dontaudit_setattr_user_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_xdm_tmp_dirs'($*)) dnl
')
########################################
##
## Create a named socket in a XDM
## temporary directory.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_create_xdm_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_create_xdm_tmp_sockets'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
userdom_create_user_tmp_sockets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_create_xdm_tmp_sockets'($*)) dnl
')
########################################
##
## Read XDM pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_pid'($*)) dnl
gen_require(`
type xdm_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_pid'($*)) dnl
')
########################################
##
## Mmap XDM pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_map_xdm_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_map_xdm_pid'($*)) dnl
gen_require(`
type xdm_var_run_t;
')
allow $1 xdm_var_run_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_map_xdm_pid'($*)) dnl
')
######################################
##
## Dontaudit Read XDM pid files.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_read_xdm_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_read_xdm_pid'($*)) dnl
gen_require(`
type xdm_var_run_t;
')
dontaudit $1 xdm_var_run_t:dir search_dir_perms;
dontaudit $1 xdm_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_read_xdm_pid'($*)) dnl
')
########################################
##
## Read XDM var lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_lib_files'($*)) dnl
gen_require(`
type xdm_var_lib_t;
')
read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_lib_files'($*)) dnl
')
########################################
##
## Read inherited XDM var lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_inherited_xdm_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_inherited_xdm_lib_files'($*)) dnl
gen_require(`
type xdm_var_lib_t;
')
allow $1 xdm_var_lib_t:file { read_inherited_file_perms map };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_inherited_xdm_lib_files'($*)) dnl
')
########################################
##
## Make an X session script an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.
##
##
#
define(`xserver_xsession_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xsession_entry_type'($*)) dnl
gen_require(`
type xsession_exec_t;
')
domain_entry_file($1, xsession_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xsession_entry_type'($*)) dnl
')
########################################
##
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Execute an Xsession in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the shell process.
##
##
#
define(`xserver_xsession_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xsession_spec_domtrans'($*)) dnl
gen_require(`
type xsession_exec_t;
')
domain_trans($1, xsession_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xsession_spec_domtrans'($*)) dnl
')
########################################
##
## Get the attributes of X server logs.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_getattr_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_getattr_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
logging_search_logs($1)
allow $1 xserver_log_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_getattr_log'($*)) dnl
')
#######################################
##
## Allow domain to read X server logs.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
logging_search_logs($1)
allow $1 xserver_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_log'($*)) dnl
')
########################################
##
## Do not audit attempts to write the X server
## log files.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_write_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_write_log'($*)) dnl
')
########################################
##
## Delete X server log files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_delete_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_delete_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
logging_search_logs($1)
allow $1 xserver_log_t:dir list_dir_perms;
delete_files_pattern($1, xserver_log_t, xserver_log_t)
delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_delete_log'($*)) dnl
')
########################################
##
## Read X keyboard extension libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xkb_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xkb_libs'($*)) dnl
gen_require(`
type xkb_var_lib_t;
')
files_search_var_lib($1)
allow $1 xkb_var_lib_t:dir list_dir_perms;
read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xkb_libs'($*)) dnl
')
########################################
##
## Manage X keyboard extension libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_xkb_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_xkb_libs'($*)) dnl
gen_require(`
type xkb_var_lib_t;
')
files_search_var_lib($1)
allow $1 xkb_var_lib_t:dir list_dir_perms;
manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_xkb_libs'($*)) dnl
')
########################################
##
## dontaudit access checks X keyboard extension libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_dontaudit_xkb_libs_access',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_xkb_libs_access'($*)) dnl
gen_require(`
type xkb_var_lib_t;
')
dontaudit $1 xkb_var_lib_t:dir audit_access;
dontaudit $1 xkb_var_lib_t:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_xkb_libs_access'($*)) dnl
')
########################################
##
## Read xdm config files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_read_xdm_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_etc_files'($*)) dnl
gen_require(`
type xdm_etc_t;
')
files_search_etc($1)
read_files_pattern($1, xdm_etc_t, xdm_etc_t)
read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_etc_files'($*)) dnl
')
########################################
##
## Manage xdm config files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_manage_xdm_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_etc_files'($*)) dnl
gen_require(`
type xdm_etc_t;
')
files_search_etc($1)
manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_etc_files'($*)) dnl
')
########################################
##
## Watch xdm config directories.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_watch_xdm_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_watch_xdm_etc_dirs'($*)) dnl
gen_require(`
type xdm_etc_t;
')
files_search_etc($1)
watch_dirs_pattern($1, xdm_etc_t, xdm_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_watch_xdm_etc_dirs'($*)) dnl
')
########################################
##
## Read xdm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_xdm_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_tmp_files'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
userdom_read_user_tmpfs_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_xdm_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read xdm temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_read_xdm_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
userdom_dontaudit_read_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl
')
########################################
##
## Read write xdm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_xdm_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_tmp_files'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
userdom_rw_user_tmpfs_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete xdm temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_xdm_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_tmp_files'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
userdom_manage_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete xdm temporary dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_relabel_xdm_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_relabel_xdm_tmp_dirs'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
userdom_relabel_user_tmp_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_relabel_xdm_tmp_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete xdm temporary dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_xdm_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_tmp_dirs'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
userdom_manage_user_tmp_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_getattr_xdm_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
userdom_dontaudit_user_getattr_tmp_sockets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl
')
########################################
##
## Execute the X server in the X server domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xserver_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans'($*)) dnl
gen_require(`
type xserver_t, xserver_exec_t;
')
allow $1 xserver_t:process siginh;
domtrans_pattern($1, xserver_exec_t, xserver_t)
allow xserver_t $1:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans'($*)) dnl
')
########################################
##
## Allow SELinux Domain trasition
## into confined domain with NoNewPrivileges
## Systemd Security feature.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_nnp_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_nnp_daemon_domain'($*)) dnl
gen_require(`
type xserver_t;
')
allow $1 xserver_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_nnp_daemon_domain'($*)) dnl
')
########################################
##
## Allow execute the X server.
##
##
##
## Domain allowed to transition.
##
##
#
define(`xserver_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_exec'($*)) dnl
gen_require(`
type xserver_exec_t;
')
can_exec($1, xserver_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_exec'($*)) dnl
')
########################################
##
## Signal X servers
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_signal'($*)) dnl
gen_require(`
type xserver_t;
')
allow $1 xserver_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_signal'($*)) dnl
')
########################################
##
## Send a null signal to xdm processes.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_signull'($*)) dnl
gen_require(`
type xdm_t;
')
allow $1 xdm_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_signull'($*)) dnl
')
########################################
##
## Kill X servers
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_kill'($*)) dnl
gen_require(`
type xserver_t;
')
allow $1 xserver_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_kill'($*)) dnl
')
########################################
##
## Read and write X server Sys V Shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_shm'($*)) dnl
gen_require(`
type xserver_t;
')
allow $1 xserver_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_shm'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write to
## X server sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_tcp_sockets'($*)) dnl
gen_require(`
type xserver_t;
')
dontaudit $1 xserver_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write X server
## unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_stream_sockets'($*)) dnl
gen_require(`
type xserver_t;
')
dontaudit $1 xserver_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_stream_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write xdm
## unix domain stream sockets.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_xdm_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_xdm_rw_stream_sockets'($*)) dnl
gen_require(`
type xdm_t;
')
dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_xdm_rw_stream_sockets'($*)) dnl
')
########################################
##
## Connect to the X server over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_stream_connect'($*)) dnl
gen_require(`
type xserver_t, xserver_tmp_t;
')
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
allow xserver_t $1:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_stream_connect'($*)) dnl
')
######################################
##
## Dontaudit attempts to connect to xserver
## over a unix stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_stream_connect'($*)) dnl
gen_require(`
type xserver_t, xserver_tmp_t;
')
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_stream_connect'($*)) dnl
')
########################################
##
## Read X server temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_tmp_files'($*)) dnl
gen_require(`
type xserver_tmp_t;
')
allow $1 xserver_tmp_t:file read_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_tmp_files'($*)) dnl
')
########################################
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
## virtual core keyboard and virtual core pointer devices.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_manage_core_devices',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_core_devices'($*)) dnl
gen_require(`
type xserver_t, root_xdrawable_t, xevent_t;
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
class x_screen all_x_screen_perms;
class x_drawable { manage };
attribute x_domain;
class x_drawable all_x_drawable_perms;
class x_resource all_x_resource_perms;
class x_synthetic_event all_x_synthetic_event_perms;
class x_cursor all_x_cursor_perms;
')
allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
allow $1 xserver_t:{ x_screen } setattr;
allow $1 x_domain:x_cursor all_x_cursor_perms;
allow $1 x_domain:x_drawable all_x_drawable_perms;
allow $1 x_domain:x_resource all_x_resource_perms;
allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_core_devices'($*)) dnl
')
########################################
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_unconfined'($*)) dnl
gen_require(`
attribute x_domain, xserver_unconfined_type;
')
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_unconfined'($*)) dnl
')
########################################
##
## Dontaudit append to .xsession-errors file
##
##
##
## Domain to not audit
##
##
#
define(`xserver_dontaudit_append_xdm_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_append_xdm_home_files'($*)) dnl
gen_require(`
type xdm_home_t;
')
dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_dontaudit_rw_cifs_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_append_xdm_home_files'($*)) dnl
')
########################################
##
## append to .xsession-errors file
##
##
##
## Domain to not audit
##
##
#
define(`xserver_append_xdm_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_append_xdm_home_files'($*)) dnl
gen_require(`
type xdm_home_t, xserver_tmp_t;
')
allow $1 xdm_home_t:file append_file_perms;
allow $1 xserver_tmp_t:file append_file_perms;
tunable_policy(`use_nfs_home_dirs',`
fs_append_nfs_files($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_append_cifs_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_append_xdm_home_files'($*)) dnl
')
#######################################
##
## Allow search the xdm_spool files
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_search_spool'($*)) dnl
gen_require(`
type xdm_spool_t;
')
files_search_spool($1)
search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_search_spool'($*)) dnl
')
######################################
##
## Allow read the xdm_spool files
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_read_spool'($*)) dnl
gen_require(`
type xdm_spool_t;
')
files_search_spool($1)
read_files_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_read_spool'($*)) dnl
')
########################################
##
## Manage the xdm_spool files
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_xdm_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_manage_spool'($*)) dnl
gen_require(`
type xdm_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_manage_spool'($*)) dnl
')
########################################
##
## Send and receive messages from
## xdm over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_dbus_chat_xdm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dbus_chat_xdm'($*)) dnl
gen_require(`
type xdm_t;
class dbus send_msg;
')
allow $1 xdm_t:dbus send_msg;
allow xdm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dbus_chat_xdm'($*)) dnl
')
########################################
##
## Send and receive messages from
## xdm over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dbus_chat'($*)) dnl
gen_require(`
type xserver_t;
class dbus send_msg;
')
allow $1 xserver_t:dbus send_msg;
allow xserver_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dbus_chat'($*)) dnl
')
########################################
##
## Read xserver files created in /var/run
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_pid'($*)) dnl
gen_require(`
type xserver_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_pid'($*)) dnl
')
########################################
##
## Execute xserver files created in /var/run
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_exec_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_exec_pid'($*)) dnl
gen_require(`
type xserver_var_run_t;
')
files_search_pids($1)
exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_exec_pid'($*)) dnl
')
########################################
##
## Write xserver files created in /var/run
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_write_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_write_pid'($*)) dnl
gen_require(`
type xserver_var_run_t;
')
files_search_pids($1)
write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_write_pid'($*)) dnl
')
########################################
##
## Allow append the xdm
## log files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_xdm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_append_log'($*)) dnl
gen_require(`
type xdm_log_t;
attribute xdmhomewriter;
')
typeattribute $1 xdmhomewriter;
allow $1 xdm_log_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_append_log'($*)) dnl
')
########################################
##
## Allow ioctl the xdm log files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_xdm_ioctl_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_ioctl_log'($*)) dnl
gen_require(`
type xdm_log_t;
')
allow $1 xdm_log_t:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_ioctl_log'($*)) dnl
')
########################################
##
## Allow append the xdm
## tmp files.
##
##
##
## Domain to not audit
##
##
#
define(`xserver_append_xdm_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_append_xdm_tmp_files'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
userdom_append_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_append_xdm_tmp_files'($*)) dnl
')
########################################
##
## Read a user Iceauthority domain.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_read_user_iceauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_user_iceauth'($*)) dnl
gen_require(`
type iceauth_home_t;
')
# Read .Iceauthority file
allow $1 iceauth_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_user_iceauth'($*)) dnl
')
########################################
##
## Read/write inherited user homedir fonts.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_inherited_user_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_inherited_user_fonts'($*)) dnl
gen_require(`
type user_fonts_t, user_fonts_config_t;
')
allow $1 user_fonts_t:file rw_inherited_file_perms;
allow $1 user_fonts_t:file read_lnk_file_perms;
allow $1 user_fonts_config_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_inherited_user_fonts'($*)) dnl
')
########################################
##
## Search XDM var lib dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_search_xdm_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_search_xdm_lib'($*)) dnl
gen_require(`
type xdm_var_lib_t;
')
allow $1 xdm_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_search_xdm_lib'($*)) dnl
')
########################################
##
## Make an X executable an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.
##
##
#
define(`xserver_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_entry_type'($*)) dnl
gen_require(`
type xserver_exec_t;
')
domain_entry_file($1, xserver_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_entry_type'($*)) dnl
')
########################################
##
## Execute xsever in the xserver domain, and
## allow the specified role the xserver domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the xserver domain.
##
##
##
#
define(`xserver_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_run'($*)) dnl
gen_require(`
type xserver_t;
')
xserver_domtrans($1)
xserver_nnp_daemon_domain($1)
role $2 types xserver_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_run'($*)) dnl
')
########################################
##
## Execute xsever in the xserver domain, and
## allow the specified role the xserver domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the xserver domain.
##
##
##
#
define(`xserver_run_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_run_xauth'($*)) dnl
gen_require(`
type xauth_t;
')
xserver_domtrans_xauth($1)
role $2 types xauth_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_run_xauth'($*)) dnl
')
########################################
##
## Read user homedir fonts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`xserver_read_home_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_home_fonts'($*)) dnl
gen_require(`
type user_fonts_t, user_fonts_config_t;
')
list_dirs_pattern($1, user_fonts_t, user_fonts_t)
read_files_pattern($1, user_fonts_t, user_fonts_t)
read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_home_fonts'($*)) dnl
')
########################################
##
## Manage user fonts dir.
##
##
##
## Domain allowed access.
##
##
##
#
define(`xserver_manage_user_fonts_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_user_fonts_dir'($*)) dnl
gen_require(`
type user_fonts_t;
')
manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_user_fonts_dir'($*)) dnl
')
########################################
##
## Manage user homedir fonts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`xserver_manage_home_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_home_fonts'($*)) dnl
gen_require(`
type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
')
manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
manage_files_pattern($1, user_fonts_t, user_fonts_t)
manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_home_fonts'($*)) dnl
')
#######################################
##
## Transition to xserver .fontconfig named content
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_filetrans_fonts_cache_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_fonts_cache_home_content'($*)) dnl
gen_require(`
type user_fonts_cache_t;
')
userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_fonts_cache_home_content'($*)) dnl
')
########################################
##
## Transition to xserver named content
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_home_content'($*)) dnl
gen_require(`
type xdm_home_t, xauth_home_t, iceauth_home_t;
type user_home_t, user_fonts_t, user_fonts_cache_t;
type user_fonts_config_t;
')
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, "xsession-errors")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".vnc")
userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
optional_policy(`
gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
')
userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_home_content'($*)) dnl
')
########################################
##
## Create xserver content in admin home
## directory with a named file transition.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_admin_home_content'($*)) dnl
gen_require(`
type xdm_home_t, xauth_home_t, iceauth_home_t;
type user_home_t, user_fonts_t, user_fonts_cache_t;
type user_fonts_config_t;
')
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, "xsession-errors")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".vnc")
userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
optional_policy(`
gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## Create objects in a xdm temporary directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`xserver_xdm_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_tmp_filetrans'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
userdom_user_tmp_filetrans($1,$2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_tmp_filetrans'($*)) dnl
')
########################################
##
## Dontaudit search ssh home directory
##
##
##
## Domain to not audit.
##
##
#
define(`xserver_dontaudit_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_search_log'($*)) dnl
gen_require(`
type xserver_log_t;
')
dontaudit $1 xserver_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_search_log'($*)) dnl
')
########################################
##
## Manage keys for xdm.
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_rw_xdm_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_keys'($*)) dnl
gen_require(`
type xdm_t;
')
allow $1 xdm_t:key { read write setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_keys'($*)) dnl
')
######################################
##
## Transition to xdm named content
##
##
##
## Domain allowed access.
##
##
#
define(`xserver_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_named_content'($*)) dnl
gen_require(`
type xdm_var_run_t;
')
files_pid_filetrans($1, xdm_var_run_t, dir, "gdm")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_named_content'($*)) dnl
')
## Policy for user executable applications.
########################################
##
## Make the specified type usable as an application domain.
##
##
##
## Type to be used as a domain type.
##
##
#
define(`application_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_type'($*)) dnl
gen_require(`
attribute application_domain_type;
')
typeattribute $1 application_domain_type;
# start with basic domain
domain_type($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_type'($*)) dnl
')
########################################
##
## Make the specified type usable for files
## that are exectuables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`application_executable_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_executable_file'($*)) dnl
gen_require(`
attribute application_exec_type;
')
typeattribute $1 application_exec_type;
corecmd_executable_file($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_executable_file'($*)) dnl
')
#######################################
##
## Make the specified type usable for files
## that are exectuables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`application_executable_ioctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_executable_ioctl'($*)) dnl
gen_require(`
attribute application_exec_type;
')
allow $1 application_exec_type:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_executable_ioctl'($*)) dnl
')
########################################
##
## Execute application executables in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`application_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_exec'($*)) dnl
gen_require(`
attribute application_exec_type;
')
can_exec($1, application_exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_exec'($*)) dnl
')
########################################
##
## Execute all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`application_exec_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_exec_all'($*)) dnl
corecmd_dontaudit_exec_all_executables($1)
corecmd_exec_bin($1)
corecmd_exec_shell($1)
application_exec($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_exec_all'($*)) dnl
')
########################################
##
## Dontaudit execute all executable files.
##
##
##
## Domain to not audit.
##
##
#
define(`application_dontaudit_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_dontaudit_exec'($*)) dnl
gen_require(`
attribute application_exec_type;
')
dontaudit $1 application_exec_type:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_dontaudit_exec'($*)) dnl
')
########################################
##
## Create a domain for applications.
##
##
##
## Create a domain for applications. Typically these are
## programs that are run interactively.
##
##
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
##
##
##
##
## Type to be used as an application domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
#
define(`application_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_domain'($*)) dnl
application_type($1)
application_executable_file($2)
domain_entry_file($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_domain'($*)) dnl
')
########################################
##
## Send null signals to all application domains.
##
##
##
## Domain allowed access.
##
##
#
define(`application_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_signull'($*)) dnl
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_signull'($*)) dnl
')
########################################
##
## Do not audit attempts to send null signals
## to all application domains.
##
##
##
## Domain to not audit.
##
##
#
define(`application_dontaudit_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_dontaudit_signull'($*)) dnl
gen_require(`
attribute application_domain_type;
')
dontaudit $1 application_domain_type:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_dontaudit_signull'($*)) dnl
')
########################################
##
## Send general signals to all application domains.
##
##
##
## Domain allowed access.
##
##
#
define(`application_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_signal'($*)) dnl
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_signal'($*)) dnl
')
########################################
##
## Do not audit attempts to send general signals
## to all application domains.
##
##
##
## Domain to not audit.
##
##
#
define(`application_dontaudit_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_dontaudit_signal'($*)) dnl
gen_require(`
attribute application_domain_type;
')
dontaudit $1 application_domain_type:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_dontaudit_signal'($*)) dnl
')
########################################
##
## Send kill signals to all application domains.
##
##
##
## Domain allowed access.
##
##
#
define(`application_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_sigkill'($*)) dnl
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_sigkill'($*)) dnl
')
########################################
##
## Do not audit attempts to send kill signals
## to all application domains.
##
##
##
## Domain to not audit.
##
##
#
define(`application_dontaudit_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_dontaudit_sigkill'($*)) dnl
gen_require(`
attribute application_domain_type;
')
dontaudit $1 application_domain_type:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_dontaudit_sigkill'($*)) dnl
')
#######################################
##
## Getattr all application sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`application_getattr_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_getattr_socket'($*)) dnl
gen_require(`
attribute application_domain_type;
')
allow $1 application_domain_type:socket_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_getattr_socket'($*)) dnl
')
## Common policy for authentication and user login.
########################################
##
## Role access for password authentication.
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_role'($*)) dnl
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
')
role $1 types chkpwd_t;
# Transition from the user domain to this domain.
auth_domtrans_chkpwd($2)
ps_process_pattern($2, chkpwd_t)
dontaudit $2 shadow_t:file read_file_perms;
logging_send_syslog_msg($2)
logging_send_audit_msgs($2)
usermanage_read_crack_db($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_role'($*)) dnl
')
########################################
##
## Use PAM for authentication.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_use_pam',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_use_pam'($*)) dnl
# for SSP/ProPolice
dev_read_urand($1)
# for encrypted homedir
dev_read_sysfs($1)
auth_domtrans_chk_passwd($1)
auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1)
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
auth_create_lastlog($1)
auth_manage_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
init_rw_stream_sockets($1)
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
userdom_search_user_tmp_dirs($1)
optional_policy(`
dbus_system_bus_client($1)
optional_policy(`
consolekit_dbus_chat($1)
')
optional_policy(`
fprintd_dbus_chat($1)
')
')
optional_policy(`
kerberos_manage_host_rcache($1)
kerberos_read_config($1)
')
optional_policy(`
locallogin_getattr_home_content($1)
')
optional_policy(`
nis_authenticate($1)
')
optional_policy(`
systemd_dbus_chat_logind($1)
systemd_use_fds_logind($1)
systemd_write_inherited_logind_sessions_pipes($1)
systemd_read_logind_sessions_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_use_pam'($*)) dnl
')
########################################
##
## Make the specified domain used for a login program.
##
##
##
## Domain type used for a login program domain.
##
##
#
define(`auth_login_pgm_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_login_pgm_domain'($*)) dnl
gen_require(`
type var_auth_t, auth_cache_t;
attribute polydomain;
attribute login_pgm;
')
domain_type($1)
typeattribute $1 polydomain;
typeattribute $1 login_pgm;
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
role system_r types $1;
selinux_get_fs_mount($1)
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
mls_process_set_level($1)
mls_process_write_to_clearance($1)
mls_fd_share_all_levels($1)
auth_use_pam($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_login_pgm_domain'($*)) dnl
')
########################################
##
## Read authlogin state files.
##
##
##
## Domain allowed access.
##
##
#
define(`authlogin_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authlogin_read_state'($*)) dnl
gen_require(`
attribute polydomain;
')
kernel_search_proc($1)
ps_process_pattern($1, polydomain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authlogin_read_state'($*)) dnl
')
########################################
##
## Read and write a authlogin unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`authlogin_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authlogin_rw_pipes'($*)) dnl
gen_require(`
attribute polydomain;
')
allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authlogin_rw_pipes'($*)) dnl
')
########################################
##
## Use the login program as an entry point program.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_login_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_login_entry_type'($*)) dnl
gen_require(`
type login_exec_t;
')
domain_entry_file($1, login_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_login_entry_type'($*)) dnl
')
########################################
##
## Make the specified type usable as a
## login file.
##
##
##
## Make the specified type usable as a login file,
## This type has restricted modification capabilities when used with
## other interfaces that permit files_type access.
## The default type has properties similar to that of the shadow file.
## This will also make the type usable as a security file, making
## calls to files_security_file() redundant.
##
##
##
##
## Type to be used as a login file.
##
##
##
#
define(`auth_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_file'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_auth_file() instead.')
files_auth_file($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_file'($*)) dnl
')
########################################
##
## Execute a login_program in the target domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the login_program process.
##
##
#
define(`auth_domtrans_login_program',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_login_program'($*)) dnl
gen_require(`
type login_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, login_exec_t, $2)
allow $1 login_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_login_program'($*)) dnl
')
########################################
##
## Execute a login_program in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_exec_login_program',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_exec_login_program'($*)) dnl
gen_require(`
type login_exec_t;
')
corecmd_search_bin($1)
can_exec($1, login_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_exec_login_program'($*)) dnl
')
########################################
##
## Execute a login_program in the target domain,
## with a range transition.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the login_program process.
##
##
##
##
## Range of the login program.
##
##
#
define(`auth_ranged_domtrans_login_program',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_ranged_domtrans_login_program'($*)) dnl
gen_require(`
type login_exec_t;
')
auth_domtrans_login_program($1, $2)
ifdef(`enable_mcs',`
range_transition $1 login_exec_t:process $3;
')
ifdef(`enable_mls',`
range_transition $1 login_exec_t:process $3;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_ranged_domtrans_login_program'($*)) dnl
')
########################################
##
## Search authentication cache
##
##
##
## Domain allowed access.
##
##
#
define(`auth_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_search_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
allow $1 auth_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_search_cache'($*)) dnl
')
########################################
##
## Read authentication cache
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
read_files_pattern($1, auth_cache_t, auth_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_cache'($*)) dnl
')
########################################
##
## Read/Write authentication cache
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
rw_files_pattern($1, auth_cache_t, auth_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_cache'($*)) dnl
')
########################################
##
## Create authentication cache
##
##
##
## Domain allowed access.
##
##
#
define(`auth_create_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_create_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
create_files_pattern($1, auth_cache_t, auth_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_create_cache'($*)) dnl
')
########################################
##
## Manage authentication cache
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t)
allow $1 auth_cache_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_cache'($*)) dnl
')
#######################################
##
## Automatic transition from cache_t to cache.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_var_filetrans_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_var_filetrans_cache'($*)) dnl
gen_require(`
type auth_cache_t;
')
files_var_filetrans($1, auth_cache_t, { file dir } )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_var_filetrans_cache'($*)) dnl
')
########################################
##
## Run unix_chkpwd to check a password.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_chk_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_chk_passwd'($*)) dnl
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
type auth_cache_t;
')
allow $1 auth_cache_t:dir search_dir_perms;
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
allow $1 chkpwd_exec_t:file map;
dontaudit $1 shadow_t:file read_file_perms;
dev_read_rand($1)
dev_read_urand($1)
auth_use_nsswitch($1)
auth_rw_faillog($1)
logging_send_audit_msgs($1)
miscfiles_read_generic_certs($1)
optional_policy(`
kerberos_read_keytab($1)
')
optional_policy(`
pcscd_read_pid_files($1)
pcscd_stream_connect($1)
')
optional_policy(`
samba_stream_connect_winbind($1)
')
auth_domtrans_upd_passwd($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_chk_passwd'($*)) dnl
')
########################################
##
## Run unix_chkpwd to check a password.
## Stripped down version to be called within boolean
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_chkpwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_chkpwd'($*)) dnl
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
auth_domtrans_upd_passwd($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_chkpwd'($*)) dnl
')
########################################
##
## Execute chkpwd in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_exec_chkpwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_exec_chkpwd'($*)) dnl
gen_require(`
type chkpwd_exec_t;
')
allow $1 chkpwd_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_exec_chkpwd'($*)) dnl
')
########################################
##
## Execute chkpwd programs in the chkpwd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the chkpwd domain.
##
##
#
define(`auth_run_chk_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_chk_passwd'($*)) dnl
gen_require(`
type chkpwd_t;
')
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
auth_run_upd_passwd($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_chk_passwd'($*)) dnl
')
########################################
##
## Send generic signals to chkpwd processes.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_signal_chk_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_signal_chk_passwd'($*)) dnl
gen_require(`
type chkpwd_t;
')
allow $1 chkpwd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_signal_chk_passwd'($*)) dnl
')
########################################
##
## Execute a domain transition to run unix_update.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_upd_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_upd_passwd'($*)) dnl
gen_require(`
type updpwd_t, updpwd_exec_t;
')
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_upd_passwd'($*)) dnl
')
########################################
##
## Execute updpwd programs in the updpwd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the updpwd domain.
##
##
#
define(`auth_run_upd_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_upd_passwd'($*)) dnl
gen_require(`
type updpwd_t;
')
auth_domtrans_upd_passwd($1)
role $2 types updpwd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_upd_passwd'($*)) dnl
')
########################################
##
## Get the attributes of the shadow passwords file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_getattr_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_getattr_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
files_search_etc($1)
allow $1 shadow_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_getattr_shadow'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the shadow passwords file.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_getattr_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_getattr_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
dontaudit $1 shadow_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_getattr_shadow'($*)) dnl
')
########################################
##
## Mmap the shadow passwords file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_map_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_map_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
allow $1 shadow_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_map_shadow'($*)) dnl
')
########################################
##
## Read the shadow passwords file (/etc/shadow)
##
##
##
## Domain allowed access.
##
##
#
# cjp: these next three interfaces are split
# since typeattribute does not work in conditionals
# yet, otherwise they should be one interface.
#
define(`auth_read_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_shadow'($*)) dnl
auth_can_read_shadow_passwords($1)
auth_tunable_read_shadow($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_shadow'($*)) dnl
')
########################################
##
## Pass shadow assertion for reading.
##
##
##
## Pass shadow assertion for reading.
## This should only be used with
## auth_tunable_read_shadow(), and
## only exists because typeattribute
## does not work in conditionals.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_can_read_shadow_passwords',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_can_read_shadow_passwords'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords;
')
typeattribute $1 can_read_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_can_read_shadow_passwords'($*)) dnl
')
########################################
##
## Read the shadow password file.
##
##
##
## Read the shadow password file. This
## should only be used in a conditional;
## it does not pass the reading shadow
## assertion.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_tunable_read_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_tunable_read_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
files_list_etc($1)
allow $1 shadow_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_tunable_read_shadow'($*)) dnl
')
########################################
##
## Do not audit attempts to read the shadow
## password file (/etc/shadow).
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_read_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
dontaudit $1 shadow_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_shadow'($*)) dnl
')
########################################
##
## Read and write the shadow password file (/etc/shadow).
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_shadow'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
')
files_list_etc($1)
allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_shadow'($*)) dnl
')
########################################
##
## Create, read, write, and delete the shadow
## password file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_shadow'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
')
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
files_var_filetrans($1, shadow_t, file, "shadow")
files_var_filetrans($1, shadow_t, file, "shadow-")
files_etc_filetrans($1, shadow_t, file, "gshadow")
files_etc_filetrans($1, shadow_t, file, "nshadow")
files_etc_filetrans($1, shadow_t, file, "opasswd")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_shadow'($*)) dnl
')
#######################################
##
## Automatic transition from etc to shadow.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_etc_filetrans_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_etc_filetrans_shadow'($*)) dnl
gen_require(`
type shadow_t;
')
files_etc_filetrans($1, shadow_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_etc_filetrans_shadow'($*)) dnl
')
#######################################
##
## Relabel to the shadow
## password file type.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabelto_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabelto_shadow'($*)) dnl
gen_require(`
attribute can_relabelto_shadow_passwords;
type shadow_t;
')
files_search_etc($1)
allow $1 shadow_t:file relabelto;
typeattribute $1 can_relabelto_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabelto_shadow'($*)) dnl
')
#######################################
##
## Relabel from and to the shadow
## password file type.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabel_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_shadow'($*)) dnl
gen_require(`
attribute can_relabelto_shadow_passwords;
type shadow_t;
')
files_search_etc($1)
allow $1 shadow_t:file relabel_file_perms;
typeattribute $1 can_relabelto_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_shadow'($*)) dnl
')
#######################################
##
## Append to the login failure log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_append_faillog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_append_faillog'($*)) dnl
gen_require(`
type faillog_t;
')
logging_search_logs($1)
allow $1 faillog_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_append_faillog'($*)) dnl
')
########################################
##
## Read and write the login failure log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_faillog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_faillog'($*)) dnl
gen_require(`
type faillog_t;
')
logging_search_logs($1)
rw_files_pattern($1, faillog_t, faillog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_faillog'($*)) dnl
')
########################################
##
## Relabel the login failure log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabel_faillog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_faillog'($*)) dnl
gen_require(`
type faillog_t;
')
allow $1 faillog_t:dir relabel_dir_perms;
allow $1 faillog_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_faillog'($*)) dnl
')
########################################
##
## Manage the login failure log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_faillog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_faillog'($*)) dnl
gen_require(`
type faillog_t;
')
logging_search_logs($1)
files_search_pids($1)
allow $1 faillog_t:dir manage_dir_perms;
allow $1 faillog_t:file manage_file_perms;
logging_log_named_filetrans($1, faillog_t, file, "tallylog")
logging_log_named_filetrans($1, faillog_t, file, "faillog")
logging_log_named_filetrans($1, faillog_t, file, "btmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_faillog'($*)) dnl
')
#######################################
##
## Read the last logins log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`auth_read_lastlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
logging_search_logs($1)
allow $1 lastlog_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_lastlog'($*)) dnl
')
#######################################
##
## Append only to the last logins log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_append_lastlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_append_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
logging_search_logs($1)
allow $1 lastlog_t:file { append_file_perms lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_append_lastlog'($*)) dnl
')
#######################################
##
## Read and write to the last logins log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_lastlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
logging_search_logs($1)
allow $1 lastlog_t:file { rw_file_perms lock setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_lastlog'($*)) dnl
')
#######################################
##
## Manage create logins log.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_create_lastlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_create_lastlog'($*)) dnl
gen_require(`
type lastlog_t;
')
logging_search_logs($1)
allow $1 lastlog_t:file create;
logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_create_lastlog'($*)) dnl
')
########################################
##
## Execute pam timestamp programs in the pam timestamp domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_pam_timestamp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam_timestamp'($*)) dnl
gen_require(`
type pam_timestamp_t, pam_timestamp_exec_t;
')
domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_pam_timestamp'($*)) dnl
')
########################################
##
## Execute pam timestamp programs in the pam timestamp domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_pam',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam'($*)) dnl
auth_domtrans_pam_timestamp($1)
refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_pam'($*)) dnl
')
########################################
##
## Send generic signals to pam processes.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_signal_pam',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_signal_pam'($*)) dnl
gen_require(`
type pam_timestamp_t;
')
allow $1 pam_timestamp_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_signal_pam'($*)) dnl
')
########################################
##
## Execute pam_timestamp programs in the PAM timestamp domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the PAM domain.
##
##
#
define(`auth_run_pam_timestamp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_pam_timestamp'($*)) dnl
gen_require(`
type pam_timestamp_t;
')
auth_domtrans_pam_timestamp($1)
role $2 types pam_timestamp_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_pam_timestamp'($*)) dnl
')
########################################
##
## Execute pam_timestamp programs in the PAM timestamp domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the PAM domain.
##
##
#
define(`auth_run_pam',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_pam'($*)) dnl
auth_run_pam_timestamp($1, $2)
refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_pam'($*)) dnl
')
########################################
##
## Execute the pam program.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_exec_pam',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_exec_pam'($*)) dnl
gen_require(`
type pam_exec_t;
')
can_exec($1, pam_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_exec_pam'($*)) dnl
')
########################################
##
## Read var auth files. Used by various other applications
## and pam applets etc.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_var_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_var_auth'($*)) dnl
gen_require(`
type var_auth_t;
')
files_search_var($1)
read_files_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_var_auth'($*)) dnl
')
#######################################
##
## Read and write var auth files. Used by various other applications
## and pam applets etc.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_var_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_var_auth'($*)) dnl
gen_require(`
type var_auth_t;
')
files_search_var($1)
rw_files_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_var_auth'($*)) dnl
')
########################################
##
## Manage var auth files. Used by various other applications
## and pam applets etc.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_var_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_var_auth'($*)) dnl
gen_require(`
type var_auth_t;
')
files_search_var($1)
manage_dirs_pattern($1, var_auth_t, var_auth_t)
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_var_auth'($*)) dnl
')
########################################
##
## Relabel all var auth files. Used by various other applications
## and pam applets etc.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabel_var_auth_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_var_auth_dirs'($*)) dnl
gen_require(`
type var_auth_t;
')
files_search_var($1)
relabel_dirs_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_var_auth_dirs'($*)) dnl
')
########################################
##
## Read PAM PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
files_search_pids($1)
allow $1 pam_var_run_t:dir list_dir_perms;
allow $1 pam_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_pam_pid'($*)) dnl
')
#######################################
##
## Do not audit attemps to read PAM PID files.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_read_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
dontaudit $1 pam_var_run_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_pam_pid'($*)) dnl
')
########################################
##
## Delete pam PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_delete_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_delete_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
files_search_pids($1)
allow $1 pam_var_run_t:dir del_entry_dir_perms;
allow $1 pam_var_run_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_delete_pam_pid'($*)) dnl
')
########################################
##
## Manage pam PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_pam_pid'($*)) dnl
gen_require(`
type pam_var_run_t;
')
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
files_pid_filetrans($1, pam_var_run_t, dir, "pam_timestamp")
files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_pam_pid'($*)) dnl
')
########################################
##
## Execute pam_console with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_pam_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam_console'($*)) dnl
gen_require(`
type pam_console_t, pam_console_exec_t;
')
domtrans_pattern($1, pam_console_exec_t, pam_console_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_pam_console'($*)) dnl
')
########################################
##
## Execute pam_console in the pam timestamp domain
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow transitioning into the pam_console_t domain.
##
##
#
define(`auth_run_pam_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_pam_console'($*)) dnl
gen_require(`
type pam_console_t;
')
auth_domtrans_pam_console($1)
role $2 types pam_console_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_pam_console'($*)) dnl
')
########################################
##
## Search the contents of the
## pam_console data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_search_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_search_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_search_pids($1)
allow $1 pam_var_console_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_search_pam_console_data'($*)) dnl
')
########################################
##
## List the contents of the pam_console
## data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_list_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_list_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_search_pids($1)
allow $1 pam_var_console_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_list_pam_console_data'($*)) dnl
')
########################################
##
## Create pam var console pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_create_pam_console_data_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_create_pam_console_data_dirs'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_search_pids($1)
allow $1 pam_var_console_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_create_pam_console_data_dirs'($*)) dnl
')
########################################
##
## Relabel pam_console data directories.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabel_pam_console_data_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_pam_console_data_dirs'($*)) dnl
gen_require(`
type pam_var_console_t;
')
relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_pam_console_data_dirs'($*)) dnl
')
########################################
##
## Read pam_console data files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_search_pids($1)
allow $1 pam_var_console_t:dir list_dir_perms;
allow $1 pam_var_console_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_pam_console_data'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## pam_console data files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
files_pid_filetrans($1, pam_var_console_t, dir, "console")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_pam_console_data'($*)) dnl
')
#######################################
##
## Delete pam_console data.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_delete_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_delete_pam_console_data'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_search_var($1)
files_search_pids($1)
delete_files_pattern($1, pam_var_console_t, pam_var_console_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_delete_pam_console_data'($*)) dnl
')
########################################
##
## Create specified objects in
## pid directories with the pam var
## console pid file type using a
## file type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`auth_pid_filetrans_pam_var_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_pid_filetrans_pam_var_console'($*)) dnl
gen_require(`
type pam_var_console_t;
')
files_pid_filetrans($1, pam_var_console_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_pid_filetrans_pam_var_console'($*)) dnl
')
########################################
##
## Read all directories on the filesystem, except
## login files and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_read_all_dirs_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_dirs_except_auth_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_list_non_auth_dirs() instead.')
files_list_non_auth_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_dirs_except_auth_files'($*)) dnl
')
########################################
##
## Read all directories on the filesystem, except
## the shadow passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_read_all_dirs_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_dirs_except_shadow'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_list_non_auth_dirs() instead.')
files_list_non_auth_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_dirs_except_shadow'($*)) dnl
')
########################################
##
## Read all files on the filesystem, except
## login files and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`auth_read_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_files_except_auth_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_files() instead.')
files_read_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_files_except_auth_files'($*)) dnl
')
########################################
##
## Read all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
##
#
define(`auth_read_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_files_except_shadow'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_files() instead.')
files_read_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_files_except_shadow'($*)) dnl
')
########################################
##
## Read all symbolic links on the filesystem, except
## login files and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_read_all_symlinks_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_symlinks_except_auth_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_symlinks() instead.')
files_read_non_auth_symlinks($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_symlinks_except_auth_files'($*)) dnl
')
########################################
##
## Read all symbolic links on the filesystem, except
## the shadow passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_read_all_symlinks_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_symlinks_except_shadow'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_symlinks() instead.')
files_read_non_auth_symlinks($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_symlinks_except_shadow'($*)) dnl
')
#######################################
##
## Relabel all files on the filesystem, except
## login files and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_relabel_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_all_files_except_auth_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_relabel_non_auth_files() instead.')
files_relabel_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_all_files_except_auth_files'($*)) dnl
')
########################################
##
## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_relabel_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_all_files_except_shadow'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_relabel_non_auth_files() instead.')
files_relabel_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_all_files_except_shadow'($*)) dnl
')
########################################
##
## Read and write all files on the filesystem, except
## login files and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_rw_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_all_files_except_auth_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_rw_non_auth_files() instead.')
files_rw_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_all_files_except_auth_files'($*)) dnl
')
########################################
##
## Read and write all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_rw_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_all_files_except_shadow'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_rw_non_auth_files() instead.')
files_rw_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_all_files_except_shadow'($*)) dnl
')
########################################
##
## Manage all files on the filesystem, except
## login files passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_manage_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_all_files_except_auth_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_manage_non_auth_files() instead.')
files_manage_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_all_files_except_auth_files'($*)) dnl
')
########################################
##
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
##
##
## Domain allowed access.
##
##
##
##
## The types to be excluded. Each type or attribute
## must be negated by the caller.
##
##
#
define(`auth_manage_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_all_files_except_shadow'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use files_manage_non_auth_files() instead.')
files_manage_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_all_files_except_shadow'($*)) dnl
')
########################################
##
## Execute utempter programs in the utempter domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_utempter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_utempter'($*)) dnl
gen_require(`
type utempter_t, utempter_exec_t;
')
domtrans_pattern($1, utempter_exec_t, utempter_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_utempter'($*)) dnl
')
########################################
##
## Execute utempter programs in the utempter domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the utempter domain.
##
##
#
define(`auth_run_utempter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_utempter'($*)) dnl
gen_require(`
type utempter_t;
')
auth_domtrans_utempter($1)
role $2 types utempter_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_utempter'($*)) dnl
')
#######################################
##
## Do not audit attemps to execute utempter executable.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_exec_utempter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_exec_utempter'($*)) dnl
gen_require(`
type utempter_exec_t;
')
dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_exec_utempter'($*)) dnl
')
########################################
##
## Set the attributes of login record files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_setattr_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_setattr_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file setattr;
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_setattr_login_records'($*)) dnl
')
########################################
##
## Relabel login record files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabel_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_login_records'($*)) dnl
')
########################################
##
## Read login records files (/var/log/wtmp).
##
##
##
## Domain allowed access.
##
##
##
#
define(`auth_read_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
logging_search_logs($1)
allow $1 wtmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_login_records'($*)) dnl
')
########################################
##
## Do not audit attempts to read login records
## files (/var/log/wtmp).
##
##
##
## Domain to not audit.
##
##
##
#
define(`auth_dontaudit_read_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
dontaudit $1 wtmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_login_records'($*)) dnl
')
########################################
##
## Do not audit attempts to write to
## login records files.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_write_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_write_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
dontaudit $1 wtmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_write_login_records'($*)) dnl
')
#######################################
##
## Append to login records (wtmp).
##
##
##
## Domain allowed access.
##
##
#
define(`auth_append_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_append_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file append_file_perms;
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_append_login_records'($*)) dnl
')
#######################################
##
## Write to login records (wtmp).
##
##
##
## Domain allowed access.
##
##
#
define(`auth_write_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_write_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file { write_file_perms lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_write_login_records'($*)) dnl
')
########################################
##
## Read and write login records.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
allow $1 wtmp_t:file rw_file_perms;
logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_login_records'($*)) dnl
')
########################################
##
## Create a login records in the log directory
## using a type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_log_filetrans_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_log_filetrans_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
logging_log_filetrans($1, wtmp_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_log_filetrans_login_records'($*)) dnl
')
########################################
##
## Create, read, write, and delete login
## records files.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_login_records'($*)) dnl
gen_require(`
type wtmp_t;
')
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_login_records'($*)) dnl
')
########################################
##
## Read access to the authlogin module.
##
##
##
## Read access to the authlogin module.
##
##
## Currently, this only allows assertions for
## the shadow passwords file (/etc/shadow) to
## be passed. No access is granted yet.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_reader_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_reader_shadow'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords;
')
typeattribute $1 can_read_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_reader_shadow'($*)) dnl
')
########################################
##
## Write access to the authlogin module.
##
##
##
## Write access to the authlogin module.
##
##
## Currently, this only allows assertions for
## the shadow passwords file (/etc/shadow) to
## be passed. No access is granted yet.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_writer_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_writer_shadow'($*)) dnl
gen_require(`
attribute can_write_shadow_passwords;
')
typeattribute $1 can_write_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_writer_shadow'($*)) dnl
')
########################################
##
## Use nsswitch to look up user, password, group, or
## host information.
##
##
##
## Allow the specified domain to look up user, password,
## group, or host information using the name service.
## The most common use of this interface is for services
## that do host name resolution (usually DNS resolution).
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`auth_use_nsswitch',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_use_nsswitch'($*)) dnl
gen_require(`
attribute nsswitch_domain;
')
typeattribute $1 nsswitch_domain;
corenet_all_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_use_nsswitch'($*)) dnl
')
########################################
##
## Unconfined access to the authlogin module.
##
##
##
## Unconfined access to the authlogin module.
##
##
## Currently, this only allows assertions for
## the shadow passwords file (/etc/shadow) to
## be passed. No access is granted yet.
##
##
##
##
## Domain allowed access.
##
##
#
define(`auth_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_unconfined'($*)) dnl
gen_require(`
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
')
typeattribute $1 can_read_shadow_passwords;
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_unconfined'($*)) dnl
')
########################################
##
## Transition to authlogin named content
##
##
##
## Domain allowed access.
##
##
#
define(`auth_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_named_content'($*)) dnl
gen_require(`
type shadow_t;
type passwd_file_t;
type faillog_t;
type lastlog_t;
type wtmp_t;
type pam_var_console_t;
type pam_var_run_t;
type auth_cache_t;
')
files_etc_filetrans($1, passwd_file_t, file, "group")
files_etc_filetrans($1, passwd_file_t, file, "group-")
#files_etc_filetrans($1, passwd_file_t, file, "group+")
files_etc_filetrans($1, passwd_file_t, file, "passwd")
files_etc_filetrans($1, passwd_file_t, file, "passwd-")
#files_etc_filetrans($1, passwd_file_t, file, "passwd+")
files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
files_etc_filetrans($1, passwd_file_t, file, "group.lock")
files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
files_etc_filetrans($1, shadow_t, file, "shadow")
files_etc_filetrans($1, shadow_t, file, "shadow-")
files_etc_filetrans($1, shadow_t, file, "gshadow")
files_etc_filetrans($1, shadow_t, file, "opasswd")
logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
logging_log_named_filetrans($1, faillog_t, file, "tallylog")
logging_log_named_filetrans($1, faillog_t, file, "faillog")
logging_log_named_filetrans($1, faillog_t, file, "btmp")
files_pid_filetrans($1, faillog_t, file, "faillog")
files_pid_filetrans($1, faillog_t, dir, "faillock")
files_pid_filetrans($1, pam_var_console_t, dir, "console")
files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
files_var_filetrans($1, auth_cache_t, dir, "coolkey")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_named_content'($*)) dnl
')
########################################
##
## Get the attributes of the passwd passwords file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_getattr_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_getattr_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
files_search_etc($1)
allow $1 passwd_file_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_getattr_passwd'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of the passwd passwords file.
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_getattr_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_getattr_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
dontaudit $1 passwd_file_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_getattr_passwd'($*)) dnl
')
########################################
##
## Read the passwd passwords file (/etc/passwd)
## Allow to use sss nsswitch module for passwd and group.
## Allow to use systemd nsswitch module for passwd and group
## which is used for dynamic users.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
allow $1 passwd_file_t:file read_file_perms;
optional_policy(`
sssd_read_public_files($1)
sssd_stream_connect($1)
')
init_dbus_chat($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_passwd'($*)) dnl
')
########################################
##
## Mmap the passwd passwords file (/etc/passwd)
##
##
##
## Domain allowed access.
##
##
#
define(`auth_map_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_map_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
allow $1 passwd_file_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_map_passwd'($*)) dnl
')
########################################
##
## Do not audit attempts to read the passwd
## password file (/etc/passwd).
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_read_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
dontaudit $1 passwd_file_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_passwd'($*)) dnl
')
########################################
##
## Create, read, write, and delete the passwd
## password file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
files_rw_etc_dirs($1)
allow $1 passwd_file_t:file manage_file_perms;
files_etc_filetrans($1, passwd_file_t, file, "passwd")
files_etc_filetrans($1, passwd_file_t, file, "passwd-")
files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
files_etc_filetrans($1, passwd_file_t, file, "group")
files_etc_filetrans($1, passwd_file_t, file, "group-")
files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
files_etc_filetrans($1, passwd_file_t, file, "group.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_passwd'($*)) dnl
')
########################################
##
## Watch the passwd passwords file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_watch_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_watch_passwd'($*)) dnl
gen_require(`
type passwd_file_t;
')
files_search_etc($1)
allow $1 passwd_file_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_watch_passwd'($*)) dnl
')
########################################
##
## Create auth directory in the /root directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_admin_home_content'($*)) dnl
gen_require(`
type auth_home_t;
')
userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## Read the authorization data in the user home directory
##
##
##
## Domain allowed access.
##
##
#
define(`auth_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_home_content'($*)) dnl
gen_require(`
type auth_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, auth_home_t, auth_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_home_content'($*)) dnl
')
########################################
##
## Read the authorization data in the user home directory
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_home_content'($*)) dnl
gen_require(`
type auth_home_t;
')
userdom_search_user_home_dirs($1)
manage_files_pattern($1, auth_home_t, auth_home_t)
manage_dirs_pattern($1, auth_home_t, auth_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_home_content'($*)) dnl
')
########################################
##
## Create auth directory in the user home directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_home_content'($*)) dnl
gen_require(`
type auth_home_t;
')
userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_home_content'($*)) dnl
')
########################################
##
## Create auth directory in the config home directory
## with a correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_filetrans_auth_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_auth_home_content'($*)) dnl
gen_require(`
type auth_home_t;
')
optional_policy(`
gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_auth_home_content'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to login programs.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_login_pgm_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_login_pgm_sigchld'($*)) dnl
gen_require(`
attribute login_pgm;
')
allow $1 login_pgm:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_login_pgm_sigchld'($*)) dnl
')
########################################
##
## Manage the keyrings of all login programs
##
##
##
## Domain allowed access.
##
##
#
define(`auth_login_manage_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_login_manage_key'($*)) dnl
gen_require(`
attribute login_pgm;
')
allow $1 login_pgm:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_login_manage_key'($*)) dnl
')
## Policy for reading and setting the hardware clock.
########################################
##
## Execute hwclock in the clock domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`clock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_domtrans'($*)) dnl
gen_require(`
type hwclock_t, hwclock_exec_t;
')
domtrans_pattern($1, hwclock_exec_t, hwclock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_domtrans'($*)) dnl
')
########################################
##
## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`clock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_run'($*)) dnl
gen_require(`
type hwclock_t;
')
clock_domtrans($1)
role $2 types hwclock_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_run'($*)) dnl
')
########################################
##
## Execute hwclock in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`clock_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_exec'($*)) dnl
gen_require(`
type hwclock_exec_t;
')
can_exec($1, hwclock_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_exec'($*)) dnl
')
########################################
##
## Read clock drift adjustments.
##
##
##
## Domain allowed access.
##
##
#
define(`clock_read_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_read_adjtime'($*)) dnl
gen_require(`
type adjtime_t;
')
files_list_etc($1)
allow $1 adjtime_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_read_adjtime'($*)) dnl
')
########################################
##
## Do not audit attempts to write clock drift adjustments.
##
##
##
## Domain to not audit.
##
##
#
define(`clock_dontaudit_write_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_dontaudit_write_adjtime'($*)) dnl
gen_require(`
type adjtime_t;
')
dontaudit $1 adjtime_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_dontaudit_write_adjtime'($*)) dnl
')
########################################
##
## Read and write clock drift adjustments.
##
##
##
## Domain allowed access.
##
##
#
define(`clock_rw_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_rw_adjtime'($*)) dnl
gen_require(`
type adjtime_t;
')
allow $1 adjtime_t:file rw_file_perms;
files_list_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_rw_adjtime'($*)) dnl
')
########################################
##
## Manage clock drift adjustments.
##
##
##
## Domain allowed access.
##
##
#
define(`clock_manage_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_manage_adjtime'($*)) dnl
gen_require(`
type adjtime_t;
')
allow $1 adjtime_t:file manage_file_perms;
files_list_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_manage_adjtime'($*)) dnl
')
########################################
##
## Transition to systemd clock content
##
##
##
## Domain allowed access.
##
##
#
define(`clock_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_filetrans_named_content'($*)) dnl
gen_require(`
type adjtime_t;
')
files_etc_filetrans($1, adjtime_t, file, "adjtime" )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_filetrans_named_content'($*)) dnl
')
## Tools for filesystem management, such as mkfs and fsck.
########################################
##
## Execute fs tools in the fstools domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`fstools_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_domtrans'($*)) dnl
gen_require(`
type fsadm_t, fsadm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fsadm_exec_t, fsadm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_domtrans'($*)) dnl
')
########################################
##
## Execute fs tools in the fstools domain, and
## allow the specified role the fs tools domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`fstools_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_run'($*)) dnl
gen_require(`
type fsadm_t;
')
fstools_domtrans($1)
role $2 types fsadm_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_run'($*)) dnl
')
########################################
##
## Execute fsadm in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_exec'($*)) dnl
gen_require(`
type fsadm_exec_t;
')
can_exec($1, fsadm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_exec'($*)) dnl
')
########################################
##
## Send signal to fsadm process
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_signal'($*)) dnl
gen_require(`
type fsadm_t;
')
allow $1 fsadm_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_signal'($*)) dnl
')
########################################
##
## Read fstools unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_read_pipes'($*)) dnl
gen_require(`
type fsadm_t;
')
allow $1 fsadm_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_read_pipes'($*)) dnl
')
########################################
##
## Relabel a file to the type used by the
## filesystem tools programs.
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_relabelto_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_relabelto_entry_files'($*)) dnl
gen_require(`
type fsadm_exec_t;
')
allow $1 fsadm_exec_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_relabelto_entry_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete a file used by the
## filesystem tools programs.
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_manage_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_manage_entry_files'($*)) dnl
gen_require(`
type fsadm_exec_t;
')
allow $1 fsadm_exec_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_manage_entry_files'($*)) dnl
')
########################################
##
## Getattr swapfile
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_getattr_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_getattr_swap_files'($*)) dnl
gen_require(`
type swapfile_t;
')
allow $1 swapfile_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_getattr_swap_files'($*)) dnl
')
########################################
##
## Read swapfile
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_read_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_read_swap_files'($*)) dnl
gen_require(`
type swapfile_t;
')
allow $1 swapfile_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_read_swap_files'($*)) dnl
')
########################################
##
## Read/Write swapfile
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_rw_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_rw_swap_files'($*)) dnl
gen_require(`
type swapfile_t;
')
allow $1 swapfile_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_rw_swap_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete the FSADM pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`fsadm_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fsadm_manage_pid'($*)) dnl
gen_require(`
type fsadm_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
fstools_filetrans_named_content_fsadm($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fsadm_manage_pid'($*)) dnl
')
########################################
##
## Transition to systemd content
##
##
##
## Domain allowed access.
##
##
#
define(`fstools_filetrans_named_content_fsadm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_filetrans_named_content_fsadm'($*)) dnl
gen_require(`
type fsadm_var_run_t;
')
files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
files_pid_filetrans($1, fsadm_var_run_t, dir, "fsck")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_filetrans_named_content_fsadm'($*)) dnl
')
## Policy for getty.
########################################
##
## Execute gettys in the getty domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`getty_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_domtrans'($*)) dnl
gen_require(`
type getty_t, getty_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, getty_exec_t, getty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_domtrans'($*)) dnl
')
########################################
##
## Inherit and use getty file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`getty_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_use_fds'($*)) dnl
gen_require(`
type getty_t;
')
allow $1 getty_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_use_fds'($*)) dnl
')
########################################
##
## Allow process to read getty log file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`getty_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_read_log'($*)) dnl
gen_require(`
type getty_log_t;
')
logging_search_logs($1)
allow $1 getty_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_read_log'($*)) dnl
')
########################################
##
## Allow process to read getty config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`getty_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_read_config'($*)) dnl
gen_require(`
type getty_etc_t;
')
files_search_etc($1)
allow $1 getty_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_read_config'($*)) dnl
')
########################################
##
## Allow process to edit getty config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`getty_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_rw_config'($*)) dnl
gen_require(`
type getty_etc_t;
')
files_search_etc($1)
allow $1 getty_etc_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_rw_config'($*)) dnl
')
########################################
##
## Execute getty server in the getty domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`getty_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_systemctl'($*)) dnl
gen_require(`
type getty_unit_file_t;
type getty_t;
')
systemd_exec_systemctl($1)
allow $1 getty_unit_file_t:file read_file_perms;
allow $1 getty_unit_file_t:service manage_service_perms;
ps_process_pattern($1, getty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_systemctl'($*)) dnl
')
########################################
##
## Start getty unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`getty_start_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_start_services'($*)) dnl
gen_require(`
type getty_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 getty_unit_file_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_start_services'($*)) dnl
')
## Policy for changing the system host name.
########################################
##
## Execute hostname in the hostname domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`hostname_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_domtrans'($*)) dnl
gen_require(`
type hostname_t, hostname_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, hostname_exec_t, hostname_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostname_domtrans'($*)) dnl
')
########################################
##
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`hostname_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_run'($*)) dnl
gen_require(`
type hostname_t;
')
hostname_domtrans($1)
role $2 types hostname_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostname_run'($*)) dnl
')
########################################
##
## Execute hostname in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`hostname_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_exec'($*)) dnl
gen_require(`
type hostname_exec_t;
')
corecmd_search_bin($1)
can_exec($1, hostname_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostname_exec'($*)) dnl
')
## System initialization programs (init and init scripts).
######################################
##
## initrc stub interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`init_stub_initrc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stub_initrc'($*)) dnl
gen_require(`
type initrc_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stub_initrc'($*)) dnl
')
########################################
##
## Create a file type used for init scripts.
##
##
##
## Create a file type used for init scripts. It can not be
## used in conjunction with init_script_domain(). These
## script files are typically stored in the /etc/init.d directory.
##
##
## Typically this is used to constrain what services an
## admin can start/stop. For example, a policy writer may want
## to constrain a web administrator to only being able to
## restart the web server, not other services. This special type
## will help address that goal.
##
##
## This also makes the type usable for files; thus an
## explicit call to files_type() is redundant.
##
##
##
##
## Type to be used for a script file.
##
##
##
#
define(`init_script_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_file'($*)) dnl
gen_require(`
type initrc_t;
attribute init_script_file_type, init_run_all_scripts_domain;
')
typeattribute $1 init_script_file_type;
domain_entry_file(initrc_t, $1)
domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_file'($*)) dnl
')
########################################
##
## Create a domain used for init scripts.
##
##
##
## Create a domain used for init scripts.
## Can not be used in conjunction with
## init_script_file().
##
##
##
##
## Type to be used as an init script domain.
##
##
##
##
## Type of the script file used as an entry point to this domain.
##
##
#
define(`init_script_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_domain'($*)) dnl
gen_require(`
attribute init_script_domain_type, init_script_file_type;
attribute init_run_all_scripts_domain;
')
typeattribute $1 init_script_domain_type;
typeattribute $2 init_script_file_type;
domain_type($1)
domain_entry_file($1, $2)
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_domain'($*)) dnl
')
########################################
##
## Create a domain which can be started by init.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`init_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domain'($*)) dnl
gen_require(`
type init_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(init_t, $2, $1)
allow init_t $1:unix_stream_socket create_stream_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
allow init_t $1:process2 { nnp_transition nosuid_transition };
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds($1)
')
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_domain'($*)) dnl
')
########################################
##
## Allow SELinux Domain trasition from sytemd
## into confined domain with NoNewPrivileges
## Systemd Security feature.
##
##
##
## Domain allowed access.
##
##
#
define(`init_nnp_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_nnp_daemon_domain'($*)) dnl
gen_require(`
type init_t;
')
allow init_t $1:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_nnp_daemon_domain'($*)) dnl
')
########################################
##
## Create a domain which can be started by init,
## with a range transition.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
#
define(`init_ranged_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_domain'($*)) dnl
gen_require(`
type init_t;
')
init_domain($1, $2)
ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition init_t $2:process $3;
mls_rangetrans_target($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_domain'($*)) dnl
')
########################################
##
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
##
##
##
## Create a domain for long running processes (daemons/services)
## which are started by init scripts. Short running processes
## should use the init_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
##
##
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
##
##
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_daemon_domain() should be used instead.
##
##
##
##
## Type to be used as a daemon domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
#
define(`init_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_daemon_domain'($*)) dnl
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type init_t;
role system_r;
attribute daemon;
attribute initrc_transition_domain;
attribute initrc_domain;
')
typeattribute $1 daemon;
typeattribute $2 direct_init_entry;
domain_type($1)
domain_entry_file($1, $2)
type_transition initrc_domain $2:process $1;
ifdef(`direct_sysadm_daemon',`
type_transition direct_run_init $2:process $1;
typeattribute $1 direct_init;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_daemon_domain'($*)) dnl
')
#######################################
##
## Create initrc domain.
##
##
##
## Type to be used as a initrc daemon domain.
##
##
#
define(`init_initrc_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_initrc_domain'($*)) dnl
gen_require(`
attribute initrc_domain;
')
typeattribute $1 initrc_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_initrc_domain'($*)) dnl
')
########################################
##
## Create a domain for long running processes
## (daemons/services) which are started by init scripts,
## running at a specified MLS/MCS range.
##
##
##
## Create a domain for long running processes (daemons/services)
## which are started by init scripts, running at a specified
## MLS/MCS range. Short running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
##
##
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
##
##
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_daemon_domain().
##
##
##
##
## Type to be used as a daemon domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## MLS/MCS range for the domain.
##
##
##
#
define(`init_ranged_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_daemon_domain'($*)) dnl
gen_require(`
type initrc_t;
type init_t;
')
# init_daemon_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
range_transition init_t $2:process $3;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_daemon_domain'($*)) dnl
')
########################################
##
## Create a domain for short running processes
## which are started by init scripts.
##
##
##
## Create a domain for short running processes
## which are started by init scripts. These are generally applications that
## are used to initialize the system during boot.
## Long running processes, such as daemons/services
## should use the init_daemon_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
##
##
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
##
##
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_system_domain() should be used instead.
##
##
##
##
## Type to be used as a system domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
#
define(`init_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_system_domain'($*)) dnl
gen_require(`
type init_t;
role system_r;
attribute initrc_transition_domain;
attribute systemprocess, systemprocess_entry;
attribute initrc_domain;
')
typeattribute $1 systemprocess;
application_domain($1, $2)
role system_r types $1;
typeattribute $2 systemprocess_entry;
type_transition initrc_domain $2:process $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_system_domain'($*)) dnl
')
########################################
##
## Create a domain for short running processes
## which are started by init scripts.
##
##
##
## Create a domain for long running processes (daemons/services)
## which are started by init scripts.
## These are generally applications that
## are used to initialize the system during boot.
## Long running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
##
##
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
##
##
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_system_domain().
##
##
##
##
## Type to be used as a system domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
##
#
define(`init_ranged_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_system_domain'($*)) dnl
gen_require(`
type initrc_t;
type init_t;
')
init_system_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
range_transition init_t $2:process $3;
mls_rangetrans_target($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_system_domain'($*)) dnl
')
######################################
##
## Allow domain dyntransition to init_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`init_dyntrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dyntrans'($*)) dnl
gen_require(`
type init_t;
')
dyntrans_pattern($1, init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dyntrans'($*)) dnl
')
########################################
##
## Mark the file type as a daemon run dir, allowing initrc_t
## to create it
##
##
##
## Type to mark as a daemon run dir
##
##
##
##
## Filename of the directory that the init script creates
##
##
#
define(`init_daemon_run_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_daemon_run_dir'($*)) dnl
gen_require(`
attribute daemonrundir;
type initrc_t;
')
typeattribute $1 daemonrundir;
files_pid_filetrans(initrc_t, $1, dir, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_daemon_run_dir'($*)) dnl
')
########################################
##
## Execute init (/sbin/init) with a domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`init_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domtrans'($*)) dnl
gen_require(`
type init_t, init_exec_t;
')
domtrans_pattern($1, init_exec_t, init_t)
allow $1 init_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_domtrans'($*)) dnl
')
########################################
##
## Allow any file point to be the entrypoint of this domain.
##
##
##
## Domain allowed access.
##
##
#
define(`init_entrypoint_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_entrypoint_exec'($*)) dnl
gen_require(`
type init_exec_t;
')
allow $1 init_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_entrypoint_exec'($*)) dnl
')
########################################
##
## Execute the init program in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`init_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec'($*)) dnl
gen_require(`
type init_exec_t;
')
corecmd_search_bin($1)
can_exec($1, init_exec_t)
optional_policy(`
systemd_exec_systemctl($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec'($*)) dnl
')
#######################################
##
## Check access to the init/systemd executable.
##
##
##
## Domain allowed access.
##
##
#
define(`init_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_access_check'($*)) dnl
gen_require(`
type init_exec_t;
')
corecmd_search_bin($1)
allow $1 init_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_access_check'($*)) dnl
')
#######################################
##
## Dontaudit getattr on the init program.
##
##
##
## Domain allowed access.
##
##
##
#
define(`init_dontaudit_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_exec'($*)) dnl
gen_require(`
type init_exec_t;
')
dontaudit $1 init_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_exec'($*)) dnl
')
########################################
##
## Execute the rc application in the caller domain.
##
##
##
## This is only applicable to Gentoo or distributions that use the OpenRC
## init system.
##
##
## The OpenRC /sbin/rc binary is used for both init scripts as well as
## management applications and tools. When used for management purposes,
## calling /sbin/rc should never cause a transition to initrc_t.
##
##
##
##
## Domain allowed access.
##
##
#
define(`init_exec_rc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec_rc'($*)) dnl
gen_require(`
type rc_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec_rc'($*)) dnl
')
########################################
##
## Get the process group of init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getpgid'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getpgid'($*)) dnl
')
########################################
##
## Send init a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signull'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signull'($*)) dnl
')
########################################
##
## Send init a SIGCHLD signal.
##
##
##
## Domain allowed access.
##
##
#
define(`init_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigchld'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sigchld'($*)) dnl
')
########################################
##
## Send generic signals to init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signal'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signal'($*)) dnl
')
########################################
##
## Create objects in the init_var_lib_t directories
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`init_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_var_lib_filetrans'($*)) dnl
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_var_lib_filetrans'($*)) dnl
')
#########################################
##
## Abstract socket service activation (systemd).
##
##
##
## The domain to be started by systemd socket activation.
##
##
#
define(`init_abstract_socket_activation',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_abstract_socket_activation'($*)) dnl
gen_require(`
type init_t;
')
allow init_t $1:unix_stream_socket create_stream_socket_perms;
allow init_t $1:tcp_socket create_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_abstract_socket_activation'($*)) dnl
')
#########################################
##
## Named socket service activation (systemd).
##
##
##
## The domain to be started by systemd socket activation.
##
##
##
##
## The domain socket file type.
##
##
##
##
## The name of the object being created.
##
##
#
define(`init_named_socket_activation',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_named_socket_activation'($*)) dnl
gen_require(`
type init_t;
')
allow init_t $1:unix_dgram_socket create_socket_perms;
allow init_t $1:unix_stream_socket create_stream_socket_perms;
allow init_t $2:dir manage_dir_perms;
allow init_t $2:fifo_file manage_fifo_file_perms;
allow init_t $2:sock_file manage_sock_file_perms;
allow init_t $2:lnk_file manage_lnk_file_perms;
files_pid_filetrans(init_t, $2, { dir lnk_file sock_file fifo_file }, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_named_socket_activation'($*)) dnl
')
########################################
##
## Connect to init with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connect'($*)) dnl
gen_require(`
type init_t, init_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
allow $1 init_t:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connect'($*)) dnl
')
########################################
##
## Connect to init with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_stream_connectto',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connectto'($*)) dnl
gen_require(`
type init_t;
')
files_search_pids($1)
allow $1 init_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connectto'($*)) dnl
')
#######################################
##
## Dontaudit Connect to init with a unix socket.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_stream_connect'($*)) dnl
gen_require(`
type init_t;
')
dontaudit $1 init_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_stream_connect'($*)) dnl
')
######################################
##
## Dontaudit getattr to init with a unix socket.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_getattr_stream_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_stream_socket'($*)) dnl
gen_require(`
type init_t;
')
dontaudit $1 init_t:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_stream_socket'($*)) dnl
')
######################################
##
## Dontaudit read and write to init with a unix socket.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_rw_stream_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_stream_socket'($*)) dnl
gen_require(`
type init_t;
')
dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_stream_socket'($*)) dnl
')
########################################
##
## Inherit and use file descriptors from init.
##
##
##
## Allow the specified domain to inherit file
## descriptors from the init program (process ID 1).
## Typically the only file descriptors to be
## inherited from init are for the console.
## This does not allow the domain any access to
## the object to which the file descriptors references.
##
##
## Related interfaces:
##
##
## - init_dontaudit_use_fds()
## - term_dontaudit_use_console()
## - term_use_console()
##
##
## Example usage:
##
##
## init_use_fds(mydomain_t)
## term_use_console(mydomain_t)
##
##
## Normally, processes that can inherit these file
## descriptors (usually services) write messages to the
## system log instead of writing to the console.
## Therefore, in many cases, this access should
## dontaudited instead.
##
##
## Example dontaudit usage:
##
##
## init_dontaudit_use_fds(mydomain_t)
## term_dontaudit_use_console(mydomain_t)
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`init_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_fds'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit file
## descriptors from init.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_fds'($*)) dnl
gen_require(`
type init_t;
')
dontaudit $1 init_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Send UDP network traffic to init. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`init_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_send'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_udp_send'($*)) dnl
')
########################################
##
## Get the attributes of initctl.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
allow $1 initctl_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_initctl'($*)) dnl
')
########################################
##
## Do not audit attempts to get the
## attributes of initctl.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_getattr_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
dontaudit $1 initctl_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_initctl'($*)) dnl
')
########################################
##
## Write to initctl.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_initctl'($*)) dnl
')
########################################
##
## Use telinit (Read and write initctl).
##
##
##
## Domain allowed access.
##
##
##
#
define(`init_telinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_telinit'($*)) dnl
gen_require(`
type initctl_t;
type init_t;
')
corecmd_exec_bin($1)
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
init_exec($1)
ps_process_pattern($1, init_t)
allow $1 init_t:process signal;
dontaudit $1 self:capability net_admin;
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
#576913
allow $1 init_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_telinit'($*)) dnl
')
########################################
##
## Read and write initctl.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_initctl'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write initctl.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_rw_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_initctl'($*)) dnl
gen_require(`
type initctl_t;
')
dontaudit $1 initctl_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_initctl'($*)) dnl
')
########################################
##
## Make init scripts an entry point for
## the specified domain.
##
##
##
## Domain allowed access.
##
##
# cjp: added for gentoo integrated run_init
define(`init_script_file_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_file_entry_type'($*)) dnl
gen_require(`
type initrc_exec_t;
')
domain_entry_file($1, initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_file_entry_type'($*)) dnl
')
########################################
##
## Execute init scripts with a specified domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`init_spec_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_spec_domtrans_script'($*)) dnl
gen_require(`
type initrc_t;
attribute init_script_file_type;
')
files_list_etc($1)
spec_domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`distro_gentoo',`
gen_require(`
type rc_exec_t;
')
domtrans_pattern($1, rc_exec_t, initrc_t)
')
ifdef(`enable_mcs',`
range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_spec_domtrans_script'($*)) dnl
')
########################################
##
## Execute init scripts with an automatic domain transition.
##
##
##
## Domain allowed to transition.
##
##
#
define(`init_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domtrans_script'($*)) dnl
gen_require(`
type initrc_t;
attribute init_script_file_type;
attribute initrc_transition_domain;
')
typeattribute $1 initrc_transition_domain;
files_list_etc($1)
domtrans_pattern($1, init_script_file_type, initrc_t)
allow $1 initrc_t:process2 { nnp_transition nosuid_transition };
ifdef(`enable_mcs',`
range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_domtrans_script'($*)) dnl
')
########################################
##
## Execute a file in a bin directory
## in the initrc_t domain
##
##
##
## Domain allowed access.
##
##
#
define(`init_bin_domtrans_spec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_bin_domtrans_spec'($*)) dnl
gen_require(`
type initrc_t;
')
corecmd_bin_domtrans($1, initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_bin_domtrans_spec'($*)) dnl
')
########################################
##
## Execute a init script in a specified domain.
##
##
##
## Execute a init script in a specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Domain to transition to.
##
##
# cjp: added for gentoo integrated run_init
define(`init_script_file_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_file_domtrans'($*)) dnl
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
domain_auto_trans($1, initrc_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_file_domtrans'($*)) dnl
')
########################################
##
## Transition to the init script domain
## on a specified labeled init script.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Labeled init script file.
##
##
#
define(`init_labeled_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_labeled_script_domtrans'($*)) dnl
gen_require(`
type initrc_t;
attribute initrc_transition_domain;
')
typeattribute $1 initrc_transition_domain;
# service script searches all filesystems via mountpoint
fs_search_all($1)
domtrans_pattern($1, $2, initrc_t)
allow $1 $2:file ioctl;
files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_labeled_script_domtrans'($*)) dnl
')
#########################################
##
## Transition to the init script domain
## for all labeled init script types
##
##
##
## Domain allowed to transition.
##
##
#
define(`init_all_labeled_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_all_labeled_script_domtrans'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
init_labeled_script_domtrans($1, init_script_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_all_labeled_script_domtrans'($*)) dnl
')
########################################
##
## Start and stop daemon programs directly.
##
##
##
## Start and stop daemon programs directly
## in the traditional "/etc/init.d/daemon start"
## style, and do not require run_init.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be performing this action.
##
##
#
define(`init_run_daemon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_run_daemon'($*)) dnl
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
role system_r;
')
typeattribute $1 direct_run_init;
role_transition $2 direct_init_entry system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_run_daemon'($*)) dnl
')
########################################
##
## Allow execute all init daemon executables type without transition.
##
##
##
## Domain allowed access.
##
##
#
define(`init_exec_notrans_direct_init_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec_notrans_direct_init_entry'($*)) dnl
gen_require(`
attribute direct_init_entry;
')
allow $1 direct_init_entry:file execute_no_trans;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec_notrans_direct_init_entry'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_state'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:dir search_dir_perms;
allow $1 init_t:file read_file_perms;
allow $1 init_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_state'($*)) dnl
')
########################################
##
## Dontaudit read the process state (/proc/pid) of init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_state'($*)) dnl
gen_require(`
type init_t;
')
dontaudit $1 init_t:dir search_dir_perms;
dontaudit $1 init_t:file read_file_perms;
dontaudit $1 init_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_state'($*)) dnl
')
########################################
##
## Read the process keyring of init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_key'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:key read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_key'($*)) dnl
')
########################################
##
## Allow view the init key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`init_view_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_view_key'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:key view;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_view_key'($*)) dnl
')
########################################
##
## Write the process keyring of init.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_key'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:key read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_key'($*)) dnl
')
########################################
##
## Ptrace init
##
##
##
## Domain allowed access.
##
##
##
#
define(`init_ptrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ptrace'($*)) dnl
gen_require(`
type init_t;
')
tunable_policy(`deny_ptrace',`',`
allow $1 init_t:process ptrace;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ptrace'($*)) dnl
')
########################################
##
## Write an init script unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_script_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_script_pipes'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_script_pipes'($*)) dnl
')
########################################
##
## Get the attribute of init script entrypoint files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_script_files'($*)) dnl
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
allow $1 initrc_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_script_files'($*)) dnl
')
########################################
##
## Read init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_script_files'($*)) dnl
gen_require(`
type initrc_exec_t;
')
files_search_etc($1)
allow $1 initrc_exec_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_script_files'($*)) dnl
')
########################################
##
## Execute init scripts in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`init_exec_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec_script_files'($*)) dnl
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
can_exec($1, initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec_script_files'($*)) dnl
')
########################################
##
## Get the attribute of all init script entrypoint files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_all_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_all_script_files'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
files_list_etc($1)
allow $1 init_script_file_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_all_script_files'($*)) dnl
')
########################################
##
## Allow the specified domain to modify the systemd configuration of
## all init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_config_all_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_config_all_script_files'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
allow $1 init_script_file_type:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_config_all_script_files'($*)) dnl
')
########################################
##
## Allow the specified domain to modify the systemd configuration of
## transient scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_config_transient_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_config_transient_files'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_config_transient_files'($*)) dnl
')
########################################
##
## Allow the specified domain to modify the systemd configuration of
## transient scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_manage_config_transient_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_config_transient_files'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_config_transient_files'($*)) dnl
')
########################################
##
## Read all init script files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_all_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_all_script_files'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
files_search_etc($1)
allow $1 init_script_file_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_all_script_files'($*)) dnl
')
#######################################
##
## Dontaudit getattr all init script files.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_getattr_all_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_all_script_files'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
dontaudit $1 init_script_file_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_all_script_files'($*)) dnl
')
#######################################
##
## Dontaudit read all init script files.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_read_all_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_all_script_files'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
dontaudit $1 init_script_file_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_all_script_files'($*)) dnl
')
########################################
##
## Execute all init scripts in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`init_exec_all_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec_all_script_files'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
files_list_etc($1)
can_exec($1, init_script_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec_all_script_files'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of the init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_script_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_script_state'($*)) dnl
gen_require(`
type initrc_t;
')
kernel_search_proc($1)
ps_process_pattern($1, initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_script_state'($*)) dnl
')
########################################
##
## Inherit and use init script file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`init_use_script_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_script_fds'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_script_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit
## init script file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_use_script_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_fds'($*)) dnl
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_fds'($*)) dnl
')
########################################
##
## Search init script keys.
##
##
##
## Domain allowed access.
##
##
#
define(`init_search_script_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_search_script_keys'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_search_script_keys'($*)) dnl
')
########################################
##
## Get the process group ID of init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getpgid_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getpgid_script'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getpgid_script'($*)) dnl
')
########################################
##
## Send SIGCHLD signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_sigchld_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigchld_script'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sigchld_script'($*)) dnl
')
########################################
##
## Send generic signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signal_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signal_script'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signal_script'($*)) dnl
')
########################################
##
## Send kill signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_sigkill_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigkill_script'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sigkill_script'($*)) dnl
')
########################################
##
## Send null signals to init scripts.
##
##
##
## Domain allowed access.
##
##
#
define(`init_signull_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signull_script'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signull_script'($*)) dnl
')
########################################
##
## Read and write init script unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_script_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_pipes'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_pipes'($*)) dnl
')
########################################
##
## Send UDP network traffic to init scripts. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`init_udp_send_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_send_script'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_udp_send_script'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to
## init scripts with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_stream_connect_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connect_script'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connect_script'($*)) dnl
')
########################################
##
## Allow the specified domain to read/write to
## init scripts with a unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_script_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_stream_sockets'($*)) dnl
gen_require(`
type initrc_t;
')
allow $1 initrc_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_stream_sockets'($*)) dnl
')
########################################
##
## Dont audit the specified domain connecting to
## init scripts with a unix domain stream socket.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_stream_connect_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_stream_connect_script'($*)) dnl
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_stream_connect_script'($*)) dnl
')
########################################
##
## Send messages to init scripts over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dbus_send_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_send_script'($*)) dnl
gen_require(`
type initrc_t;
class dbus send_msg;
')
allow $1 initrc_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_send_script'($*)) dnl
')
########################################
##
## Send and receive messages from
## init over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_chat'($*)) dnl
gen_require(`
type init_t;
class dbus send_msg;
')
allow $1 init_t:dbus send_msg;
allow init_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_chat'($*)) dnl
')
########################################
##
## Dontaudit attempts to send dbus domains chat messages
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_dbus_chat'($*)) dnl
gen_require(`
type init_t;
class dbus send_msg;
')
dontaudit $1 init_t:dbus send_msg;
dontaudit init_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_dbus_chat'($*)) dnl
')
########################################
##
## Send and receive messages from
## init scripts over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dbus_chat_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_chat_script'($*)) dnl
gen_require(`
type initrc_t;
class dbus send_msg;
')
allow $1 initrc_t:dbus send_msg;
allow initrc_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_chat_script'($*)) dnl
')
########################################
##
## Read and write the init script pty.
##
##
##
## Read and write the init script pty. This
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
## the administrator terminal.
##
##
##
##
## Domain allowed access.
##
##
#
define(`init_use_script_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_script_ptys'($*)) dnl
gen_require(`
type initrc_devpts_t;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_script_ptys'($*)) dnl
')
########################################
##
## Read and write inherited init script ptys.
##
##
##
## Domain allowed access.
##
##
#
define(`init_use_inherited_script_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_inherited_script_ptys'($*)) dnl
gen_require(`
type initrc_devpts_t;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
init_use_fds($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_inherited_script_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write the init script pty.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_use_script_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_ptys'($*)) dnl
gen_require(`
type initrc_devpts_t;
')
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_ptys'($*)) dnl
')
########################################
##
## Get the attributes of init script
## status files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_script_status_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_script_status_files'($*)) dnl
gen_require(`
type initrc_state_t;
')
getattr_files_pattern($1, initrc_state_t, initrc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_script_status_files'($*)) dnl
')
########################################
##
## Manage init script
## status files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_manage_script_status_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_script_status_files'($*)) dnl
gen_require(`
type initrc_state_t;
')
manage_files_pattern($1, initrc_state_t, initrc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_script_status_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read init script
## status files.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_read_script_status_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_script_status_files'($*)) dnl
gen_require(`
type initrc_state_t;
')
dontaudit $1 initrc_state_t:dir search_dir_perms;
dontaudit $1 initrc_state_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_script_status_files'($*)) dnl
')
########################################
##
## Read init script temporary data.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_script_tmp_files'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_script_tmp_files'($*)) dnl
')
########################################
##
## Read and write init script temporary data.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_tmp_files'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_tmp_files'($*)) dnl
')
########################################
##
## Manage init script temporary data.
##
##
##
## Domain allowed access.
##
##
#
define(`init_manage_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_script_tmp_files'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, initrc_tmp_t, initrc_tmp_t)
manage_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
allow $1 initrc_tmp_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_script_tmp_files'($*)) dnl
')
########################################
##
## Allow caller doamin to write initrc_tmp_t pipes
##
##
##
## Domain to not audit.
##
##
#
define(`init_write_initrc_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_initrc_tmp_pipes'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
allow $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_initrc_tmp_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to read initrc_tmp_t files
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_write_initrc_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_write_initrc_tmp'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_write_initrc_tmp'($*)) dnl
')
########################################
##
## Read and write init script inherited temporary data.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_inherited_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_inherited_script_tmp_files'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
allow $1 initrc_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_inherited_script_tmp_files'($*)) dnl
')
########################################
##
## Create files in a init script
## temporary data directory.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`init_script_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_tmp_filetrans'($*)) dnl
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_tmp_filetrans'($*)) dnl
')
########################################
##
## Get the attributes of init script process id files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_getattr_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
allow $1 initrc_var_run_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_utmp'($*)) dnl
')
########################################
##
## Read utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_utmp'($*)) dnl
')
########################################
##
## Read utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_machineid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_machineid'($*)) dnl
gen_require(`
type machineid_t;
')
files_search_etc($1)
allow $1 machineid_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_machineid'($*)) dnl
')
########################################
##
## Do not audit attempts to read utmp.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_read_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_utmp'($*)) dnl
')
########################################
##
## Do not audit attempts to write utmp.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_write_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_write_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file { write lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_write_utmp'($*)) dnl
')
########################################
##
## Write to utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file { getattr open write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_utmp'($*)) dnl
')
########################################
##
## Do not audit attempts to lock
## init script pid files.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_lock_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_lock_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file lock;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_lock_utmp'($*)) dnl
')
########################################
##
## Read and write utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_utmp'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write utmp.
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_rw_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_utmp'($*)) dnl
')
########################################
##
## Watch the utmp file.
##
##
##
## Domain allowed access.
##
##
#
define(`init_watch_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_watch_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
files_search_pids($1)
allow $1 initrc_var_run_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_watch_utmp'($*)) dnl
')
########################################
##
## Create, read, write, and delete utmp.
##
##
##
## Domain allowed access.
##
##
#
define(`init_manage_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_utmp'($*)) dnl
')
########################################
##
## Create files in /var/run with the
## utmp file type.
##
##
##
## Domain allowed access.
##
##
#
define(`init_pid_filetrans_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_pid_filetrans_utmp'($*)) dnl
gen_require(`
type initrc_var_run_t;
')
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_pid_filetrans_utmp'($*)) dnl
')
######################################
##
## Allow search directory in the /run/systemd directory.
##
##
##
## Domain allowed access.
##
##
#
define(`init_search_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_search_pid_dirs'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_search_pid_dirs'($*)) dnl
')
######################################
##
## Allow listing of the /run/systemd directory.
##
##
##
## Domain allowed access.
##
##
#
define(`init_list_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_list_pid_dirs'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_list_pid_dirs'($*)) dnl
')
#######################################
##
## Create a directory in the /run/systemd directory.
##
##
##
## Domain allowed access.
##
##
#
define(`init_create_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_create_pid_dirs'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir list_dir_perms;
create_dirs_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_create_pid_dirs'($*)) dnl
')
#######################################
##
## Remove entries from the /run/systemd directory.
##
##
##
## Domain allowed access.
##
##
#
define(`init_delete_pid_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_delete_pid_dir_entry'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir del_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_delete_pid_dir_entry'($*)) dnl
')
#######################################
##
## Watch the /run/systemd directory.
##
##
##
## Domain allowed access.
##
##
#
define(`init_watch_pid_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_watch_pid_dir'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_watch_pid_dir'($*)) dnl
')
#######################################
##
## Create objects in /run/systemd directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`init_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_pid_filetrans'($*)) dnl
gen_require(`
type init_var_run_t;
')
files_search_pids($1)
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_pid_filetrans'($*)) dnl
')
#######################################
##
## Create objects in /run/systemd directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`init_named_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_named_pid_filetrans'($*)) dnl
gen_require(`
type init_var_run_t;
')
files_search_pids($1)
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_named_pid_filetrans'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
##
##
##
## Domain allowed access.
##
##
#
define(`init_tcp_recvfrom_all_daemons',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_tcp_recvfrom_all_daemons'($*)) dnl
gen_require(`
attribute daemon;
')
corenet_tcp_recvfrom_labeled($1, daemon)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_tcp_recvfrom_all_daemons'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to daemon with a udp socket
##
##
##
## Domain allowed access.
##
##
#
define(`init_udp_recvfrom_all_daemons',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_recvfrom_all_daemons'($*)) dnl
gen_require(`
attribute daemon;
')
corenet_udp_recvfrom_labeled($1, daemon)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_udp_recvfrom_all_daemons'($*)) dnl
')
########################################
##
## Transition to system_r when execute an init script
##
##
##
## Execute a init script in a specified role
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Role to transition from.
##
##
#
define(`init_script_role_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_role_transition'($*)) dnl
gen_require(`
attribute init_script_file_type;
')
role_transition $1 init_script_file_type system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_role_transition'($*)) dnl
')
########################################
##
## dontaudit read and write an leaked init scrip file descriptors
##
##
##
## Domain to not audit.
##
##
#
define(`init_dontaudit_script_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_script_leaks'($*)) dnl
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:socket_class_set { read write };
dontaudit $1 initrc_t:shm rw_shm_perms;
init_dontaudit_use_script_ptys($1)
init_dontaudit_use_script_fds($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_script_leaks'($*)) dnl
')
#######################################
##
## Allow the specified domain to ioctl an
## init with a unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`init_ioctl_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ioctl_stream_sockets'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ioctl_stream_sockets'($*)) dnl
')
########################################
##
## Allow the specified domain to read/write to
## init with a unix domain stream sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_stream_sockets'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_stream_sockets'($*)) dnl
')
#######################################
##
## Allow the specified domain to write to
## init sock file.
##
##
##
## Domain allowed access.
##
##
#
define(`init_write_pid_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_pid_socket'($*)) dnl
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_pid_socket'($*)) dnl
')
########################################
##
## Send a message to init over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dgram_send'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dgram_send'($*)) dnl
')
########################################
##
## Send a message to init over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`init_stream_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_send'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_send'($*)) dnl
')
########################################
##
## Create a file type used for init socket files.
##
##
##
## This defines a type that init can create sock_file within for
## impersonation purposes
##
##
##
##
## Type to be used for a sock file.
##
##
##
#
define(`init_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sock_file'($*)) dnl
gen_require(`
attribute init_sock_file_type;
')
typeattribute $1 init_sock_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sock_file'($*)) dnl
')
########################################
##
## Read init pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_pid_files'($*)) dnl
gen_require(`
type init_var_run_t;
')
list_dirs_pattern($1, init_var_run_t, init_var_run_t)
read_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_pid_files'($*)) dnl
')
########################################
##
## Manage init pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_pid_files'($*)) dnl
gen_require(`
type init_var_run_t;
')
manage_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_pid_files'($*)) dnl
')
#######################################
##
## Read init pid lnk_files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_pid_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_pid_lnk_files'($*)) dnl
gen_require(`
type init_var_run_t;
')
read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_pid_lnk_files'($*)) dnl
')
########################################
##
## Read init unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_pipes'($*)) dnl
gen_require(`
type init_var_run_t;
')
read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_pipes'($*)) dnl
')
########################################
##
## Read/Write init unnamed pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_pipes'($*)) dnl
gen_require(`
type init_var_run_t;
')
rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_pipes'($*)) dnl
')
#######################################
##
## Read and write init TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`init_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_tcp_sockets'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:tcp_socket { read write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_tcp_sockets'($*)) dnl
')
########################################
##
## Get the system status information from init
##
##
##
## Domain allowed access.
##
##
#
define(`init_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_status'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system status;
allow $1 init_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_status'($*)) dnl
')
########################################
##
## Stop system from init
##
##
##
## Domain allowed access.
##
##
#
define(`init_stop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stop'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system stop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stop'($*)) dnl
')
########################################
##
## Start system from init
##
##
##
## Domain allowed access.
##
##
#
define(`init_start',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_start'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_start'($*)) dnl
')
########################################
##
## Tell init to reboot the system.
##
##
##
## Domain allowed access.
##
##
#
define(`init_reboot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_reboot'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system reboot;
systemd_config_power_services($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_reboot'($*)) dnl
')
########################################
##
## Tell init to enable the services.
##
##
##
## Domain allowed access.
##
##
#
define(`init_enable_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_enable_services'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system enable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_enable_services'($*)) dnl
')
########################################
##
## Tell init to disable the services.
##
##
##
## Domain allowed access.
##
##
#
define(`init_disable_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_disable_services'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system disable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_disable_services'($*)) dnl
')
########################################
##
## Tell init to reload the services.
##
##
##
## Domain allowed access.
##
##
#
define(`init_reload_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_reload_services'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_reload_services'($*)) dnl
')
########################################
##
## Tell init to halt the system.
##
##
##
## Domain allowed access.
##
##
#
define(`init_halt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_halt'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system halt;
systemd_config_power_services($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_halt'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_undefined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_undefined'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:system undefined;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_undefined'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_start_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_start_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_start_transient_unit'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_enable_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_enable_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service enable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_enable_transient_unit'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_disable_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_disable_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service disable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_disable_transient_unit'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_stop_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stop_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service stop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stop_transient_unit'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_reload_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_reload_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_reload_transient_unit'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_status_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_status_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_status_transient_unit'($*)) dnl
')
########################################
##
## Tell init to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`init_manage_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_transient_unit'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_transient_unit'($*)) dnl
')
########################################
##
## Transition to init named content
##
##
##
## Domain allowed access.
##
##
#
define(`init_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_filetrans_named_content'($*)) dnl
gen_require(`
type init_var_run_t;
type initrc_var_run_t;
type machineid_t;
type initctl_t;
type systemd_unit_file_t;
')
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
files_pid_filetrans($1, init_var_run_t, file, "random-seed")
files_etc_filetrans($1, machineid_t, file, "machine-id" )
files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_filetrans_named_content'($*)) dnl
')
########################################
##
## Read systemd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_var_lib_files'($*)) dnl
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_var_lib_files'($*)) dnl
')
########################################
##
## Mmap and read systemd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_mmap_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_mmap_read_var_lib_files'($*)) dnl
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
mmap_read_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_mmap_read_var_lib_files'($*)) dnl
')
########################################
##
## Search systemd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_search_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_search_var_lib_dirs'($*)) dnl
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
allow $1 init_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_search_var_lib_dirs'($*)) dnl
')
########################################
##
## Read systemd lib sock_files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_var_lib_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_var_lib_sock_files'($*)) dnl
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
read_sock_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_var_lib_sock_files'($*)) dnl
')
########################################
##
## Read systemd lib lnk_files.
##
##
##
## Domain allowed access.
##
##
#
define(`init_read_var_lib_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_var_lib_lnk_files'($*)) dnl
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
read_lnk_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_var_lib_lnk_files'($*)) dnl
')
########################################
##
## Allow caller domain to run bpftool.
##
##
##
## Domain allowed access.
##
##
#
define(`init_prog_run_bpf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_prog_run_bpf'($*)) dnl
gen_require(`
type init_t;
')
allow $1 init_t:bpf { map_create map_read map_write prog_load prog_run };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_prog_run_bpf'($*)) dnl
')
#######################################
##
## Allow systemd to watch directories of given type.
## Intended for systemd path units - see systemd.path(5). (Deprecated)
##
##
##
## Type allowed to watch.
##
##
#
define(`init_watch_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_watch_dir'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_watch_dir'($*)) dnl
')
## TCP/IP encryption
########################################
##
## Execute ipsec in the ipsec domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipsec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans'($*)) dnl
gen_require(`
type ipsec_t, ipsec_exec_t;
')
domtrans_pattern($1, ipsec_exec_t, ipsec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans'($*)) dnl
')
#######################################
##
## Allow read/write ipsec pipes
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_rw_inherited_pipes'($*)) dnl
gen_require(`
type ipsec_t;
')
allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_rw_inherited_pipes'($*)) dnl
')
########################################
##
## Connect to IPSEC using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect'($*)) dnl
gen_require(`
type ipsec_t, ipsec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_stream_connect'($*)) dnl
')
########################################
##
## Execute ipsec in the ipsec mgmt domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_domtrans_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_mgmt'($*)) dnl
gen_require(`
type ipsec_mgmt_t, ipsec_mgmt_exec_t;
')
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_mgmt'($*)) dnl
')
#######################################
##
## Allow to create OBJECT in /etc with ipsec_key_file_t.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_filetrans_key_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_filetrans_key_file'($*)) dnl
gen_require(`
type ipsec_key_file_t;
')
files_etc_filetrans($1, ipsec_key_file_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_filetrans_key_file'($*)) dnl
')
#######################################
##
## Allow to manage ipsec key files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_manage_key_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_manage_key_file'($*)) dnl
gen_require(`
type ipsec_key_file_t;
')
manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_manage_key_file'($*)) dnl
')
########################################
##
## Read the ipsec_mgmt_var_run_t files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_mgmt_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_read_pid'($*)) dnl
gen_require(`
type ipsec_var_run_t;
type ipsec_mgmt_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_mgmt_read_pid'($*)) dnl
')
########################################
##
## Connect to racoon using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_stream_connect_racoon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect_racoon'($*)) dnl
gen_require(`
type racoon_t, ipsec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_stream_connect_racoon'($*)) dnl
')
########################################
##
## Get the attributes of an IPSEC key socket.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_getattr_key_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_getattr_key_sockets'($*)) dnl
gen_require(`
type ipsec_t;
')
allow $1 ipsec_t:key_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_getattr_key_sockets'($*)) dnl
')
########################################
##
## Execute the IPSEC management program in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_exec_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_exec_mgmt'($*)) dnl
gen_require(`
type ipsec_exec_t;
')
can_exec($1, ipsec_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_exec_mgmt'($*)) dnl
')
########################################
##
## Send ipsec mgmt a general signal.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_signal_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signal_mgmt'($*)) dnl
gen_require(`
type ipsec_mgmt_t;
')
allow $1 ipsec_mgmt_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signal_mgmt'($*)) dnl
')
########################################
##
## Send ipsec mgmt a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_signull_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signull_mgmt'($*)) dnl
gen_require(`
type ipsec_mgmt_t;
')
allow $1 ipsec_mgmt_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signull_mgmt'($*)) dnl
')
########################################
##
## Send ipsec mgmt a kill signal.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_kill_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_kill_mgmt'($*)) dnl
gen_require(`
type ipsec_mgmt_t;
')
allow $1 ipsec_mgmt_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_kill_mgmt'($*)) dnl
')
########################################
##
## Send ipsec a general signal.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signal'($*)) dnl
gen_require(`
type ipsec_t;
')
allow $1 ipsec_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signal'($*)) dnl
')
########################################
##
## Send ipsec a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signull'($*)) dnl
gen_require(`
type ipsec_t;
')
allow $1 ipsec_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signull'($*)) dnl
')
########################################
##
## Send ipsec a kill signal.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_kill'($*)) dnl
gen_require(`
type ipsec_t;
')
allow $1 ipsec_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_kill'($*)) dnl
')
######################################
##
## Send and receive messages from
## ipsec-mgmt over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_mgmt_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_dbus_chat'($*)) dnl
gen_require(`
type ipsec_mgmt_t;
class dbus send_msg;
')
allow $1 ipsec_mgmt_t:dbus send_msg;
allow ipsec_mgmt_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_mgmt_dbus_chat'($*)) dnl
')
########################################
##
## Read the IPSEC configuration
##
##
##
## Domain allowed access.
##
##
##
#
define(`ipsec_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_read_config'($*)) dnl
gen_require(`
type ipsec_conf_file_t;
')
files_search_etc($1)
allow $1 ipsec_conf_file_t:file read_file_perms;
allow $1 ipsec_conf_file_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_read_config'($*)) dnl
')
########################################
##
## Match the default SPD entry.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_match_default_spd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_match_default_spd'($*)) dnl
gen_require(`
type ipsec_spd_t;
')
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
allow $1 self:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_match_default_spd'($*)) dnl
')
########################################
##
## Set the context of a SPD entry to
## the default context.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_setcontext_default_spd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_setcontext_default_spd'($*)) dnl
gen_require(`
type ipsec_spd_t;
')
allow $1 ipsec_spd_t:association setcontext;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_setcontext_default_spd'($*)) dnl
')
########################################
##
## write the ipsec_var_run_t files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_write_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_write_pid'($*)) dnl
gen_require(`
type ipsec_var_run_t;
')
files_search_pids($1)
write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_write_pid'($*)) dnl
')
########################################
##
## Allow read the IPSEC pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_read_pid'($*)) dnl
gen_require(`
type ipsec_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_read_pid'($*)) dnl
')
########################################
##
## Create, read, write, and delete the IPSEC pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`ipsec_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_manage_pid'($*)) dnl
gen_require(`
type ipsec_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_manage_pid'($*)) dnl
')
########################################
##
## Execute racoon in the racoon domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipsec_domtrans_racoon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_racoon'($*)) dnl
gen_require(`
type racoon_t, racoon_exec_t;
')
domtrans_pattern($1, racoon_exec_t, racoon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_racoon'($*)) dnl
')
########################################
##
## Execute racoon and allow the specified role the domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`ipsec_run_racoon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_run_racoon'($*)) dnl
gen_require(`
type racoon_t;
')
ipsec_domtrans_racoon($1)
role $2 types racoon_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_run_racoon'($*)) dnl
')
########################################
##
## Execute setkey in the setkey domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipsec_domtrans_setkey',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_setkey'($*)) dnl
gen_require(`
type setkey_t, setkey_exec_t;
')
domtrans_pattern($1, setkey_exec_t, setkey_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_setkey'($*)) dnl
')
########################################
##
## Execute setkey and allow the specified role the domains.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access..
##
##
##
#
define(`ipsec_run_setkey',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_run_setkey'($*)) dnl
gen_require(`
type setkey_t;
')
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_run_setkey'($*)) dnl
')
#######################################
##
## Execute strongswan in the ipsec_mgmt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`ipsec_mgmt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_systemctl'($*)) dnl
gen_require(`
type ipsec_mgmt_unit_file_t;
type ipsec_mgmt_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ipsec_mgmt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_mgmt_systemctl'($*)) dnl
')
## Policy for iptables.
########################################
##
## Execute iptables in the iptables domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iptables_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_domtrans'($*)) dnl
gen_require(`
type iptables_t, iptables_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, iptables_exec_t, iptables_t)
allow $1 iptables_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_domtrans'($*)) dnl
')
########################################
##
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`iptables_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_run'($*)) dnl
gen_require(`
attribute_role iptables_roles;
')
iptables_domtrans($1)
roleattribute $2 iptables_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_run'($*)) dnl
')
########################################
##
## Execute iptables in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_exec'($*)) dnl
gen_require(`
type iptables_exec_t;
')
corecmd_search_bin($1)
can_exec($1, iptables_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_exec'($*)) dnl
')
#####################################
##
## Execute iptables in the iptables domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iptables_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_initrc_domtrans'($*)) dnl
gen_require(`
type iptables_initrc_exec_t;
')
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_initrc_domtrans'($*)) dnl
')
########################################
##
## Execute iptables server in the iptables domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`iptables_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_systemctl'($*)) dnl
gen_require(`
type iptables_unit_file_t;
type iptables_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 iptables_unit_file_t:file read_file_perms;
allow $1 iptables_unit_file_t:service manage_service_perms;
ps_process_pattern($1, iptables_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_systemctl'($*)) dnl
')
#####################################
##
## Set the attributes of iptables config files.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_setattr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_setattr_config'($*)) dnl
gen_require(`
type iptables_conf_t;
')
files_search_etc($1)
allow $1 iptables_conf_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_setattr_config'($*)) dnl
')
#####################################
##
## Read iptables config files.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_read_config'($*)) dnl
gen_require(`
type iptables_conf_t;
')
files_search_etc($1)
allow $1 iptables_conf_t:dir list_dir_perms;
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_read_config'($*)) dnl
')
#####################################
##
## Create files in /etc with the type used for
## the iptables config files.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_etc_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_etc_filetrans_config'($*)) dnl
gen_require(`
type iptables_conf_t;
')
files_etc_filetrans($1, iptables_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_etc_filetrans_config'($*)) dnl
')
###################################
##
## Manage iptables config files.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_manage_config'($*)) dnl
gen_require(`
type iptables_conf_t;
type etc_t;
')
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_manage_config'($*)) dnl
')
########################################
##
## Transition to iptables named content
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_filetrans_named_content'($*)) dnl
gen_require(`
type iptables_var_run_t;
')
files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_filetrans_named_content'($*)) dnl
')
#####################################
##
## Read iptables run files.
##
##
##
## Domain allowed access.
##
##
#
define(`iptables_read_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_read_var_run'($*)) dnl
gen_require(`
type iptables_var_run_t;
')
allow $1 iptables_var_run_t:dir list_dir_perms;
read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_read_var_run'($*)) dnl
')
## Policy for system libraries.
########################################
##
## Execute ldconfig in the ldconfig domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`libs_domtrans_ldconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_domtrans_ldconfig'($*)) dnl
gen_require(`
type ldconfig_t, ldconfig_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_domtrans_ldconfig'($*)) dnl
')
########################################
##
## Execute ldconfig in the ldconfig domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the ldconfig domain.
##
##
##
#
define(`libs_run_ldconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_run_ldconfig'($*)) dnl
gen_require(`
type ldconfig_t;
')
libs_domtrans_ldconfig($1)
role $2 types ldconfig_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_run_ldconfig'($*)) dnl
')
########################################
##
## Execute ldconfig in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`libs_exec_ldconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_ldconfig'($*)) dnl
gen_require(`
type ldconfig_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ldconfig_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_ldconfig'($*)) dnl
')
########################################
##
## Make ldconfig_exec_t entrypoint for
## the specified domain.
##
##
##
## The domain for which bin_t is an entrypoint.
##
##
#
define(`libs_ldconfig_exec_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_ldconfig_exec_entry_type'($*)) dnl
gen_require(`
type ldconfig_exec_t;
')
domain_entry_file($1, ldconfig_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_ldconfig_exec_entry_type'($*)) dnl
')
########################################
##
## Use the dynamic link/loader for automatic loading
## of shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_use_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_use_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t, ld_so_cache_t;
')
files_list_etc($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })
allow $1 ld_so_cache_t:file { map read_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_use_ld_so'($*)) dnl
')
########################################
##
## Use the dynamic link/loader for automatic loading
## of shared libraries with legacy support.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_legacy_use_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_legacy_use_ld_so'($*)) dnl
gen_require(`
type ld_so_t, ld_so_cache_t;
')
libs_use_ld_so($1)
allow $1 ld_so_t:file execmod;
allow $1 ld_so_cache_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_legacy_use_ld_so'($*)) dnl
')
########################################
##
## Execute the dynamic link/loader in the caller's domain.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_exec_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t;
')
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
exec_files_pattern($1, lib_t, ld_so_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_ld_so'($*)) dnl
')
########################################
##
## Create, read, write, and delete the
## dynamic link/loader.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_manage_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t;
')
read_lnk_files_pattern($1, lib_t, lib_t)
manage_files_pattern($1, lib_t, ld_so_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_ld_so'($*)) dnl
')
########################################
##
## Relabel to and from the type used for
## the dynamic link/loader.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_relabel_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_ld_so'($*)) dnl
gen_require(`
type lib_t, ld_so_t;
')
relabel_files_pattern($1, lib_t, ld_so_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_ld_so'($*)) dnl
')
########################################
##
## Modify the dynamic link/loader's cached listing
## of shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_rw_ld_so_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_rw_ld_so_cache'($*)) dnl
gen_require(`
type ld_so_cache_t;
')
files_list_etc($1)
allow $1 ld_so_cache_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_rw_ld_so_cache'($*)) dnl
')
########################################
##
## Search library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_search_lib'($*)) dnl
gen_require(`
type lib_t;
')
read_lnk_files_pattern($1, lib_t, lib_t)
allow $1 lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_search_lib'($*)) dnl
')
########################################
##
## dontaudit attempts to setattr on library files
##
##
##
## Domain to not audit.
##
##
#
define(`libs_dontaudit_setattr_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_setattr_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
dontaudit $1 lib_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_setattr_lib_files'($*)) dnl
')
########################################
##
## dontaudit attempts to setattr on library dirs
##
##
##
## Domain to not audit.
##
##
#
define(`libs_dontaudit_setattr_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_setattr_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
dontaudit $1 lib_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_setattr_lib_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to write to library directories.
##
##
##
## Do not audit attempts to write to library directories.
## Typically this is used to quiet attempts to recompile
## python byte code.
##
##
##
##
## Domain to not audit.
##
##
#
define(`libs_dontaudit_write_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_write_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
dontaudit $1 lib_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_write_lib_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
read_lnk_files_pattern($1, lib_t, lib_t)
allow $1 lib_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_lib_dirs'($*)) dnl
')
########################################
##
## Watch library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_watch_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_watch_lib_dirs'($*)) dnl
gen_require(`
type lib_t;
')
allow $1 lib_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_watch_lib_dirs'($*)) dnl
')
########################################
##
## Read files in the library directories, such
## as static libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_read_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
files_list_usr($1)
list_dirs_pattern($1, lib_t, lib_t)
read_files_pattern($1, lib_t, lib_t)
read_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_read_lib_files'($*)) dnl
')
########################################
##
## Execute library scripts in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_exec_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
files_search_usr($1)
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, lib_t)
exec_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_lib_files'($*)) dnl
')
########################################
##
## Load and execute functions from generic
## lib files as shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_use_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_use_lib_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
libs_use_shared_libs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_use_lib_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete generic
## files in library directories.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
read_lnk_files_pattern($1, lib_t, lib_t)
manage_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_lib_files'($*)) dnl
')
########################################
##
## Relabel files to the type used in library directories.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_relabelto_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabelto_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
relabelto_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabelto_lib_files'($*)) dnl
')
########################################
##
## Relabel to and from the type used
## for generic lib files.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_relabel_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_lib_files'($*)) dnl
gen_require(`
type lib_t;
')
relabel_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_lib_files'($*)) dnl
')
########################################
##
## Delete generic symlinks in library directories.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_delete_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_delete_lib_symlinks'($*)) dnl
gen_require(`
type lib_t;
')
delete_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_delete_lib_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete shared libraries.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_manage_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_shared_libs'($*)) dnl
gen_require(`
type lib_t, textrel_shlib_t;
')
read_lnk_files_pattern($1, lib_t, lib_t)
manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_shared_libs'($*)) dnl
')
########################################
##
## Load and execute functions from shared libraries.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_use_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_use_shared_libs'($*)) dnl
gen_require(`
type lib_t, textrel_shlib_t;
')
files_search_usr($1)
allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
# allow $1 lib_t:file execmod;
allow $1 textrel_shlib_t:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_use_shared_libs'($*)) dnl
')
########################################
##
## Load and execute functions from shared libraries,
## with legacy support.
##
##
##
## Domain allowed access.
##
##
#
define(`libs_legacy_use_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_legacy_use_shared_libs'($*)) dnl
gen_require(`
type lib_t;
')
libs_use_shared_libs($1)
allow $1 lib_t:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_legacy_use_shared_libs'($*)) dnl
')
########################################
##
## Relabel to and from the type used for
## shared libraries.
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`libs_relabel_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_shared_libs'($*)) dnl
gen_require(`
type lib_t, textrel_shlib_t;
')
relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_shared_libs'($*)) dnl
')
########################################
##
## Create an object in lib directories, with
## the shared libraries type using a type transition.
##
##
##
## Domain allowed access.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`lib_filetrans_shared_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lib_filetrans_shared_lib'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lib_filetrans_shared_lib'($*)) dnl
')
########################################
##
## Create an object in lib directories, with
## the shared libraries type using a type transition. (Deprecated)
##
##
##
## Create an object in lib directories, with
## the shared libraries type using a type transition. (Deprecated)
##
##
## lib_filetrans_shared_lib() should be used instead.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The object class of the object being created.
##
##
#
define(`files_lib_filetrans_shared_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_lib_filetrans_shared_lib'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_lib_filetrans_shared_lib'($*)) dnl
')
########################################
##
## Transition to lib named content
##
##
##
## Domain allowed access.
##
##
#
define(`libs_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_filetrans_named_content'($*)) dnl
gen_require(`
type ld_so_cache_t;
type ldconfig_cache_t;
')
files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_filetrans_named_content'($*)) dnl
')
## Policy for local logins.
########################################
##
## Execute local logins in the local login domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`locallogin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_domtrans'($*)) dnl
gen_require(`
type local_login_t;
')
auth_domtrans_login_program($1, local_login_t)
ifdef(`enable_mcs',`
auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_domtrans'($*)) dnl
')
########################################
##
## Allow processes to inherit local login file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_use_fds'($*)) dnl
gen_require(`
type local_login_t;
')
allow $1 local_login_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit local login file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`locallogin_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_dontaudit_use_fds'($*)) dnl
gen_require(`
type local_login_t;
')
dontaudit $1 local_login_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Send a null signal to local login processes.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_signull'($*)) dnl
gen_require(`
type local_login_t;
')
allow $1 local_login_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_signull'($*)) dnl
')
########################################
##
## Search for key.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_search_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_search_keys'($*)) dnl
gen_require(`
type local_login_t;
')
allow $1 local_login_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_search_keys'($*)) dnl
')
########################################
##
## Allow link to the local_login key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_link_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_link_keys'($*)) dnl
gen_require(`
type local_login_t;
')
allow $1 local_login_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_link_keys'($*)) dnl
')
########################################
##
## Execute local logins in the local login domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`locallogin_domtrans_sulogin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_domtrans_sulogin'($*)) dnl
gen_require(`
type sulogin_exec_t, sulogin_t;
')
domtrans_pattern($1, sulogin_exec_t, sulogin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_domtrans_sulogin'($*)) dnl
')
#######################################
##
## Allow domain to gettatr local login home content
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_getattr_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_getattr_home_content'($*)) dnl
gen_require(`
type local_login_home_t;
')
getattr_files_pattern($1, local_login_home_t, local_login_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_getattr_home_content'($*)) dnl
')
########################################
##
## create local login content in the in the /root directory
## with an correct label.
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_filetrans_admin_home_content'($*)) dnl
gen_require(`
type local_login_home_t;
')
userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_filetrans_admin_home_content'($*)) dnl
')
########################################
##
## Transition to local login named content
##
##
##
## Domain allowed access.
##
##
#
define(`locallogin_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_filetrans_home_content'($*)) dnl
gen_require(`
type local_login_home_t;
')
userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_filetrans_home_content'($*)) dnl
')
## Policy for the kernel message logger and system logging daemon.
########################################
##
## Make the specified type usable for log files
## in a filesystem.
##
##
##
## Make the specified type usable for log files in a filesystem.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a log file type may result in problems with log
## rotation, log analysis, and log monitoring programs.
##
##
## Related interfaces:
##
##
## - logging_log_filetrans()
##
##
## Example usage with a domain that can create
## and append to a private log file stored in the
## general directories (e.g., /var/log):
##
##
## type mylogfile_t;
## logging_log_file(mylogfile_t)
## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
## logging_log_filetrans(mydomain_t, mylogfile_t, file)
##
##
##
##
## Type to be used for files.
##
##
##
#
define(`logging_log_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_log_file'($*)) dnl
gen_require(`
attribute logfile;
')
files_type($1)
files_associate_tmp($1)
fs_associate_tmpfs($1)
typeattribute $1 logfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_log_file'($*)) dnl
')
#######################################
##
## Send audit messages.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_send_audit_msgs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_send_audit_msgs'($*)) dnl
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay nlmsg_tty_audit };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_send_audit_msgs'($*)) dnl
')
#######################################
##
## dontaudit attempts to send audit messages.
##
##
##
## Domain to not audit.
##
##
#
define(`logging_dontaudit_send_audit_msgs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_send_audit_msgs'($*)) dnl
dontaudit $1 self:capability audit_write;
dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_send_audit_msgs'($*)) dnl
')
########################################
##
## Create netlink audit socket
##
##
##
## Domain allowed access.
##
##
#
define(`logging_create_syslog_netlink_audit_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_create_syslog_netlink_audit_socket'($*)) dnl
gen_require(`
type syslogd_t;
')
allow $1 syslogd_t:netlink_audit_socket create_netlink_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_create_syslog_netlink_audit_socket'($*)) dnl
')
########################################
##
## Set login uid
##
##
##
## Domain allowed access.
##
##
#
define(`logging_set_loginuid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_set_loginuid'($*)) dnl
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_set_loginuid'($*)) dnl
')
########################################
##
## Set tty auditing
##
##
##
## Domain allowed access.
##
##
#
define(`logging_set_tty_audit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_set_tty_audit'($*)) dnl
allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_set_tty_audit'($*)) dnl
')
########################################
##
## Set up audit
##
##
##
## Domain allowed access.
##
##
#
define(`logging_set_audit_parameters',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_set_audit_parameters'($*)) dnl
allow $1 self:capability { audit_write audit_control };
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_set_audit_parameters'($*)) dnl
')
########################################
##
## Read the audit log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_audit_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_audit_log'($*)) dnl
gen_require(`
type auditd_log_t;
')
files_search_var($1)
read_files_pattern($1, auditd_log_t, auditd_log_t)
allow $1 auditd_log_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_audit_log'($*)) dnl
')
########################################
##
## Watch the audit log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_watch_audit_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_audit_log_files'($*)) dnl
gen_require(`
type var_log_t, auditd_log_t;
')
watch_files_pattern($1, auditd_log_t, auditd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_audit_log_files'($*)) dnl
')
########################################
##
## Watch the audit log directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_watch_audit_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_audit_log_dirs'($*)) dnl
gen_require(`
type var_log_t, auditd_log_t;
')
allow $1 var_log_t:dir search_dir_perms;
watch_dirs_pattern($1, auditd_log_t, auditd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_audit_log_dirs'($*)) dnl
')
########################################
##
## Map the audit log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_map_audit_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_map_audit_log'($*)) dnl
gen_require(`
type auditd_log_t;
')
allow $1 auditd_log_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_map_audit_log'($*)) dnl
')
########################################
##
## Execute auditctl in the auditctl domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_domtrans_auditctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditctl'($*)) dnl
gen_require(`
type auditctl_t, auditctl_exec_t;
')
domtrans_pattern($1, auditctl_exec_t, auditctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_auditctl'($*)) dnl
')
########################################
##
## Execute auditctl in the auditctl domain, and
## allow the specified role the auditctl domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`logging_run_auditctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_run_auditctl'($*)) dnl
gen_require(`
type auditctl_t;
')
logging_domtrans_auditctl($1)
role $2 types auditctl_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_run_auditctl'($*)) dnl
')
########################################
##
## Execute auditd in the auditd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_domtrans_auditd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditd'($*)) dnl
gen_require(`
type auditd_t, auditd_exec_t;
')
domtrans_pattern($1, auditd_exec_t, auditd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_auditd'($*)) dnl
')
########################################
##
## Execute auditd in the auditd domain, and
## allow the specified role the auditd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`logging_run_auditd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_run_auditd'($*)) dnl
gen_require(`
type auditd_t;
')
logging_domtrans_auditd($1)
role $2 types auditd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_run_auditd'($*)) dnl
')
########################################
##
## Connect to auditdstored over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_stream_connect_auditd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_stream_connect_auditd'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
logging_stream_connect_dispatcher($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_stream_connect_auditd'($*)) dnl
')
########################################
##
## Execute a domain transition to run the audit dispatcher.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_domtrans_dispatcher',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_dispatcher'($*)) dnl
gen_require(`
type audisp_t, audisp_exec_t;
')
domtrans_pattern($1, audisp_exec_t, audisp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_dispatcher'($*)) dnl
')
########################################
##
## Signal the audit dispatcher.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_signal_dispatcher',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_signal_dispatcher'($*)) dnl
gen_require(`
type audisp_t;
')
allow $1 audisp_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_signal_dispatcher'($*)) dnl
')
########################################
##
## Create a domain for processes
## which can be started by the system audit dispatcher
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`logging_dispatcher_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dispatcher_domain'($*)) dnl
gen_require(`
type audisp_t;
type auditd_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(audisp_t, $2, $1)
domtrans_pattern(auditd_t, $2, $1)
allow audisp_t $1:process { sigkill sigstop signull signal };
allow audisp_t $2:file getattr;
allow $1 audisp_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dispatcher_domain'($*)) dnl
')
########################################
##
## Connect to the audit dispatcher over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_stream_connect_dispatcher',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_stream_connect_dispatcher'($*)) dnl
gen_require(`
type audisp_t, audisp_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_stream_connect_dispatcher'($*)) dnl
')
########################################
##
## Manage the auditd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_audit_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
files_search_etc($1)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_audit_config'($*)) dnl
')
########################################
##
## Manage the audit log.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_audit_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_audit_log'($*)) dnl
gen_require(`
type auditd_log_t;
')
files_search_var($1)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_audit_log'($*)) dnl
')
########################################
##
## Execute klogd in the klog domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_domtrans_klog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_klog'($*)) dnl
gen_require(`
type klogd_t, klogd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, klogd_exec_t, klogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_klog'($*)) dnl
')
########################################
##
## Check if syslogd is executable.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_check_exec_syslog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_check_exec_syslog'($*)) dnl
gen_require(`
type syslogd_exec_t;
')
corecmd_list_bin($1)
corecmd_read_bin_symlinks($1)
allow $1 syslogd_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_check_exec_syslog'($*)) dnl
')
########################################
##
## Execute syslogd in the syslog domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_domtrans_syslog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_syslog'($*)) dnl
gen_require(`
type syslogd_t, syslogd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, syslogd_exec_t, syslogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_syslog'($*)) dnl
')
########################################
##
## Create an object in the log directory, with a private type.
##
##
##
## Allow the specified domain to create an object
## in the general system log directories (e.g., /var/log)
## with a private type. Typically this is used for creating
## private log files in /var/log with the private type instead
## of the general system log type. To accomplish this goal,
## either the program must be SELinux-aware, or use this interface.
##
##
## Related interfaces:
##
##
##
## Example usage with a domain that can create
## and append to a private log file stored in the
## general directories (e.g., /var/log):
##
##
## type mylogfile_t;
## logging_log_file(mylogfile_t)
## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
## logging_log_filetrans(mydomain_t, mylogfile_t, file)
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
##
#
define(`logging_log_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_log_filetrans'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
filetrans_pattern($1, var_log_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_log_filetrans'($*)) dnl
')
#######################################
##
## Create an object in the log directory, with a private type.
##
##
##
## Allow the specified domain to create an object
## in the general system log directories (e.g., /var/log)
## with a private type. Typically this is used for creating
## private log files in /var/log with the private type instead
## of the general system log type. To accomplish this goal,
## either the program must be SELinux-aware, or use this interface.
##
##
## Related interfaces:
##
##
##
## Example usage with a domain that can create
## and append to a private log file stored in the
## general directories (e.g., /var/log):
##
##
## type mylogfile_t;
## logging_log_file(mylogfile_t)
## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
## logging_log_filetrans(mydomain_t, mylogfile_t, file)
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created.
##
##
##
##
## The object class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
##
#
define(`logging_log_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_log_named_filetrans'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
filetrans_pattern($1, var_log_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_log_named_filetrans'($*)) dnl
')
########################################
##
## Send system log messages.
##
##
##
## Allow the specified domain to connect to the
## system log service (syslog), to send messages be added to
## the system logs. Typically this is used by services
## that do not have their own log file in /var/log.
##
##
## This does not allow messages to be sent to
## the auditing system.
##
##
## Programs which use the libc function syslog() will
## require this access.
##
##
## Related interfaces:
##
##
## - logging_send_audit_msgs()
##
##
##
##
## Domain allowed access.
##
##
#
define(`logging_send_syslog_msg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_send_syslog_msg'($*)) dnl
gen_require(`
attribute syslog_client_type;
')
typeattribute $1 syslog_client_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_send_syslog_msg'($*)) dnl
')
########################################
##
## Connect to the syslog control unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_create_devlog_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_create_devlog_dev'($*)) dnl
gen_require(`
type devlog_t;
')
allow $1 devlog_t:lnk_file manage_lnk_file_perms;
allow $1 devlog_t:sock_file manage_sock_file_perms;
dev_filetrans($1, devlog_t, lnk_file, "log")
init_pid_filetrans($1, devlog_t, sock_file, "syslog")
logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_create_devlog_dev'($*)) dnl
')
########################################
##
## Relabel the devlog sock_file.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_relabel_devlog_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_relabel_devlog_dev'($*)) dnl
gen_require(`
type devlog_t;
')
allow $1 devlog_t:sock_file relabel_sock_file_perms;
allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_relabel_devlog_dev'($*)) dnl
')
########################################
##
## Allow domain to read the syslog pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_read_syslog_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_syslog_pid'($*)) dnl
gen_require(`
type syslogd_var_run_t;
')
read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_syslog_pid'($*)) dnl
')
########################################
##
## Relabel the syslog pid sock_file.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_relabel_syslog_pid_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_relabel_syslog_pid_socket'($*)) dnl
gen_require(`
type syslogd_var_run_t;
')
allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_relabel_syslog_pid_socket'($*)) dnl
')
########################################
##
## Connect to the syslog control unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_stream_connect_syslog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_stream_connect_syslog'($*)) dnl
gen_require(`
type syslogd_t, syslogd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_stream_connect_syslog'($*)) dnl
')
########################################
##
## Read the auditd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_audit_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
files_search_etc($1)
read_files_pattern($1, auditd_etc_t, auditd_etc_t)
allow $1 auditd_etc_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_audit_config'($*)) dnl
')
########################################
##
## Map the auditd configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_map_audit_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_map_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
allow $1 auditd_etc_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_map_audit_config'($*)) dnl
')
########################################
##
## dontaudit search of auditd log files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`logging_dontaudit_search_audit_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_audit_logs'($*)) dnl
gen_require(`
type auditd_log_t;
')
dontaudit $1 auditd_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_audit_logs'($*)) dnl
')
########################################
##
## dontaudit search of auditd configuration files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`logging_dontaudit_search_audit_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_audit_config'($*)) dnl
gen_require(`
type auditd_etc_t;
')
dontaudit $1 auditd_etc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_audit_config'($*)) dnl
')
########################################
##
## Read syslog configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_syslog_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_syslog_config'($*)) dnl
gen_require(`
type syslog_conf_t;
')
allow $1 syslog_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_syslog_config'($*)) dnl
')
########################################
##
## Manage syslog configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_syslog_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_syslog_config'($*)) dnl
gen_require(`
type syslog_conf_t;
')
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_syslog_config'($*)) dnl
')
########################################
##
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_search_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_search_logs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_search_logs'($*)) dnl
')
#######################################
##
## Do not audit attempts to search the var log directory.
##
##
##
## Domain not to audit.
##
##
#
define(`logging_dontaudit_search_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_logs'($*)) dnl
gen_require(`
type var_log_t;
')
dontaudit $1 var_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_logs'($*)) dnl
')
#######################################
##
## List the contents of the generic log directory (/var/log).
##
##
##
## Domain allowed access.
##
##
#
define(`logging_list_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_list_logs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_list_logs'($*)) dnl
')
#######################################
##
## Read and write the generic log directory (/var/log).
##
##
##
## Domain allowed access.
##
##
#
define(`logging_rw_generic_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_rw_generic_log_dirs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_rw_generic_log_dirs'($*)) dnl
')
#######################################
##
## Watch the generic log directory (/var/log).
##
##
##
## Domain allowed access.
##
##
#
define(`logging_watch_generic_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_generic_log_dirs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_generic_log_dirs'($*)) dnl
')
#######################################
##
## Search through all log dirs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_search_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_search_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
allow $1 logfile:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_search_all_logs'($*)) dnl
')
#######################################
##
## Set attributes on all log dirs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_setattr_all_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_setattr_all_log_dirs'($*)) dnl
gen_require(`
attribute logfile;
')
allow $1 logfile:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_setattr_all_log_dirs'($*)) dnl
')
#######################################
##
## Relabel on all log dirs.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_relabel_all_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_relabel_all_log_dirs'($*)) dnl
gen_require(`
attribute logfile;
')
relabel_dirs_pattern($1, logfile, logfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_relabel_all_log_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes
## of any log files.
##
##
##
## Domain to not audit.
##
##
#
define(`logging_dontaudit_getattr_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_getattr_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
dontaudit $1 logfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_getattr_all_logs'($*)) dnl
')
########################################
##
## Read the atttributes of any log file
##
##
##
## Domain allowed access
##
##
#
define(`logging_getattr_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_getattr_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
allow $1 logfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_getattr_all_logs'($*)) dnl
')
########################################
##
## Append to all log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_append_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_append_all_logs'($*)) dnl
gen_require(`
attribute logfile;
type var_log_t;
')
files_search_var($1)
append_files_pattern($1, logfile, logfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_append_all_logs'($*)) dnl
')
########################################
##
## Append to all log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_inherit_append_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_inherit_append_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
allow $1 logfile:file { getattr append ioctl lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_inherit_append_all_logs'($*)) dnl
')
########################################
##
## Read all log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
allow $1 logfile:file map;
read_files_pattern($1, logfile, logfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_all_logs'($*)) dnl
')
########################################
##
## Execute all log files in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
# cjp: not sure why this is needed. This was added
# because of logrotate.
define(`logging_exec_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_exec_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
can_exec($1, logfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_exec_all_logs'($*)) dnl
')
########################################
##
## read/write to all log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_rw_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_rw_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
files_search_var($1)
rw_files_pattern($1, logfile, logfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_rw_all_logs'($*)) dnl
')
########################################
##
## Create, read, write, and delete all log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_all_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_all_logs'($*)) dnl
gen_require(`
attribute logfile;
')
files_search_var($1)
manage_dirs_pattern($1, logfile, logfile)
manage_files_pattern($1, logfile, logfile)
manage_lnk_files_pattern($1, logfile, logfile)
allow $1 logfile:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_all_logs'($*)) dnl
')
#######################################
##
## Watch all directories in the path for log directories.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_watch_all_log_dirs_path',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_all_log_dirs_path'($*)) dnl
gen_require(`
attribute logfile;
')
files_watch_root_dirs($1)
files_search_var($1)
files_watch_var_dirs($1)
allow $1 logfile:dir { search_dir_perms watch_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_all_log_dirs_path'($*)) dnl
')
########################################
##
## Read generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_read_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
allow $1 var_log_t:file map;
read_files_pattern($1, var_log_t, var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_generic_logs'($*)) dnl
')
########################################
##
## Create generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_create_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_create_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
allow $1 var_log_t:file create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_create_generic_logs'($*)) dnl
')
########################################
##
## Link generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_link_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_link_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
allow $1 var_log_t:file link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_link_generic_logs'($*)) dnl
')
########################################
##
## Delete generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_delete_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_delete_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
allow $1 var_log_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_delete_generic_logs'($*)) dnl
')
########################################
##
## Map generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_mmap_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_mmap_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
allow $1 var_log_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_mmap_generic_logs'($*)) dnl
')
########################################
##
## Write generic log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_write_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_write_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
write_files_pattern($1, var_log_t, var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_write_generic_logs'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic
## links in the /var/log directory.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_manage_var_log_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_var_log_symlinks'($*)) dnl
gen_require(`
type var_log_t;
')
manage_lnk_files_pattern($1, var_log_t, var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_var_log_symlinks'($*)) dnl
')
########################################
##
## Allow attempts to write to /var/log
##
##
##
## Domain allowed access.
##
##
#
define(`logging_write_var_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_write_var_log_dirs'($*)) dnl
gen_require(`
type var_log_t;
')
allow $1 var_log_t:dir { setattr write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_write_var_log_dirs'($*)) dnl
')
########################################
##
## Dontaudit read/Write inherited generic log files.
##
##
##
## Domain to not audit.
##
##
#
define(`logging_dontaudit_rw_inherited_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_rw_inherited_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
dontaudit $1 var_log_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_rw_inherited_generic_logs'($*)) dnl
')
########################################
##
## Dontaudit Write generic log files.
##
##
##
## Domain to not audit.
##
##
#
define(`logging_dontaudit_write_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_write_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
dontaudit $1 var_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_write_generic_logs'($*)) dnl
')
########################################
##
## Read and write generic log files.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_rw_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_rw_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
rw_files_pattern($1, var_log_t, var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_rw_generic_logs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## generic log files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`logging_manage_generic_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_manage_generic_logs'($*)) dnl
gen_require(`
type var_log_t;
')
files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_manage_generic_logs'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## the audit environment
##
##
##
## Domain allowed access.
##
##
##
##
## User role allowed access.
##
##
##
#
define(`logging_admin_audit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_admin_audit'($*)) dnl
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
type auditd_unit_file_t;
')
allow $1 auditd_t:process signal_perms;
ps_process_pattern($1, auditd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 auditd_t:process ptrace;
')
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
logging_run_auditctl($1, $2)
init_labeled_script_domtrans($1, auditd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
logging_systemctl_audit($1)
admin_pattern($1, auditd_unit_file_t)
allow $1 auditd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_admin_audit'($*)) dnl
')
########################################
##
## Execute auditd server in the auditd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_systemctl_audit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_systemctl_audit'($*)) dnl
gen_require(`
type auditd_t;
type auditd_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 auditd_unit_file_t:file read_file_perms;
allow $1 auditd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, auditd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_systemctl_audit'($*)) dnl
')
########################################
##
## Execute auditd server in the auditd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`logging_systemctl_syslogd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_systemctl_syslogd'($*)) dnl
gen_require(`
type syslogd_t;
type syslogd_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 syslogd_unit_file_t:file read_file_perms;
allow $1 syslogd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, syslogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_systemctl_syslogd'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## the syslog environment
##
##
##
## Domain allowed access.
##
##
##
##
## User role allowed access.
##
##
##
#
define(`logging_admin_syslog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_admin_syslog'($*)) dnl
gen_require(`
type syslogd_t, klogd_t, syslog_conf_t;
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
type syslogd_initrc_exec_t;
')
allow $1 self:capability2 syslog;
allow $1 syslogd_t:process signal_perms;
allow $1 klogd_t:process signal_perms;
ps_process_pattern($1, syslogd_t)
ps_process_pattern($1, klogd_t)
tunable_policy(`deny_ptrace',`',`
allow $1 syslogd_t:process ptrace;
allow $1 klogd_t:process ptrace;
')
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
files_etc_filetrans($1, syslog_conf_t, file)
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
allow $1 logfile:dir relabel_dir_perms;
allow $1 logfile:file relabel_file_perms;
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 syslogd_initrc_exec_t system_r;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_admin_syslog'($*)) dnl
')
########################################
##
## All of the rules required to administrate
## the logging environment
##
##
##
## Domain allowed access.
##
##
##
##
## User role allowed access.
##
##
##
#
define(`logging_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_admin'($*)) dnl
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_admin'($*)) dnl
')
########################################
##
## Transition to syslog.conf
##
##
##
## Domain allowed access.
##
##
#
define(`logging_filetrans_named_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_filetrans_named_conf'($*)) dnl
gen_require(`
type syslog_conf_t;
')
files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_filetrans_named_conf'($*)) dnl
')
########################################
##
## Transition to logging named content
##
##
##
## Domain allowed access.
##
##
#
define(`logging_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_filetrans_named_content'($*)) dnl
gen_require(`
type var_log_t;
type audit_spool_t;
type syslogd_var_run_t;
type syslog_conf_t;
')
files_pid_filetrans($1, syslogd_var_run_t, dir, "log")
files_spool_filetrans($1, var_log_t, dir, "rsyslog")
files_spool_filetrans($1, var_log_t, dir, "log")
files_spool_filetrans($1, audit_spool_t, dir, "audit")
files_var_filetrans($1, var_log_t, dir, "webmin")
files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
logging_log_filetrans($1, var_log_t, dir, "anaconda")
logging_log_filetrans($1, var_log_t, dir, "remote")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_filetrans_named_content'($*)) dnl
')
#######################################
##
## Create objects in /run/systemd/journal/ directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`logging_syslogd_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_syslogd_pid_filetrans'($*)) dnl
gen_require(`
type syslogd_var_run_t;
')
files_search_pids($1)
filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_syslogd_pid_filetrans'($*)) dnl
')
#######################################
##
## Map files in /run/log/journal/ directory.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_mmap_journal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_mmap_journal'($*)) dnl
gen_require(`
type syslogd_var_run_t;
')
allow $1 syslogd_var_run_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_mmap_journal'($*)) dnl
')
#######################################
##
## Watch the /run/log/journal directory.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_watch_journal_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_journal_dir'($*)) dnl
gen_require(`
type syslogd_var_run_t;
')
allow $1 syslogd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_journal_dir'($*)) dnl
')
########################################
##
## Send a message to syslogd over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`logging_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dgram_send'($*)) dnl
gen_require(`
type syslogd_t;
')
allow $1 syslogd_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dgram_send'($*)) dnl
')
## Policy for logical volume management programs.
#####################################
##
## lvm stub domain interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`lvm_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_stub'($*)) dnl
gen_require(`
type lvm_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_stub'($*)) dnl
')
########################################
##
## Get the attribute of lvm entrypoint files.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_getattr_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_getattr_exec_files'($*)) dnl
gen_require(`
type lvm_exec_t;
')
files_list_etc($1)
allow $1 lvm_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_getattr_exec_files'($*)) dnl
')
########################################
##
## Execute lvm programs in the lvm domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lvm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_domtrans'($*)) dnl
gen_require(`
type lvm_t, lvm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lvm_exec_t, lvm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_domtrans'($*)) dnl
')
########################################
##
## Execute lvm programs in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_exec'($*)) dnl
gen_require(`
type lvm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, lvm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_exec'($*)) dnl
')
########################################
##
## Execute lvm programs in the lvm domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the LVM domain.
##
##
##
#
define(`lvm_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_run'($*)) dnl
gen_require(`
type lvm_t;
')
lvm_domtrans($1)
role $2 types lvm_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_run'($*)) dnl
')
########################################
##
## Read LVM configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_read_config'($*)) dnl
gen_require(`
type lvm_etc_t;
')
files_search_etc($1)
allow $1 lvm_etc_t:dir list_dir_perms;
read_files_pattern($1, lvm_etc_t, lvm_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_read_config'($*)) dnl
')
########################################
##
## Mmap LVM configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_map_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_map_config'($*)) dnl
gen_require(`
type lvm_etc_t;
')
allow $1 lvm_etc_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_map_config'($*)) dnl
')
########################################
##
## Read LVM configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_read_metadata',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_read_metadata'($*)) dnl
gen_require(`
type lvm_etc_t;
type lvm_metadata_t;
')
files_search_etc($1)
allow $1 lvm_etc_t:dir list_dir_perms;
read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_read_metadata'($*)) dnl
')
########################################
##
## Read LVM configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_write_metadata',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_write_metadata'($*)) dnl
gen_require(`
type lvm_etc_t;
type lvm_metadata_t;
')
files_search_etc($1)
allow $1 lvm_etc_t:dir list_dir_perms;
write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_write_metadata'($*)) dnl
')
########################################
##
## Manage LVM metadata files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_manage_metadata',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_manage_metadata'($*)) dnl
gen_require(`
type lvm_metadata_t;
')
allow $1 lvm_metadata_t:dir list_dir_perms;
manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t)
manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_manage_metadata'($*)) dnl
')
########################################
##
## Manage LVM configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`lvm_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_manage_config'($*)) dnl
gen_require(`
type lvm_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_manage_config'($*)) dnl
')
########################################
##
## Connect to lvm using a unix domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_stream_connect'($*)) dnl
gen_require(`
type lvm_t, lvm_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, lvm_var_run_t, lvm_var_run_t, lvm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_stream_connect'($*)) dnl
')
######################################
##
## Execute a domain transition to run clvmd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`lvm_domtrans_clvmd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_domtrans_clvmd'($*)) dnl
gen_require(`
type clvmd_t, clvmd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_domtrans_clvmd'($*)) dnl
')
########################################
##
## Read and write to lvm temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_rw_clvmd_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_rw_clvmd_tmpfs_files'($*)) dnl
gen_require(`
type clvmd_tmpfs_t;
')
allow $1 clvmd_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_rw_clvmd_tmpfs_files'($*)) dnl
')
########################################
##
## Delete lvm temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_delete_clvmd_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_delete_clvmd_tmpfs_files'($*)) dnl
gen_require(`
type clvmd_tmpfs_t;
')
allow $1 clvmd_tmpfs_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_delete_clvmd_tmpfs_files'($*)) dnl
')
########################################
##
## Send lvm a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_signull'($*)) dnl
gen_require(`
type lvm_t;
')
allow $1 lvm_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_signull'($*)) dnl
')
########################################
##
## Send a message to lvm over the
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_dgram_send'($*)) dnl
gen_require(`
type lvm_t;
')
allow $1 lvm_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_dgram_send'($*)) dnl
')
########################################
##
## Read and write a lvm unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_rw_pipes'($*)) dnl
gen_require(`
type lvm_var_run_t;
')
allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_rw_pipes'($*)) dnl
')
########################################
##
## Dontaudit Read and write a lvm unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type lvm_var_run_t;
')
dontaudit $1 lvm_var_run_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_dontaudit_rw_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to access check cert dirs/files.
##
##
##
## Domain to not audit.
##
##
#
define(`lvm_dontaudit_access_check_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_dontaudit_access_check_lock'($*)) dnl
gen_require(`
type lvm_lock_t;
')
dontaudit $1 lvm_lock_t:dir audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_dontaudit_access_check_lock'($*)) dnl
')
########################################
##
## Dontaudit read and write to lvm_lock_t dir.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_dontaudit_rw_lock_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_dontaudit_rw_lock_dir'($*)) dnl
gen_require(`
type lvm_lock_t;
')
dontaudit $1 lvm_lock_t:dir rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_dontaudit_rw_lock_dir'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of lvm.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_read_state'($*)) dnl
gen_require(`
type lvm_t;
')
ps_process_pattern($1, lvm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_read_state'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## lvm lock files.
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_manage_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_manage_lock'($*)) dnl
gen_require(`
type lvm_lock_t;
')
files_lock_filetrans($1, lvm_lock_t, dir, "lvm")
files_search_locks($1)
manage_files_pattern($1, lvm_lock_t, lvm_lock_t)
manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_manage_lock'($*)) dnl
')
########################################
##
## Allow dbus send for lvm dbus API (only send needed)
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_dbus_send_msg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_dbus_send_msg'($*)) dnl
gen_require(`
type lvm_t;
class dbus send_msg;
')
allow $1 lvm_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_dbus_send_msg'($*)) dnl
')
########################################
##
## Allow lvm hints file access
##
##
##
## Domain allowed access.
##
##
#
define(`lvm_rw_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lvm_rw_var_run'($*)) dnl
gen_require(`
type lvm_t;
type lvm_var_run_t;
')
allow $1 lvm_var_run_t:file { rw_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lvm_rw_var_run'($*)) dnl
')
## Miscelaneous files.
########################################
##
## Make the specified type usable as a cert file.
##
##
##
## Make the specified type usable for cert files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## cert management tools.
##
##
## Related interfaces:
##
##
##
## Example:
##
##
## type mycertfile_t;
## cert_type(mycertfile_t)
## allow mydomain_t mycertfile_t:file read_file_perms;
## files_search_etc(mydomain_t)
##
##
##
##
## Type to be used for files.
##
##
##
#
define(`miscfiles_cert_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_cert_type'($*)) dnl
gen_require(`
attribute cert_type;
')
typeattribute $1 cert_type;
files_type($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_cert_type'($*)) dnl
')
########################################
##
## Read all SSL certificates.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_all_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_all_certs'($*)) dnl
gen_require(`
attribute cert_type;
')
allow $1 cert_type:dir list_dir_perms;
read_files_pattern($1, cert_type, cert_type)
read_lnk_files_pattern($1, cert_type, cert_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_all_certs'($*)) dnl
')
########################################
##
## Read all SSL certificates.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_all_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_all_certs'($*)) dnl
gen_require(`
attribute cert_type;
')
manage_dirs_pattern($1, cert_type, cert_type)
manage_files_pattern($1, cert_type, cert_type)
manage_lnk_files_pattern($1, cert_type, cert_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_all_certs'($*)) dnl
')
########################################
##
## Read generic SSL certificates.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_generic_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_generic_certs'($*)) dnl
gen_require(`
type cert_t;
')
allow $1 cert_t:dir list_dir_perms;
read_files_pattern($1, cert_t, cert_t)
read_lnk_files_pattern($1, cert_t, cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_generic_certs'($*)) dnl
')
########################################
##
## mmap generic SSL certificates.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_map_generic_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_map_generic_certs'($*)) dnl
gen_require(`
type cert_t;
')
allow $1 cert_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_map_generic_certs'($*)) dnl
')
########################################
##
## Do not audit attempts to mmap generic SSL certificates.
##
##
##
## Domain to not audit.
##
##
##
#
define(`miscfiles_dontaudit_map_generic_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_map_generic_certs'($*)) dnl
gen_require(`
type cert_t;
')
dontaudit $1 cert_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_map_generic_certs'($*)) dnl
')
########################################
##
## Manage generic SSL certificates.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_manage_generic_cert_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_cert_dirs'($*)) dnl
gen_require(`
type cert_t;
')
manage_dirs_pattern($1, cert_t, cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_cert_dirs'($*)) dnl
')
########################################
##
## Allow process to relabel cert_t
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_relabel_generic_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_generic_cert'($*)) dnl
gen_require(`
type cert_t;
')
files_search_usr($1)
relabel_files_pattern($1, cert_t, cert_t)
relabel_dirs_pattern($1, cert_t, cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_relabel_generic_cert'($*)) dnl
')
########################################
##
## Dontaudit attempts to write generic SSL certificates.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_dontaudit_write_generic_cert_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_write_generic_cert_files'($*)) dnl
gen_require(`
type cert_t;
')
dontaudit $1 cert_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_write_generic_cert_files'($*)) dnl
')
########################################
##
## Manage generic SSL certificates.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_generic_cert_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_cert_files'($*)) dnl
gen_require(`
type cert_t;
')
manage_files_pattern($1, cert_t, cert_t)
manage_lnk_files_pattern($1, cert_t, cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_cert_files'($*)) dnl
')
########################################
##
## Read SSL certificates.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_certs'($*)) dnl
miscfiles_read_generic_certs($1)
refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_certs'($*)) dnl
')
########################################
##
## Manage SSL certificates.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_manage_cert_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_cert_dirs'($*)) dnl
miscfiles_manage_generic_cert_dirs($1)
refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_cert_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to access check cert dirs/files.
##
##
##
## Domain to not audit.
##
##
#
define(`miscfiles_dontaudit_access_check_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_access_check_cert'($*)) dnl
gen_require(`
type cert_t;
')
dontaudit $1 cert_t:file audit_access;
dontaudit $1 cert_t:dir audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_access_check_cert'($*)) dnl
')
########################################
##
## Manage SSL certificates.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_manage_cert_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_cert_files'($*)) dnl
miscfiles_manage_generic_cert_files($1)
refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_cert_files'($*)) dnl
')
########################################
##
## Read fonts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_fonts'($*)) dnl
gen_require(`
type fonts_t, fonts_cache_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
allow $1 fonts_t:dir list_dir_perms;
read_files_pattern($1, fonts_t, fonts_t)
allow $1 fonts_t:file map;
read_lnk_files_pattern($1, fonts_t, fonts_t)
allow $1 fonts_cache_t:dir list_dir_perms;
read_files_pattern($1, fonts_cache_t, fonts_cache_t)
read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
allow $1 fonts_cache_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_fonts'($*)) dnl
')
########################################
##
## Set the attributes on a fonts directory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_setattr_fonts_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_fonts_dirs'($*)) dnl
gen_require(`
type fonts_t;
')
allow $1 fonts_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_setattr_fonts_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## on a fonts directory.
##
##
##
## Domain to not audit.
##
##
##
#
define(`miscfiles_dontaudit_setattr_fonts_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_setattr_fonts_dirs'($*)) dnl
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_setattr_fonts_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to write fonts.
##
##
##
## Domain to not audit.
##
##
##
#
define(`miscfiles_dontaudit_write_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_write_fonts'($*)) dnl
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir { write setattr };
dontaudit $1 fonts_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_write_fonts'($*)) dnl
')
########################################
##
## Watch fonts directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_watch_fonts_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_watch_fonts_dirs'($*)) dnl
gen_require(`
type fonts_t;
')
allow $1 fonts_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_watch_fonts_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete fonts.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts'($*)) dnl
gen_require(`
type fonts_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts'($*)) dnl
')
########################################
##
## Set the attributes on a fonts cache directory.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_setattr_fonts_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_fonts_cache_dirs'($*)) dnl
gen_require(`
type fonts_cache_t;
')
allow $1 fonts_cache_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_setattr_fonts_cache_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes
## on a fonts cache directory.
##
##
##
## Domain to not audit.
##
##
#
define(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_setattr_fonts_cache_dirs'($*)) dnl
gen_require(`
type fonts_cache_t;
')
dontaudit $1 fonts_cache_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_setattr_fonts_cache_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete fonts cache.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_fonts_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts_cache'($*)) dnl
gen_require(`
type fonts_cache_t;
')
files_search_var($1)
manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts_cache'($*)) dnl
')
########################################
##
## Read hardware identification data.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_hwdata',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_hwdata'($*)) dnl
gen_require(`
type hwdata_t;
')
allow $1 hwdata_t:dir list_dir_perms;
read_files_pattern($1, hwdata_t, hwdata_t)
read_lnk_files_pattern($1, hwdata_t, hwdata_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_hwdata'($*)) dnl
')
########################################
##
## Allow process to setattr localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_setattr_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_localization'($*)) dnl
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
allow $1 locale_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_setattr_localization'($*)) dnl
')
########################################
##
## Allow process to read localization information.
##
##
##
## Allow the specified domain to read the localization files.
## This is typically for time zone configuration files, such as
## /etc/localtime and files in /usr/share/zoneinfo.
## Typically, any domain which needs to know the GMT/UTC
## offset of the current timezone will need access
## to these files. Generally, it should be safe for any
## domain to read these files.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_localization'($*)) dnl
gen_require(`
type locale_t;
')
files_read_etc_symlinks($1)
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
allow $1 locale_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_localization'($*)) dnl
')
########################################
##
## Allow process to watch localization files.
##
##
##
## Allow the specified domain to watch localization files
## (e.g. /usr/share/zoneinfo/UTC) for changes.
##
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_watch_localization_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_watch_localization_files'($*)) dnl
gen_require(`
type locale_t;
')
watch_files_pattern($1, locale_t, locale_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_watch_localization_files'($*)) dnl
')
########################################
##
## Allow process to watch localization symlinks.
##
##
##
## Allow the specified domain to watch localization symlinks
## (e.g. /etc/localtime) for changes.
##
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_watch_localization_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_watch_localization_symlinks'($*)) dnl
gen_require(`
type locale_t;
')
watch_lnk_files_pattern($1, locale_t, locale_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_watch_localization_symlinks'($*)) dnl
')
########################################
##
## Allow process to write localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_rw_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_rw_localization'($*)) dnl
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
rw_files_pattern($1, locale_t, locale_t)
manage_lnk_files_pattern($1, locale_t, locale_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_rw_localization'($*)) dnl
')
########################################
##
## Allow process to relabel localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_relabel_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_localization'($*)) dnl
gen_require(`
type locale_t;
')
files_search_usr($1)
relabel_files_pattern($1, locale_t, locale_t)
relabel_lnk_files_pattern($1, locale_t, locale_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_relabel_localization'($*)) dnl
')
########################################
##
## Allow process to read legacy time localization info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_legacy_read_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_legacy_read_localization'($*)) dnl
gen_require(`
type locale_t;
')
allow $1 locale_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_legacy_read_localization'($*)) dnl
')
########################################
##
## Search man pages.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_search_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_search_man_pages'($*)) dnl
gen_require(`
type man_t, man_cache_t;
')
allow $1 { man_cache_t man_t }:dir search_dir_perms;
files_search_usr($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_search_man_pages'($*)) dnl
')
########################################
##
## Do not audit attempts to search man pages.
##
##
##
## Domain to not audit.
##
##
#
define(`miscfiles_dontaudit_search_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_search_man_pages'($*)) dnl
gen_require(`
type man_t, man_cache_t;
')
dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_search_man_pages'($*)) dnl
')
########################################
##
## Read man pages
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_pages'($*)) dnl
gen_require(`
type man_t, man_cache_t;
')
files_search_usr($1)
allow $1 { man_cache_t man_t }:dir list_dir_perms;
read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
optional_policy(`
mandb_read_cache_files($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_man_pages'($*)) dnl
')
########################################
##
## Delete man pages
##
##
##
## Domain allowed access.
##
##
# cjp: added for tmpreaper
#
define(`miscfiles_delete_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_delete_man_pages'($*)) dnl
gen_require(`
type man_t, man_cache_t;
')
files_search_usr($1)
allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
optional_policy(`
mandb_setattr_cache_dirs($1)
mandb_delete_cache($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_delete_man_pages'($*)) dnl
')
#######################################
##
## Create, read, write, and delete man pages
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_setattr_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_man_pages'($*)) dnl
gen_require(`
type man_t;
')
files_search_usr($1)
allow $1 man_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_setattr_man_pages'($*)) dnl
')
########################################
##
## Create, read, write, and delete man pages
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_manage_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_pages'($*)) dnl
gen_require(`
type man_t, man_cache_t;
')
files_search_usr($1)
manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_pages'($*)) dnl
')
########################################
##
## Read man cache content.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_man_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_cache'($*)) dnl
gen_require(`
type man_cache_t;
')
files_search_var($1)
allow $1 man_cache_t:dir list_dir_perms;
allow $1 man_cache_t:file read_file_perms;
allow $1 man_cache_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_man_cache'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## man cache content.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_manage_man_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_cache'($*)) dnl
gen_require(`
type man_cache_t;
')
files_search_var($1)
allow $1 man_cache_t:dir manage_dir_perms;
allow $1 man_cache_t:file manage_file_perms;
allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_cache'($*)) dnl
')
########################################
##
## Allow process to relabel man_pages info
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_relabel_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_man_pages'($*)) dnl
gen_require(`
type man_t;
')
files_search_usr($1)
relabel_dirs_pattern($1, man_t, man_t)
relabel_files_pattern($1, man_t, man_t)
optional_policy(`
mandb_relabel_cache($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_relabel_man_pages'($*)) dnl
')
########################################
##
## Read public files used for file
## transfer services.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_public_files'($*)) dnl
gen_require(`
type public_content_t, public_content_rw_t;
')
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
allow $1 { public_content_t public_content_rw_t }:file map;
read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_public_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete public files
## and directories used for file transfer services.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_public_files'($*)) dnl
gen_require(`
type public_content_rw_t;
')
manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_public_files'($*)) dnl
')
########################################
##
## Append to public files used for file transfer services
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_append_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_append_public_files'($*)) dnl
gen_require(`
type public_content_rw_t;
')
append_files_pattern($1, public_content_rw_t, public_content_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_append_public_files'($*)) dnl
')
########################################
##
## Read TeX data
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_tetex_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_tetex_data'($*)) dnl
gen_require(`
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir list_dir_perms;
read_files_pattern($1, tetex_data_t, tetex_data_t)
read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_tetex_data'($*)) dnl
')
########################################
##
## Execute TeX data programs in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_exec_tetex_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_exec_tetex_data'($*)) dnl
gen_require(`
type fonts_t;
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir list_dir_perms;
exec_files_pattern($1, tetex_data_t, tetex_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_exec_tetex_data'($*)) dnl
')
########################################
##
## Let test files be an entry point for
## a specified domain.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_domain_entry_test_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_domain_entry_test_files'($*)) dnl
gen_require(`
type test_file_t;
')
domain_entry_file($1, test_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_domain_entry_test_files'($*)) dnl
')
########################################
##
## Read test files and directories.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_read_test_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_test_files'($*)) dnl
gen_require(`
type test_file_t;
')
read_files_pattern($1, test_file_t, test_file_t)
read_lnk_files_pattern($1, test_file_t, test_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_test_files'($*)) dnl
')
########################################
##
## Execute test files.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_exec_test_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_exec_test_files'($*)) dnl
gen_require(`
type test_file_t;
')
exec_files_pattern($1, test_file_t, test_file_t)
read_lnk_files_pattern($1, test_file_t, test_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_exec_test_files'($*)) dnl
')
########################################
##
## Execute test files.
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_etc_filetrans_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_etc_filetrans_localization'($*)) dnl
gen_require(`
type locale_t;
')
files_etc_filetrans($1, locale_t, { file lnk_file })
files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
files_etc_filetrans($1, locale_t, file, "locale.conf" )
files_etc_filetrans($1, locale_t, file, "timezone" )
files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_etc_filetrans_localization'($*)) dnl
')
########################################
##
## Create, read, write, and delete localization
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_manage_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_localization'($*)) dnl
gen_require(`
type locale_t;
')
manage_dirs_pattern($1, locale_t, locale_t)
manage_files_pattern($1, locale_t, locale_t)
manage_lnk_files_pattern($1, locale_t, locale_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_localization'($*)) dnl
')
########################################
##
## Transition to miscfiles locale named content
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_filetrans_locale_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_filetrans_locale_named_content'($*)) dnl
gen_require(`
type locale_t;
')
files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
files_etc_filetrans($1, locale_t, file, "locale.conf")
files_etc_filetrans($1, locale_t, file, "vconsole.conf")
files_etc_filetrans($1, locale_t, file, "locale.conf.new")
files_etc_filetrans($1, locale_t, file, "timezone")
files_etc_filetrans($1, locale_t, file, "clock")
files_usr_filetrans($1, locale_t, dir, "locale")
files_usr_filetrans($1, locale_t, dir, "zoneinfo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_filetrans_locale_named_content'($*)) dnl
')
########################################
##
## Transition to miscfiles named content
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_filetrans_named_content'($*)) dnl
gen_require(`
type man_t;
type cert_t;
type fonts_t;
type fonts_cache_t;
type hwdata_t;
type tetex_data_t;
type public_content_t;
')
miscfiles_filetrans_locale_named_content($1)
files_var_filetrans($1, man_t, dir, "man")
files_etc_filetrans($1, cert_t, dir, "pki")
files_usr_filetrans($1, cert_t, dir, "certs")
files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
files_usr_filetrans($1, fonts_t, dir, "fonts")
files_usr_filetrans($1, hwdata_t, dir, "hwdata")
files_var_filetrans($1, fonts_cache_t, dir, "fontconfig")
files_var_filetrans($1, tetex_data_t, dir, "fonts")
files_spool_filetrans($1, tetex_data_t, dir, "texmf")
files_var_lib_filetrans($1, tetex_data_t, dir, "texmf")
files_var_filetrans($1, public_content_t, dir, "ftp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_filetrans_named_content'($*)) dnl
')
########################################
##
## Transition to miscfiles named content
##
##
##
## Domain allowed access.
##
##
#
define(`miscfiles_filetrans_named_content_letsencrypt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_filetrans_named_content_letsencrypt'($*)) dnl
gen_require(`
type cert_t;
')
files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_filetrans_named_content_letsencrypt'($*)) dnl
')
########################################
##
## Read all pkcs11 modules configurations.
##
##
##
## Domain allowed access.
##
##
##
#
define(`miscfiles_read_pkcs11_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_pkcs11_modules'($*)) dnl
gen_require(`
type pkcs11_modules_conf_t;
')
allow $1 pkcs11_modules_conf_t:dir list_dir_perms;
read_files_pattern($1, pkcs11_modules_conf_t, pkcs11_modules_conf_t)
allow $1 pkcs11_modules_conf_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_pkcs11_modules'($*)) dnl
')
## Policy for kernel module utilities
######################################
##
## Getattr the dependencies of kernel modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_getattr_module_deps',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_getattr_module_deps'($*)) dnl
gen_require(`
type modules_dep_t, modules_object_t;
')
getattr_files_pattern($1, modules_object_t, modules_dep_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_getattr_module_deps'($*)) dnl
')
########################################
##
## Read the dependencies of kernel modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_read_module_deps_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_deps_files'($*)) dnl
gen_require(`
type modules_dep_t;
')
allow $1 modules_dep_t:file { map read_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_deps_files'($*)) dnl
')
########################################
##
## Read the dependencies of kernel modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_read_module_deps',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_deps'($*)) dnl
gen_require(`
type modules_dep_t;
')
files_list_kernel_modules($1)
files_read_kernel_modules($1)
allow $1 modules_dep_t:file { map read_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_deps'($*)) dnl
')
########################################
##
## Read the dependencies of kernel modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_delete_module_deps',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_delete_module_deps'($*)) dnl
gen_require(`
type modules_dep_t;
')
delete_files_pattern($1, modules_dep_t, modules_dep_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_delete_module_deps'($*)) dnl
')
########################################
##
## list the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
##
#
define(`modutils_list_module_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_list_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
list_dirs_pattern($1, modules_conf_t, modules_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_list_module_config'($*)) dnl
')
########################################
##
## Read the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
##
#
define(`modutils_read_module_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
# This file type can be in /etc or
# /lib(64)?/modules
files_search_etc($1)
files_search_boot($1)
allow $1 modules_conf_t:dir list_dir_perms;
allow $1 modules_conf_t:file read_file_perms;
allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_config'($*)) dnl
')
########################################
##
## Rename a file with the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_rename_module_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_rename_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
rename_files_pattern($1, modules_conf_t, modules_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_rename_module_config'($*)) dnl
')
########################################
##
## Unlink a file with the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_delete_module_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_delete_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
delete_files_pattern($1, modules_conf_t, modules_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_delete_module_config'($*)) dnl
')
########################################
##
## Manage files with the configuration options used when
## loading modules.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_manage_module_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_manage_module_config'($*)) dnl
gen_require(`
type modules_conf_t;
')
manage_files_pattern($1, modules_conf_t, modules_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_manage_module_config'($*)) dnl
')
########################################
##
## Execute insmod in the kmod domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modutils_domtrans_kmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_kmod'($*)) dnl
gen_require(`
type kmod_t, kmod_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kmod_exec_t, kmod_t)
allow $1 kmod_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_kmod'($*)) dnl
')
########################################
##
## Unconditionally execute insmod in the insmod domain.
##
##
##
## Domain allowed to transition.
##
##
#
# cjp: this is added for pppd, due to nested
# conditionals not working.
define(`modutils_domtrans_insmod_uncond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod_uncond'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod_uncond'($*)) dnl
')
########################################
##
## Execute insmod in the insmod domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modutils_domtrans_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod'($*)) dnl
')
########################################
##
## Execute depmod in the depmod domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modutils_domtrans_depmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_depmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_depmod'($*)) dnl
')
########################################
##
## Execute depmod in the depmod domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modutils_domtrans_update_mods',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_update_mods'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_update_mods'($*)) dnl
')
########################################
##
## Allow send signal to insmod.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modutils_signal_kmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_signal_kmod'($*)) dnl
gen_require(`
type kmod_t;
')
allow $1 kmod_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_signal_kmod'($*)) dnl
')
########################################
##
## Allow send signal to insmod.
##
##
##
## Domain allowed to transition.
##
##
#
define(`modutils_signal_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_signal_insmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_signal_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_signal_insmod'($*)) dnl
')
########################################
##
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`modutils_run_kmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_kmod'($*)) dnl
gen_require(`
type kmod_t;
')
modutils_domtrans_kmod($1)
role $2 types kmod_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_kmod'($*)) dnl
')
########################################
##
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`modutils_run_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_insmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_run_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_insmod'($*)) dnl
')
########################################
##
## Execute depmod in the depmod domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`modutils_run_depmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_depmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_run_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_depmod'($*)) dnl
')
########################################
##
## Execute update_modules in the update_modules domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`modutils_run_update_mods',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_run_update_mods'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_run_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_run_update_mods'($*)) dnl
')
#######################################
##
## Execute insmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_kmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_kmod'($*)) dnl
gen_require(`
type kmod_exec_t;
')
corecmd_search_bin($1)
can_exec($1, kmod_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_kmod'($*)) dnl
')
#######################################
##
## Execute insmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_insmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_insmod'($*)) dnl
')
########################################
##
## Execute depmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_depmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_depmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_depmod'($*)) dnl
')
########################################
##
## Execute update_modules in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_exec_update_mods',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_update_mods'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_update_mods'($*)) dnl
')
#######################################
##
## Don't audit execute insmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_dontaudit_exec_kmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_dontaudit_exec_kmod'($*)) dnl
gen_require(`
type kmod_exec_t;
')
dontaudit $1 kmod_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_dontaudit_exec_kmod'($*)) dnl
')
#######################################
##
## Don't audit execute insmod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`modutils_dontaudit_exec_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_dontaudit_exec_insmod'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use modutils_dontaudit_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_dontaudit_exec_insmod'($*)) dnl
')
########################################
##
## Transition to modutils named content
##
##
##
## Domain allowed access.
##
##
#
define(`modules_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modules_filetrans_named_content'($*)) dnl
gen_require(`
type modules_dep_t;
type modules_conf_t;
')
files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modules_filetrans_named_content'($*)) dnl
')
## Policy for mount.
########################################
##
## Execute mount in the mount domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mount_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans'($*)) dnl
gen_require(`
type mount_t, mount_exec_t;
')
domtrans_pattern($1, mount_exec_t, mount_t)
mount_domtrans_fusermount($1)
allow $1 mount_t:fd use;
ps_process_pattern(mount_t, $1)
allow mount_t $1:key write;
allow mount_t $1:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans'($*)) dnl
')
########################################
##
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mount_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run'($*)) dnl
gen_require(`
attribute_role mount_roles;
type mount_t;
')
mount_domtrans($1)
roleattribute $2 mount_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run'($*)) dnl
')
########################################
##
## Execute fusermount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the mount domain.
##
##
##
#
define(`mount_run_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run_fusermount'($*)) dnl
gen_require(`
type mount_t;
')
mount_domtrans_fusermount($1)
role $2 types mount_t;
fstools_run(mount_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run_fusermount'($*)) dnl
')
########################################
##
## Read mount PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_read_pid_files'($*)) dnl
gen_require(`
type mount_var_run_t;
')
read_files_pattern($1, mount_var_run_t, mount_var_run_t)
list_dirs_pattern($1, mount_var_run_t, mount_var_run_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_read_pid_files'($*)) dnl
')
########################################
##
## Read/write mount PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_rw_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_rw_pid_files'($*)) dnl
gen_require(`
type mount_var_run_t;
')
rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_rw_pid_files'($*)) dnl
')
#######################################
##
## Do not audit attemps to write mount PID files.
##
##
##
## Domain to not audit.
##
##
#
define(`mount_dontaudit_write_mount_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_dontaudit_write_mount_pid'($*)) dnl
gen_require(`
type mount_var_run_t;
')
dontaudit $1 mount_var_run_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_dontaudit_write_mount_pid'($*)) dnl
')
########################################
##
## Manage mount PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_manage_pid_files'($*)) dnl
gen_require(`
type mount_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, mount_var_run_t, mount_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_manage_pid_files'($*)) dnl
')
########################################
##
## Watch mount PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_pid_dirs'($*)) dnl
gen_require(`
type mount_var_run_t;
')
files_search_pids($1)
watch_dirs_pattern($1, mount_var_run_t, mount_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_pid_dirs'($*)) dnl
')
########################################
##
## Watch_reads mount PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_watch_reads_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_reads_pid_dirs'($*)) dnl
gen_require(`
type mount_var_run_t;
')
files_search_pids($1)
watch_reads_dirs_pattern($1, mount_var_run_t, mount_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_reads_pid_dirs'($*)) dnl
')
########################################
##
## Watch mount PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_watch_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_pid_files'($*)) dnl
gen_require(`
type mount_var_run_t;
')
files_search_pids($1)
allow $1 mount_var_run_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_pid_files'($*)) dnl
')
########################################
##
## Watch_reads mount PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_watch_reads_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_reads_pid_files'($*)) dnl
gen_require(`
type mount_var_run_t;
')
files_search_pids($1)
allow $1 mount_var_run_t:file watch_reads_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_reads_pid_files'($*)) dnl
')
########################################
##
## Execute mount in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_exec'($*)) dnl
gen_require(`
type mount_exec_t;
')
# cjp: this should be removed:
allow $1 mount_exec_t:dir list_dir_perms;
allow $1 mount_exec_t:lnk_file read_lnk_file_perms;
can_exec($1, mount_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_exec'($*)) dnl
')
########################################
##
## Send a generic signal to mount.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_signal'($*)) dnl
gen_require(`
type mount_t;
')
allow $1 mount_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_signal'($*)) dnl
')
########################################
##
## Send a generic sigkill to mount.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_sigkill'($*)) dnl
gen_require(`
type mount_t;
')
allow $1 mount_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_sigkill'($*)) dnl
')
########################################
##
## Use file descriptors for mount.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_use_fds'($*)) dnl
gen_require(`
type mount_t;
')
allow $1 mount_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_use_fds'($*)) dnl
')
########################################
##
## Allow the mount domain to send nfs requests for mounting
## network drives
##
##
##
## Allow the mount domain to send nfs requests for mounting
## network drives
##
##
## This interface has been deprecated as these rules were
## a side effect of leaked mount file descriptors. This
## interface has no effect.
##
##
##
##
## Domain allowed access.
##
##
#
define(`mount_send_nfs_client_request',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_send_nfs_client_request'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_send_nfs_client_request'($*)) dnl
')
########################################
##
## Read the mount tmp directory
##
##
##
## Domain allowed access.
##
##
#
define(`mount_list_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_list_tmp'($*)) dnl
gen_require(`
type mount_tmp_t;
')
allow $1 mount_tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_list_tmp'($*)) dnl
')
########################################
##
## Execute fusermount in the mount domain.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_domtrans_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_fusermount'($*)) dnl
gen_require(`
type mount_t, fusermount_exec_t;
')
domtrans_pattern($1, fusermount_exec_t, mount_t)
ps_process_pattern(mount_t, $1)
allow mount_t $1:unix_stream_socket { read write };
allow $1 mount_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_fusermount'($*)) dnl
')
########################################
##
## Execute fusermount.
##
##
##
## Domain allowed access.
##
##
#
define(`mount_exec_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_exec_fusermount'($*)) dnl
gen_require(`
type fusermount_exec_t;
')
can_exec($1, fusermount_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_exec_fusermount'($*)) dnl
')
########################################
##
## dontaudit Execute fusermount.
##
##
##
## Domain to not audit.
##
##
#
define(`mount_dontaudit_exec_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_dontaudit_exec_fusermount'($*)) dnl
gen_require(`
type fusermount_exec_t;
')
dontaudit $1 fusermount_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_dontaudit_exec_fusermount'($*)) dnl
')
######################################
##
## Execute a domain transition to run showmount.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mount_domtrans_showmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_showmount'($*)) dnl
gen_require(`
type showmount_t, showmount_exec_t;
')
domtrans_pattern($1, showmount_exec_t, showmount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_showmount'($*)) dnl
')
######################################
##
## Execute showmount in the showmount domain, and
## allow the specified role the showmount domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the showmount domain.
##
##
#
define(`mount_run_showmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run_showmount'($*)) dnl
gen_require(`
type showmount_t;
')
mount_domtrans_showmount($1)
role $2 types showmount_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run_showmount'($*)) dnl
')
#######################################
##
## Transition to ecryptmount.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mount_domtrans_ecryptmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_ecryptmount'($*)) dnl
gen_require(`
type mount_ecryptfs_t, mount_ecryptfs_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_ecryptmount'($*)) dnl
')
#######################################
##
## Execute mount in the unconfined mount domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`mount_domtrans_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_unconfined'($*)) dnl
gen_require(`
type unconfined_mount_t, mount_exec_t;
')
domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_unconfined'($*)) dnl
')
#######################################
##
## Execute mount in the unconfined mount domain, and
## allow the specified role the unconfined mount domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`mount_run_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run_unconfined'($*)) dnl
gen_require(`
type unconfined_mount_t;
')
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run_unconfined'($*)) dnl
')
########################################
##
## Allow mount programs to be an entrypoint for
## the specified domain.
##
##
##
## The domain for which mount programs is an entrypoint.
##
##
#
define(`mount_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_entry_type'($*)) dnl
gen_require(`
type mount_ecryptfs_exec_t;
type mount_exec_t;
')
domain_entry_file($1, mount_ecryptfs_exec_t)
domain_entry_file($1, mount_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_entry_type'($*)) dnl
')
## NetLabel/CIPSO labeled networking management
########################################
##
## Execute netlabel_mgmt in the netlabel_mgmt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`netlabel_domtrans_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netlabel_domtrans_mgmt'($*)) dnl
gen_require(`
type netlabel_mgmt_t, netlabel_mgmt_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netlabel_domtrans_mgmt'($*)) dnl
')
########################################
##
## Execute netlabel_mgmt in the netlabel_mgmt domain, and
## allow the specified role the netlabel_mgmt domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`netlabel_run_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netlabel_run_mgmt'($*)) dnl
gen_require(`
type netlabel_mgmt_t;
')
netlabel_domtrans_mgmt($1)
role $2 types netlabel_mgmt_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netlabel_run_mgmt'($*)) dnl
')
## Policy for SELinux policy and userland applications.
#######################################
##
## Execute checkpolicy in the checkpolicy domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_checkpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_checkpolicy'($*)) dnl
gen_require(`
type checkpolicy_t, checkpolicy_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_checkpolicy'($*)) dnl
')
########################################
##
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_checkpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_checkpolicy'($*)) dnl
gen_require(`
type checkpolicy_t;
')
seutil_domtrans_checkpolicy($1)
role $2 types checkpolicy_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_checkpolicy'($*)) dnl
')
########################################
##
## Execute checkpolicy in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_exec_checkpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_checkpolicy'($*)) dnl
gen_require(`
type checkpolicy_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, checkpolicy_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_checkpolicy'($*)) dnl
')
#######################################
##
## Execute load_policy in the load_policy domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_loadpolicy'($*)) dnl
gen_require(`
type load_policy_t, load_policy_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, load_policy_exec_t, load_policy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_loadpolicy'($*)) dnl
')
########################################
##
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_loadpolicy'($*)) dnl
gen_require(`
type load_policy_t;
')
seutil_domtrans_loadpolicy($1)
role $2 types load_policy_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_loadpolicy'($*)) dnl
')
########################################
##
## Execute load_policy in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_exec_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_loadpolicy'($*)) dnl
gen_require(`
type load_policy_exec_t;
')
corecmd_search_bin($1)
can_exec($1, load_policy_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_loadpolicy'($*)) dnl
')
########################################
##
## Allow access check on load_policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_access_check_load_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_access_check_load_policy'($*)) dnl
gen_require(`
type load_policy_exec_t;
')
allow $1 load_policy_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_access_check_load_policy'($*)) dnl
')
########################################
##
## Dontaudit access check on load_policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dontaudit_access_check_load_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_load_policy'($*)) dnl
gen_require(`
type load_policy_exec_t;
')
dontaudit $1 load_policy_exec_t:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_load_policy'($*)) dnl
')
########################################
##
## Read the load_policy program file.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_loadpolicy'($*)) dnl
gen_require(`
type load_policy_exec_t;
')
corecmd_search_bin($1)
allow $1 load_policy_exec_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_loadpolicy'($*)) dnl
')
#######################################
##
## Execute newrole in the newole domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_newrole'($*)) dnl
gen_require(`
type newrole_t, newrole_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, newrole_exec_t, newrole_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_newrole'($*)) dnl
')
########################################
##
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_newrole'($*)) dnl
gen_require(`
type newrole_t;
#attribute_role newrole_roles;
')
#seutil_domtrans_newrole($1)
#roleattribute $2 newrole_roles;
seutil_domtrans_newrole($1)
role $2 types newrole_t;
auth_run_upd_passwd(newrole_t, $2)
optional_policy(`
namespace_init_run(newrole_t, $2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_newrole'($*)) dnl
')
########################################
##
## Execute newrole in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_exec_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_newrole'($*)) dnl
gen_require(`
type newrole_t, newrole_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, newrole_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_newrole'($*)) dnl
')
########################################
##
## Do not audit the caller attempts to send
## a signal to newrole.
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_signal_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_signal_newrole'($*)) dnl
gen_require(`
type newrole_t;
')
dontaudit $1 newrole_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_signal_newrole'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to newrole.
##
##
##
## Allow the specified domain to send a SIGCHLD
## signal to newrole. This signal is automatically
## sent from a process that is terminating to
## its parent. This may be needed by domains
## that are executed from newrole.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_sigchld_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_sigchld_newrole'($*)) dnl
gen_require(`
type newrole_t;
')
allow $1 newrole_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_sigchld_newrole'($*)) dnl
')
########################################
##
## Inherit and use newrole file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_use_newrole_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_use_newrole_fds'($*)) dnl
gen_require(`
type newrole_t;
')
allow $1 newrole_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_use_newrole_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit and use
## newrole file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_use_newrole_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_use_newrole_fds'($*)) dnl
gen_require(`
type newrole_t;
')
dontaudit $1 newrole_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_use_newrole_fds'($*)) dnl
')
#######################################
##
## Execute restorecon in the restorecon domain. (Deprecated)
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_restorecon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_restorecon'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
seutil_domtrans_setfiles($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_restorecon'($*)) dnl
')
########################################
##
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
## and use the caller's terminal. (Deprecated)
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_restorecon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_restorecon'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
seutil_run_setfiles($1,$2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_restorecon'($*)) dnl
')
########################################
##
## Execute restorecon in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_exec_restorecon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_restorecon'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
seutil_exec_setfiles($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_restorecon'($*)) dnl
')
########################################
##
## Execute restorecond in the caller domain.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_exec_restorecond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_restorecond'($*)) dnl
gen_require(`
type restorecond_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, restorecond_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_restorecond'($*)) dnl
')
########################################
##
## Execute run_init in the run_init domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_runinit'($*)) dnl
gen_require(`
type run_init_t, run_init_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, run_init_exec_t, run_init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_runinit'($*)) dnl
')
########################################
##
## Execute init scripts in the run_init domain.
##
##
##
## Execute init scripts in the run_init domain.
## This is used for the Gentoo integrated run_init.
##
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_init_script_domtrans_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_init_script_domtrans_runinit'($*)) dnl
gen_require(`
type run_init_t;
')
init_script_file_domtrans($1, run_init_t)
allow run_init_t $1:fd use;
allow run_init_t $1:fifo_file rw_file_perms;
allow run_init_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_init_script_domtrans_runinit'($*)) dnl
')
########################################
##
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_runinit'($*)) dnl
gen_require(`
#attribute_role run_init_roles;
type run_init_t;
role system_r;
')
#seutil_domtrans_runinit($1)
#roleattribute $2 run_init_roles;
auth_run_chk_passwd(run_init_t, $2)
seutil_domtrans_runinit($1)
role $2 types run_init_t;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_runinit'($*)) dnl
')
########################################
##
## Execute init scripts in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
##
##
##
## Execute init scripts in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
##
##
## This is used for the Gentoo integrated run_init.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`seutil_init_script_run_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_init_script_run_runinit'($*)) dnl
gen_require(`
#attribute_role run_init_roles;
type run_init_t;
role system_r;
')
#seutil_init_script_domtrans_runinit($1)
#roleattribute $2 run_init_roles;
auth_run_chk_passwd(run_init_t, $2)
seutil_init_script_domtrans_runinit($1)
role $2 types run_init_t;
allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_init_script_run_runinit'($*)) dnl
')
########################################
##
## Inherit and use run_init file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_use_runinit_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_use_runinit_fds'($*)) dnl
gen_require(`
type run_init_t;
')
allow $1 run_init_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_use_runinit_fds'($*)) dnl
')
########################################
##
## Execute setfiles in the setfiles domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setfiles'($*)) dnl
gen_require(`
type setfiles_t, setfiles_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setfiles'($*)) dnl
')
########################################
##
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setfiles'($*)) dnl
gen_require(`
type setfiles_t;
')
seutil_domtrans_setfiles($1)
role $2 types setfiles_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setfiles'($*)) dnl
')
########################################
##
## Execute setfiles in the setfiles domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_domtrans_setfiles_mac',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setfiles_mac'($*)) dnl
gen_require(`
type setfiles_mac_t, setfiles_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setfiles_mac'($*)) dnl
')
########################################
##
## Allow caller nnp_transition and nosuid_transition to setfiles_mac_t
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_nnp_domtrans_setfiles_mac',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_nnp_domtrans_setfiles_mac'($*)) dnl
gen_require(`
type setfiles_mac_t;
')
allow $1 setfiles_mac_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_nnp_domtrans_setfiles_mac'($*)) dnl
')
########################################
##
## Execute setfiles in the setfiles_mac domain, and
## allow the specified role the setfiles_mac domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the setfiles_mac domain.
##
##
##
#
define(`seutil_run_setfiles_mac',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setfiles_mac'($*)) dnl
gen_require(`
type setfiles_mac_t;
')
seutil_domtrans_setfiles_mac($1)
role $2 types setfiles_mac_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setfiles_mac'($*)) dnl
')
########################################
##
## Execute setfiles in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_exec_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_setfiles'($*)) dnl
gen_require(`
type setfiles_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, setfiles_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_setfiles'($*)) dnl
')
########################################
##
## Allow access check on setfiles.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_access_check_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_access_check_setfiles'($*)) dnl
gen_require(`
type setfiles_exec_t;
')
allow $1 setfiles_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_access_check_setfiles'($*)) dnl
')
########################################
##
## Dontaudit access check on setfiles.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dontaudit_access_check_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_setfiles'($*)) dnl
gen_require(`
type setfiles_exec_t;
')
dontaudit $1 setfiles_exec_t:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_setfiles'($*)) dnl
')
########################################
##
## Do not audit attempts to search the SELinux
## configuration directory (/etc/selinux).
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_search_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
dontaudit $1 selinux_config_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_search_config'($*)) dnl
')
########################################
##
## Allow attempts to search the SELinux
## configuration directory (/etc/selinux).
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_search_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
allow $1 selinux_config_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_search_config'($*)) dnl
')
########################################
##
## Do not audit attempts to read the SELinux
## userland configuration (/etc/selinux).
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_config'($*)) dnl
')
########################################
##
## Read the general SELinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir list_dir_perms;
read_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_config'($*)) dnl
')
########################################
##
## Read and write the general SELinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir list_dir_perms;
rw_files_pattern($1, selinux_config_t, selinux_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## the general selinux configuration files. (Deprecated)
##
##
##
## Create, read, write, and delete
## the general selinux configuration files.
##
##
## This interface has been deprecated, please
## use the seutil_manage_config() interface instead.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_selinux_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_selinux_config'($*)) dnl
refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.')
seutil_manage_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_selinux_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## the general selinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_config'($*)) dnl
gen_require(`
type selinux_config_t;
')
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_config'($*)) dnl
')
######################################
##
## Create, read, write, and delete
## the general selinux configuration files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_config_dirs'($*)) dnl
gen_require(`
type selinux_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_config_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search the SELinux
## login configuration directory.
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_search_login_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_search_login_config'($*)) dnl
gen_require(`
type selinux_login_config_t;
')
dontaudit $1 selinux_login_config_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_search_login_config'($*)) dnl
')
########################################
##
## Do not audit attempts to read the SELinux
## login configuration.
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_read_login_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_login_config'($*)) dnl
gen_require(`
type selinux_login_config_t;
')
dontaudit $1 selinux_login_config_t:dir search_dir_perms;
dontaudit $1 selinux_login_config_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_login_config'($*)) dnl
')
########################################
##
## Read the SELinux login configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_login_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_login_config'($*)) dnl
gen_require(`
type selinux_config_t;
type selinux_login_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 selinux_login_config_t:dir list_dir_perms;
read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_login_config'($*)) dnl
')
########################################
##
## Read and write the SELinux login configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_rw_login_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_login_config'($*)) dnl
gen_require(`
type selinux_config_t;
type selinux_login_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 selinux_login_config_t:dir list_dir_perms;
rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_login_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete
## the general selinux configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_rw_login_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_login_config_dirs'($*)) dnl
gen_require(`
type selinux_config_t;
type selinux_login_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 selinux_login_config_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_login_config_dirs'($*)) dnl
')
######################################
##
## Create, read, write, and delete
## the general selinux configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_login_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_login_config'($*)) dnl
gen_require(`
type selinux_config_t;
type selinux_login_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_login_config'($*)) dnl
')
######################################
##
## manage the login selinux configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_login_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_login_config_files'($*)) dnl
gen_require(`
type selinux_config_t;
type selinux_login_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_login_config_files'($*)) dnl
')
########################################
##
## Search the policy directory with default_context files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_search_default_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_search_default_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t;
')
files_search_etc($1)
search_dirs_pattern($1, selinux_config_t, default_context_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_search_default_contexts'($*)) dnl
')
########################################
##
## Read the default_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_read_default_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_default_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 default_context_t:dir list_dir_perms;
read_files_pattern($1, default_context_t, default_context_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_default_contexts'($*)) dnl
')
#######################################
##
## Read and write the default_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_rw_default_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_default_contexts'($*)) dnl
gen_require(`
type default_context_t;
type selinux_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir list_dir_perms;
allow $1 default_context_t:dir list_dir_perms;
rw_files_pattern($1, default_context_t, default_context_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_default_contexts'($*)) dnl
')
########################################
##
## Create, read, write, and delete the default_contexts files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_default_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_default_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
manage_files_pattern($1, default_context_t, default_context_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_default_contexts'($*)) dnl
')
########################################
##
## Read the file_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_read_file_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t, file_context_t;
')
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
list_dirs_pattern($1, file_context_t, file_context_t)
read_files_pattern($1, file_context_t, file_context_t)
read_lnk_files_pattern($1, file_context_t, file_context_t)
allow $1 file_context_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_file_contexts'($*)) dnl
')
########################################
##
## Do not audit attempts to read the file_contexts files.
##
##
##
## Domain to not audit.
##
##
##
#
define(`seutil_dontaudit_read_file_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, default_context_t, file_context_t;
')
dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
dontaudit $1 file_context_t:file read_file_perms;
dontaudit $1 file_context_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_file_contexts'($*)) dnl
')
########################################
##
## Read and write the file_contexts files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_rw_file_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, file_context_t, default_context_t;
')
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
rw_files_pattern($1, file_context_t, file_context_t)
allow $1 file_context_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_file_contexts'($*)) dnl
')
########################################
##
## Create, read, write, and delete the file_contexts files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_file_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_file_contexts'($*)) dnl
gen_require(`
type selinux_config_t, file_context_t, default_context_t;
')
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
manage_files_pattern($1, file_context_t, file_context_t)
manage_dirs_pattern($1, file_context_t, file_context_t)
allow $1 file_context_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_file_contexts'($*)) dnl
')
########################################
##
## Read the SELinux binary policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_bin_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_bin_policy'($*)) dnl
gen_require(`
type selinux_config_t, policy_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
read_files_pattern($1, policy_config_t, policy_config_t)
allow $1 policy_config_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_bin_policy'($*)) dnl
')
########################################
##
## Create the SELinux binary policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_create_bin_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_create_bin_policy'($*)) dnl
gen_require(`
# attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
create_files_pattern($1, policy_config_t, policy_config_t)
write_files_pattern($1, policy_config_t, policy_config_t)
# typeattribute $1 can_write_binary_policy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_create_bin_policy'($*)) dnl
')
########################################
##
## Allow the caller to relabel a file to the binary policy type.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_relabelto_bin_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_relabelto_bin_policy'($*)) dnl
gen_require(`
attribute can_relabelto_binary_policy;
type policy_config_t;
')
allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_relabelto_bin_policy'($*)) dnl
')
########################################
##
## Create, read, write, and delete the SELinux
## binary policy.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_bin_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_bin_policy'($*)) dnl
gen_require(`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
manage_files_pattern($1, policy_config_t, policy_config_t)
typeattribute $1 can_write_binary_policy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_bin_policy'($*)) dnl
')
########################################
##
## Read SELinux policy source files.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_src_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_src_policy'($*)) dnl
gen_require(`
type selinux_config_t, policy_src_t;
')
files_search_etc($1)
list_dirs_pattern($1, selinux_config_t, policy_src_t)
read_files_pattern($1, policy_src_t, policy_src_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_src_policy'($*)) dnl
')
########################################
##
## Create, read, write, and delete SELinux
## policy source files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`seutil_manage_src_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_src_policy'($*)) dnl
gen_require(`
type selinux_config_t, policy_src_t;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
manage_dirs_pattern($1, policy_src_t, policy_src_t)
manage_files_pattern($1, policy_src_t, policy_src_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_src_policy'($*)) dnl
')
########################################
##
## Execute a domain transition to run semanage.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_semanage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_semanage'($*)) dnl
gen_require(`
type semanage_t, semanage_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, semanage_exec_t, semanage_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_semanage'($*)) dnl
')
########################################
##
## Execute a domain transition to run setsebool.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seutil_domtrans_setsebool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setsebool'($*)) dnl
gen_require(`
type setsebool_t, setsebool_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, setsebool_exec_t, setsebool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setsebool'($*)) dnl
')
########################################
##
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`seutil_run_semanage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_semanage'($*)) dnl
gen_require(`
#attribute_role semanage_roles;
type semanage_t;
')
#seutil_domtrans_semanage($1)
#roleattribute $2 semanage_roles;
seutil_domtrans_semanage($1)
seutil_run_setfiles(semanage_t, $2)
seutil_run_loadpolicy(semanage_t, $2)
role $2 types semanage_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_semanage'($*)) dnl
')
########################################
##
## Execute setsebool in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the setsebool domain.
##
##
##
#
define(`seutil_run_setsebool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setsebool'($*)) dnl
gen_require(`
type semanage_t;
')
seutil_domtrans_setsebool($1)
role $2 types setsebool_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setsebool'($*)) dnl
')
########################################
##
## List of the semanage
## module store.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_access_check_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_access_check_module_store'($*)) dnl
gen_require(`
type semanage_store_t;
')
files_search_etc($1)
allow $1 semanage_store_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_access_check_module_store'($*)) dnl
')
########################################
##
## Full management of the semanage
## module store.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_read_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_module_store'($*)) dnl
gen_require(`
type selinux_config_t, semanage_store_t;
')
files_search_etc($1)
list_dirs_pattern($1, selinux_config_t, semanage_store_t)
read_files_pattern($1, semanage_store_t, semanage_store_t)
read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_module_store'($*)) dnl
')
########################################
##
## Dontaudit read selinux module store
## module store.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dontaudit_read_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_module_store'($*)) dnl
gen_require(`
type semanage_store_t;
')
dontaudit $1 semanage_store_t:dir list_dir_perms;
dontaudit $1 semanage_store_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_module_store'($*)) dnl
')
#######################################
##
## Dontaudit access check on module store
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dontaudit_access_check_semanage_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_semanage_module_store'($*)) dnl
gen_require(`
type semanage_store_t;
')
dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_semanage_module_store'($*)) dnl
')
########################################
##
## Full management of the semanage
## module store.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_manage_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_module_store'($*)) dnl
gen_require(`
type selinux_config_t, semanage_store_t;
')
files_search_etc($1)
files_search_var($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_module_store'($*)) dnl
')
#######################################
##
## Get read lock on module store
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_get_semanage_read_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_read_lock'($*)) dnl
gen_require(`
type selinux_config_t, semanage_read_lock_t;
')
files_search_etc($1)
rw_files_pattern($1, selinux_config_t, semanage_read_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_get_semanage_read_lock'($*)) dnl
')
#######################################
##
## Dontaudit access check on module store
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dontaudit_access_check_semanage_read_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_semanage_read_lock'($*)) dnl
gen_require(`
type semanage_read_lock_t;
')
dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_semanage_read_lock'($*)) dnl
')
#######################################
##
## Get trans lock on module store
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_get_semanage_trans_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_trans_lock'($*)) dnl
gen_require(`
type selinux_config_t, semanage_trans_lock_t;
')
files_search_etc($1)
rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_get_semanage_trans_lock'($*)) dnl
')
########################################
##
## SELinux-enabled program access for
## libselinux-linked programs.
##
##
##
## SELinux-enabled programs are typically
## linked to the libselinux library. This
## interface will allow access required for
## the libselinux constructor to function.
##
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_libselinux_linked',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_libselinux_linked'($*)) dnl
selinux_get_fs_mount($1)
seutil_read_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_libselinux_linked'($*)) dnl
')
########################################
##
## Do not audit SELinux-enabled program access for
## libselinux-linked programs.
##
##
##
## SELinux-enabled programs are typically
## linked to the libselinux library. This
## interface will dontaudit access required for
## the libselinux constructor to function.
##
##
## Generally this should not be used on anything
## but simple SELinux-enabled programs that do not
## rely on data initialized by the libselinux
## constructor.
##
##
##
##
## Domain to not audit.
##
##
#
define(`seutil_dontaudit_libselinux_linked',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_libselinux_linked'($*)) dnl
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_libselinux_linked'($*)) dnl
')
#######################################
##
## All rules necessary to run semanage command
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_semanage_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_semanage_policy'($*)) dnl
gen_require(`
type semanage_tmp_t;
type policy_config_t;
attribute policy_manager_domain;
')
typeattribute $1 policy_manager_domain;
kernel_read_system_state($1)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch($1)
mls_file_write_all_levels($1)
mls_file_read_all_levels($1)
selinux_get_enforce_mode($1)
seutil_manage_bin_policy($1)
logging_send_syslog_msg($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_semanage_policy'($*)) dnl
')
#######################################
##
## All rules necessary to run setfiles command
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_setfiles'($*)) dnl
gen_require(`
attribute setfiles_domain;
')
typeattribute $1 setfiles_domain;
kernel_read_system_state($1)
seutil_libselinux_linked($1)
files_relabel_all_files($1)
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
# this is to satisfy the assertion:
auth_relabelto_shadow($1)
logging_send_syslog_msg($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_setfiles'($*)) dnl
')
#####################################
##
## File name transition for selinux utility content
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_filetrans_named_content'($*)) dnl
gen_require(`
type default_context_t, semanage_store_t;
type selinux_config_t, semanage_trans_lock_t;
type file_context_t, selinux_login_config_t;
')
filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK")
filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK")
filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins")
filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_filetrans_named_content'($*)) dnl
')
########################################
##
## Send and receive messages from
## semanage dbus server over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`seutil_dbus_chat_semanage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dbus_chat_semanage'($*)) dnl
gen_require(`
type semanage_t;
class dbus send_msg;
')
ps_process_pattern(semanage_t, $1)
allow $1 semanage_t:dbus send_msg;
allow semanage_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dbus_chat_semanage'($*)) dnl
')
## SELinux MLS/MCS label translation service.
########################################
##
## Execute setrans server in the setrans domain.
##
##
##
## Domain allowed to transition.
##
##
#
#
define(`setrans_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setrans_initrc_domtrans'($*)) dnl
gen_require(`
type setrans_initrc_exec_t;
')
init_labeled_script_domtrans($1, setrans_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setrans_initrc_domtrans'($*)) dnl
')
#######################################
##
## Allow a domain to translate contexts.
##
##
##
## Domain allowed access.
##
##
#
define(`setrans_translate_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setrans_translate_context'($*)) dnl
gen_require(`
type setrans_t, setrans_var_run_t;
class context translate;
')
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 setrans_t:context translate;
stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setrans_translate_context'($*)) dnl
')
#######################################
##
## Allow a domain to manage pid files
##
##
##
## Domain allowed access.
##
##
#
define(`setrans_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setrans_manage_pid_files'($*)) dnl
gen_require(`
type setrans_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setrans_manage_pid_files'($*)) dnl
')
## Policy for network configuration: ifconfig and dhcp client.
#######################################
##
## Execute dhcp client in dhcpc domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sysnet_domtrans_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t, dhcpc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
allow $1 dhcpc_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_domtrans_dhcpc'($*)) dnl
')
########################################
##
## Execute DHCP clients in the dhcpc domain, and
## allow the specified role the dhcpc domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sysnet_run_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_run_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
attribute_role dhcpc_roles;
')
sysnet_domtrans_dhcpc($1)
roleattribute $2 dhcpc_roles;
optional_policy(`
networkmanager_run(dhcpc_t, $2)
')
optional_policy(`
nis_run_ypbind(dhcpc_t, $2)
')
optional_policy(`
nscd_run(dhcpc_t, $2)
')
optional_policy(`
ntp_run(dhcpc_t, $2)
')
seutil_run_setfiles(dhcpc_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_run_dhcpc'($*)) dnl
')
########################################
##
## Do not audit attempts to read and
## write dhcpc udp socket descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_rw_dhcpc_udp_sockets'($*)) dnl
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_rw_dhcpc_udp_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## the dhcp file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`sysnet_dontaudit_use_dhcpc_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_use_dhcpc_fds'($*)) dnl
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_use_dhcpc_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read/write to the
## dhcp unix stream socket descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets'($*)) dnl
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_sigchld_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_sigchld_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_sigchld_dhcpc'($*)) dnl
')
########################################
##
## Send a kill signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_kill_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_kill_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_kill_dhcpc'($*)) dnl
')
########################################
##
## Send a SIGSTOP signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_sigstop_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_sigstop_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_sigstop_dhcpc'($*)) dnl
')
########################################
##
## Send a null signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_signull_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signull_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signull_dhcpc'($*)) dnl
')
########################################
##
## Send a generic signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_signal_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signal_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signal_dhcpc'($*)) dnl
')
########################################
##
## Send and receive messages from
## dhcpc over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_dbus_chat_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dbus_chat_dhcpc'($*)) dnl
gen_require(`
type dhcpc_t;
class dbus send_msg;
')
allow $1 dhcpc_t:dbus send_msg;
allow dhcpc_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dbus_chat_dhcpc'($*)) dnl
')
########################################
##
## Read and write dhcp configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_rw_dhcp_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_rw_dhcp_config'($*)) dnl
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_rw_dhcp_config'($*)) dnl
')
########################################
##
## Search the DHCP client state
## directories.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_search_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
files_search_var_lib($1)
allow $1 dhcpc_state_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_search_dhcpc_state'($*)) dnl
')
########################################
##
## Read dhcp client state files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_read_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_state'($*)) dnl
')
#######################################
##
## Delete the dhcp client state files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_delete_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_state'($*)) dnl
')
########################################
##
## Allow caller to relabel dhcpc_state files
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_relabelfrom_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_relabelfrom_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
allow $1 dhcpc_state_t:file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_relabelfrom_dhcpc_state'($*)) dnl
')
#######################################
##
## Manage the dhcp client state files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_manage_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_dhcpc_state'($*)) dnl
gen_require(`
type dhcpc_state_t;
')
manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_dhcpc_state'($*)) dnl
')
#######################################
##
## Set the attributes of network config files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_setattr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_setattr_config'($*)) dnl
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_setattr_config'($*)) dnl
')
#######################################
##
## Allow caller to relabel net_conf files
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_relabelfrom_net_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_relabelfrom_net_conf'($*)) dnl
gen_require(`
type net_conf_t;
')
allow $1 net_conf_t:file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_relabelfrom_net_conf'($*)) dnl
')
######################################
##
## Allow caller to relabel net_conf files
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_relabelto_net_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_relabelto_net_conf'($*)) dnl
gen_require(`
type net_conf_t;
')
allow $1 net_conf_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_relabelto_net_conf'($*)) dnl
')
#######################################
##
## Read network config files.
##
##
##
## Allow the specified domain to read the
## general network configuration files. A
## common example of this is the
## /etc/resolv.conf file, which has domain
## name system (DNS) server IP addresses.
## Typically, most networking processes will
## require the access provided by this interface.
##
##
## Higher-level interfaces which involve
## networking will generally call this interface,
## for example:
##
##
## - sysnet_dns_name_resolve()
## - sysnet_use_ldap()
## - sysnet_use_portmap()
##
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_config'($*)) dnl
gen_require(`
type net_conf_t;
')
files_search_etc($1)
read_files_pattern($1, net_conf_t, net_conf_t)
read_lnk_files_pattern($1, net_conf_t, net_conf_t)
ifdef(`distro_debian',`
files_search_pids($1)
list_dirs_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`distro_redhat',`
files_search_all_pids($1)
init_search_pid_dirs($1)
list_dirs_pattern($1, net_conf_t, net_conf_t)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_config'($*)) dnl
')
#######################################
##
## Do not audit attempts to read network config files.
##
##
##
## Domain to not audit.
##
##
#
define(`sysnet_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_read_config'($*)) dnl
gen_require(`
type net_conf_t;
')
dontaudit $1 net_conf_t:file read_file_perms;
dontaudit $1 net_conf_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_read_config'($*)) dnl
')
#######################################
##
## Write network config files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_write_config'($*)) dnl
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_write_config'($*)) dnl
')
#######################################
##
## Create network config files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_create_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_create_config'($*)) dnl
gen_require(`
type net_conf_t;
')
files_rw_etc_dirs($1)
allow $1 net_conf_t:file create_file_perms;
allow $1 net_conf_t:lnk_file create_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_create_config'($*)) dnl
')
#######################################
##
## Watch network config files and lnk_files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_watch_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_watch_config'($*)) dnl
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file watch_file_perms;
allow $1 net_conf_t:lnk_file watch_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_watch_config'($*)) dnl
')
#######################################
##
## Create files in /etc with the type used for
## the network config files.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`sysnet_etc_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_etc_filetrans_config'($*)) dnl
gen_require(`
type net_conf_t;
')
files_etc_filetrans($1, net_conf_t, file, $2)
files_etc_filetrans($1, net_conf_t, lnk_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_etc_filetrans_config'($*)) dnl
')
########################################
##
## Transition content to the type used for
## the network config files.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the directory to which the object will be created.
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`sysnet_filetrans_config_fromdir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_config_fromdir'($*)) dnl
gen_require(`
type net_conf_t;
')
filetrans_pattern($1, $2, net_conf_t, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_config_fromdir'($*)) dnl
')
#######################################
##
## Create, read, write, and delete network config files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_config'($*)) dnl
gen_require(`
type net_conf_t;
')
sysnet_read_config($1)
manage_files_pattern($1, net_conf_t, net_conf_t)
manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_config'($*)) dnl
')
#######################################
##
## Create, read, write, and delete network config dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_config_dirs'($*)) dnl
gen_require(`
type net_conf_t;
')
sysnet_read_config($1)
manage_dirs_pattern($1, net_conf_t, net_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_config_dirs'($*)) dnl
')
#######################################
##
## Read the dhcp client pid file.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_read_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_pid'($*)) dnl
gen_require(`
type dhcpc_var_run_t;
')
files_list_pids($1)
allow $1 dhcpc_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_pid'($*)) dnl
')
#######################################
##
## Delete the dhcp client pid file.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_delete_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_pid'($*)) dnl
gen_require(`
type dhcpc_var_run_t;
')
files_rw_pid_dirs($1)
allow $1 dhcpc_var_run_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_pid'($*)) dnl
')
#######################################
##
## Manage the dhcp client pid file.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_manage_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_dhcpc_pid'($*)) dnl
gen_require(`
type dhcpc_var_run_t;
')
files_rw_pid_dirs($1)
manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_dhcpc_pid'($*)) dnl
')
########################################
##
## Create specified objects in generic
## pid directories with the dhcpc pid file type.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`sysnet_filetrans_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_dhcpc_pid'($*)) dnl
gen_require(`
type dhcpc_var_run_t;
')
files_pid_filetrans($1, dhcpc_var_run_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_dhcpc_pid'($*)) dnl
')
#######################################
##
## Execute ifconfig in the ifconfig domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sysnet_domtrans_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t, ifconfig_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_domtrans_ifconfig'($*)) dnl
')
########################################
##
## NNP Transition to ifconfig_t.
##
##
##
## Domain allowed to transition.
##
##
#
define(`sysnet_nnp_domtrans_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_nnp_domtrans_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_nnp_domtrans_ifconfig'($*)) dnl
')
########################################
##
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`sysnet_run_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_run_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
corecmd_search_bin($1)
sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_run_ifconfig'($*)) dnl
')
#######################################
##
## Execute ifconfig in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_exec_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_exec_ifconfig'($*)) dnl
gen_require(`
type ifconfig_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ifconfig_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_exec_ifconfig'($*)) dnl
')
########################################
##
## Send a generic signal to ifconfig.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_signal_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signal_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signal_ifconfig'($*)) dnl
')
########################################
##
## Send null signals to ifconfig.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_signull_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signull_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signull_ifconfig'($*)) dnl
')
########################################
##
## Send a kill signal to iconfig.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_kill_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_kill_ifconfig'($*)) dnl
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_kill_ifconfig'($*)) dnl
')
########################################
##
## Read the DHCP configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_read_dhcp_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcp_config'($*)) dnl
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
allow $1 dhcp_etc_t:file map;
allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcp_config'($*)) dnl
')
########################################
##
## Search the DHCP state data directory.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_search_dhcp_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcp_state'($*)) dnl
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
allow $1 dhcp_state_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_search_dhcp_state'($*)) dnl
')
#######################################
##
## Set the attributes of network config files.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_setattr_dhcp_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_setattr_dhcp_state'($*)) dnl
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
allow $1 dhcp_state_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_setattr_dhcp_state'($*)) dnl
')
########################################
##
## Create DHCP state data.
##
##
##
## Create DHCP state data.
##
##
## This is added for DHCP server, as
## the server and client put their state
## files in the same directory.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
define(`sysnet_dhcp_state_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dhcp_state_filetrans'($*)) dnl
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
filetrans_pattern($1, dhcp_state_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dhcp_state_filetrans'($*)) dnl
')
########################################
##
## Perform a DNS name resolution.
##
##
##
## Domain allowed access.
##
##
##
#
define(`sysnet_dns_name_resolve',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dns_name_resolve'($*)) dnl
gen_require(`
type net_conf_t;
')
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
corenet_tcp_connect_dnssec_port($1)
corenet_sendrecv_dns_client_packets($1)
files_search_all_pids($1)
miscfiles_read_generic_certs($1)
miscfiles_map_generic_certs($1)
sysnet_read_config($1)
optional_policy(`
avahi_stream_connect($1)
')
optional_policy(`
dbus_stream_connect_system_dbusd($1)
')
optional_policy(`
nscd_use($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dns_name_resolve'($*)) dnl
')
########################################
##
## Connect and use a LDAP server.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_use_ldap',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_use_ldap'($*)) dnl
gen_require(`
type net_conf_t;
')
allow $1 self:tcp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
# Support for LDAPS
dev_read_rand($1)
# LDAP Configuration using encrypted requires
dev_read_urand($1)
sysnet_read_config($1)
optional_policy(`
ldap_read_certs($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_use_ldap'($*)) dnl
')
########################################
##
## Connect and use remote port mappers.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_use_portmap',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_use_portmap'($*)) dnl
gen_require(`
type net_conf_t;
')
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_portmap_port($1)
corenet_udp_sendrecv_portmap_port($1)
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
sysnet_read_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_use_portmap'($*)) dnl
')
########################################
##
## Do not audit attempts to use
## the dhcp file descriptors.
##
##
##
## Domain to not audit.
##
##
#
define(`sysnet_dontaudit_dhcpc_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_dhcpc_use_fds'($*)) dnl
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_dhcpc_use_fds'($*)) dnl
')
########################################
##
## Transition to system_r when execute an dhclient script
##
##
##
## Execute dhclient script in a specified role
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Role to transition from.
##
##
define(`sysnet_role_transition_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_role_transition_dhcpc'($*)) dnl
gen_require(`
type dhcpc_exec_t;
')
role_transition $1 dhcpc_exec_t system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_role_transition_dhcpc'($*)) dnl
')
########################################
##
## Set up filename transitions for systemd-resolved network
## configuration content.
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_filetrans_systemd_resolved',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_systemd_resolved'($*)) dnl
gen_require(`
type net_conf_t;
')
optional_policy(`
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_systemd_resolved'($*)) dnl
')
########################################
##
## Transition to sysnet named content
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_named_content'($*)) dnl
gen_require(`
type net_conf_t;
')
sysnet_etc_filetrans_config($1, "resolv.conf")
files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf")
files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
files_etc_filetrans($1, net_conf_t, file, "denyhosts")
files_etc_filetrans($1, net_conf_t, file, "hosts")
files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
files_etc_filetrans($1, net_conf_t, file, "ethers")
files_etc_filetrans($1, net_conf_t, file, "yp.conf")
files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
init_pid_filetrans($1, net_conf_t, dir, "network")
optional_policy(`
networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
')
sysnet_filetrans_systemd_resolved($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_named_content'($*)) dnl
')
########################################
##
## Transition to sysnet ifconfig named content
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_manage_ifconfig_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_ifconfig_run'($*)) dnl
gen_require(`
type ifconfig_var_run_t;
')
manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_ifconfig_run'($*)) dnl
')
########################################
##
## Transition to sysnet ifconfig named content
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_filetrans_named_content_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_named_content_ifconfig'($*)) dnl
gen_require(`
type ifconfig_var_run_t;
')
files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_named_content_ifconfig'($*)) dnl
')
########################################
##
## Transition to sysnet ifconfig named content
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_filetrans_net_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_net_conf'($*)) dnl
gen_require(`
type net_conf_t;
')
files_etc_filetrans($1, net_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_net_conf'($*)) dnl
')
########################################
##
## Transition to cloud-init named content
##
##
##
## Domain allowed access.
##
##
#
define(`sysnet_filetrans_cloud_net_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_cloud_net_conf'($*)) dnl
gen_require(`
type net_conf_t;
')
files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_cloud_net_conf'($*)) dnl
')
## SELinux policy for systemd components
######################################
##
## Creates types and rules for a basic
## systemd domains.
##
##
##
## Prefix for the domain.
##
##
#
define(`systemd_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_domain_template'($*)) dnl
gen_require(`
attribute systemd_domain;
')
type $1_t, systemd_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
init_nnp_daemon_domain($1_t)
kernel_read_system_state($1_t)
auth_use_nsswitch($1_t)
selinux_get_enforce_mode($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_domain_template'($*)) dnl
')
######################################
##
## Create a domain for processes which are started
## exuting systemctl.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_stub_unit_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_stub_unit_file'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_stub_unit_file'($*)) dnl
')
#######################################
##
## Create a domain for processes which are started
## exuting systemctl.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_systemctl_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_systemctl_domain'($*)) dnl
gen_require(`
type systemd_systemctl_exec_t;
role system_r;
attribute systemctl_domain;
')
type $1_systemctl_t, systemctl_domain;
domain_type($1_systemctl_t)
domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
role system_r types $1_systemctl_t;
domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_systemctl_domain'($*)) dnl
')
########################################
##
## Execute systemctl in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_exec_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_exec_systemctl'($*)) dnl
gen_require(`
type systemd_systemctl_exec_t;
')
corecmd_search_bin($1)
can_exec($1, systemd_systemctl_exec_t)
fs_list_cgroup_dirs($1)
fs_read_cgroup_files($1)
fs_read_efivarfs_files($1)
systemd_list_unit_dirs($1)
init_list_pid_dirs($1)
init_read_state($1)
init_stream_send($1)
init_stream_connect($1)
systemd_login_list_pid_dirs($1)
systemd_login_read_pid_files($1)
systemd_passwd_agent_exec($1)
dontaudit $1 self:capability { net_admin sys_ptrace };
# systemctl tries to adjust its RLIMIT_NOFILE right when it is started
dontaudit $1 self:process setrlimit;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_exec_systemctl'($*)) dnl
')
#
########################################
##
## Allow systemd_systemctl_exec_t to be an entrypoint
## of the specified domain
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_systemctl_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_systemctl_entrypoint'($*)) dnl
gen_require(`
type systemd_systemctl_exec_t;
')
allow $1 systemd_systemctl_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_systemctl_entrypoint'($*)) dnl
')
#######################################
##
## Create a file type used for systemd unit files.
##
##
##
## Type to be used for an unit file.
##
##
#
define(`systemd_unit_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_unit_file'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
typeattribute $1 systemd_unit_file_type;
files_type($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_unit_file'($*)) dnl
')
######################################
##
## Allow domain to search systemd unit dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_search_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_search_unit_dirs'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
files_search_var_lib($1)
allow $1 systemd_unit_file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_search_unit_dirs'($*)) dnl
')
######################################
##
## Allow domain to list systemd unit dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_list_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_list_unit_dirs'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
files_search_var_lib($1)
allow $1 systemd_unit_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_list_unit_dirs'($*)) dnl
')
######################################
##
## Allow domain to list systemd unit dirs.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_create_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_create_unit_dirs'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
files_search_var_lib($1)
allow $1 systemd_unit_file_type:dir create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_create_unit_dirs'($*)) dnl
')
#####################################
##
## Allow domain to getattr all systemd unit files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_getattr_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_getattr_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
files_search_var_lib($1)
getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_getattr_unit_files'($*)) dnl
')
#####################################
##
## Allow domain to getattr all systemd unit directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_getattr_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_getattr_unit_dirs'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
allow $1 systemd_unit_file_type:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_getattr_unit_dirs'($*)) dnl
')
######################################
##
## Allow domain to read all systemd unit files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_read_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
files_search_var_lib($1)
allow $1 systemd_unit_file_type:file read_file_perms;
allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
allow $1 systemd_unit_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_unit_files'($*)) dnl
')
#####################################
##
## Dontaudit domain to read all systemd unit files.
##
##
##
## Domain to not audit.
##
##
#
define(`systemd_dontaudit_read_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dontaudit_read_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
dontaudit $1 systemd_unit_file_type:file read_file_perms;
dontaudit $1 systemd_unit_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dontaudit_read_unit_files'($*)) dnl
')
######################################
##
## Read systemd_login PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_read_pid_files'($*)) dnl
gen_require(`
type systemd_logind_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_read_pid_files'($*)) dnl
')
######################################
##
## Read systemd_resolved PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_resolved_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_resolved_read_pid'($*)) dnl
gen_require(`
type systemd_resolved_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
read_lnk_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_resolved_read_pid'($*)) dnl
')
######################################
##
## Write to systemd_resolved PID socket files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_resolved_write_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_resolved_write_pid_sock_files'($*)) dnl
gen_require(`
type systemd_resolved_var_run_t;
')
files_search_pids($1)
write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_resolved_write_pid_sock_files'($*)) dnl
')
######################################
##
## Watch systemd_resolved PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_resolved_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_resolved_watch_pid_dirs'($*)) dnl
gen_require(`
type systemd_resolved_var_run_t;
')
files_search_pids($1)
allow $1 systemd_resolved_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_resolved_watch_pid_dirs'($*)) dnl
')
########################################
##
## Create objects in /var/run/systemd/resolve with a private
## type using a type_transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Object classes to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`systemd_resolved_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_resolved_pid_filetrans'($*)) dnl
gen_require(`
type systemd_resolved_var_run_t;
')
filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_resolved_pid_filetrans'($*)) dnl
')
######################################
##
## Read systemd_login PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_manage_pid_files'($*)) dnl
gen_require(`
type systemd_logind_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_manage_pid_files'($*)) dnl
')
######################################
##
## Read systemd_login PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_filetrans_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_filetrans_pid_files'($*)) dnl
gen_require(`
type systemd_logind_var_run_t;
')
files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_filetrans_pid_files'($*)) dnl
')
######################################
##
## Read systemd_login PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_list_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_list_pid_dirs'($*)) dnl
gen_require(`
type systemd_logind_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_list_pid_dirs'($*)) dnl
')
######################################
##
## Watch systemd_login PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_watch_pid_dirs'($*)) dnl
gen_require(`
type systemd_logind_var_run_t;
')
files_search_pids($1)
allow $1 systemd_logind_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_watch_pid_dirs'($*)) dnl
')
######################################
##
## Watch systemd_login session directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_watch_session_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_watch_session_dirs'($*)) dnl
gen_require(`
type systemd_logind_sessions_t;
')
init_search_pid_dirs($1)
allow $1 systemd_logind_sessions_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_watch_session_dirs'($*)) dnl
')
######################################
##
## Mounton systemd_login PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_mounton_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_mounton_pid_dirs'($*)) dnl
gen_require(`
type systemd_logind_var_run_t;
')
allow $1 systemd_logind_var_run_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_mounton_pid_dirs'($*)) dnl
')
######################################
##
## Use and and inherited systemd
## logind file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_use_fds_logind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_use_fds_logind'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_use_fds_logind'($*)) dnl
')
########################################
##
## Read the process state (/proc/pid) of systemd_logind_t.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_logind_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_logind_read_state'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:dir search_dir_perms;
allow $1 systemd_logind_t:file read_file_perms;
allow $1 systemd_logind_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_logind_read_state'($*)) dnl
')
######################################
##
## Read logind sessions files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_read_logind_sessions_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_logind_sessions_files'($*)) dnl
gen_require(`
type systemd_logind_sessions_t;
')
init_search_pid_dirs($1)
allow $1 systemd_logind_sessions_t:dir list_dir_perms;
read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_logind_sessions_files'($*)) dnl
')
######################################
##
## Mounton inherited logind sessions pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_mounton_inherited_logind_sessions_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_mounton_inherited_logind_sessions_dirs'($*)) dnl
gen_require(`
type systemd_logind_sessions_t;
')
allow $1 systemd_logind_sessions_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_mounton_inherited_logind_sessions_dirs'($*)) dnl
')
######################################
##
## Write inherited logind sessions pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_write_inherited_logind_sessions_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_write_inherited_logind_sessions_pipes'($*)) dnl
gen_require(`
type systemd_logind_sessions_t;
type systemd_logind_t;
')
allow $1 systemd_logind_t:fd use;
allow $1 systemd_logind_sessions_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_write_inherited_logind_sessions_pipes'($*)) dnl
')
######################################
##
## Dontaudit attempts to write inherited logind sessions pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`systemd_dontaudit_write_inherited_logind_sessions_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dontaudit_write_inherited_logind_sessions_pipes'($*)) dnl
gen_require(`
type systemd_logind_sessions_t;
')
dontaudit $1 systemd_logind_sessions_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dontaudit_write_inherited_logind_sessions_pipes'($*)) dnl
')
######################################
##
## Write systemd inhibit pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_write_inhibit_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_write_inhibit_pipes'($*)) dnl
gen_require(`
type systemd_logind_inhibit_var_run_t;
')
allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_write_inhibit_pipes'($*)) dnl
')
########################################
##
## Allow process to mount directory with inhibit pipes
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_mounton_inhibit_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_mounton_inhibit_dir'($*)) dnl
gen_require(`
type systemd_logind_inhibit_var_run_t;
')
allow $1 systemd_logind_inhibit_var_run_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_mounton_inhibit_dir'($*)) dnl
')
########################################
##
## Send and receive messages from
## systemd logind over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_dbus_chat_logind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_logind'($*)) dnl
gen_require(`
type systemd_logind_t;
class dbus send_msg;
')
allow $1 systemd_logind_t:dbus send_msg;
allow systemd_logind_t $1:dbus send_msg;
ps_process_pattern(systemd_logind_t, $1)
allow systemd_logind_t $1:process signal;
allow $1 systemd_logind_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_logind'($*)) dnl
')
#######################################
##
## Execute a domain transition to run systemd-sysctl.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_domtrans_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_domtrans_sysctl'($*)) dnl
gen_require(`
type systemd_sysctl_t, systemd_sysctl_exec_t;
')
domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_domtrans_sysctl'($*)) dnl
')
#######################################
##
## Allow a domain to execute systemd-sysctl in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_exec_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_exec_sysctl'($*)) dnl
gen_require(`
type systemd_sysctl_exec_t;
')
can_exec($1,systemd_sysctl_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_exec_sysctl'($*)) dnl
')
#######################################
##
## Allow a domain to execute systemd-sysctl in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_tmpfiles_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_exec'($*)) dnl
gen_require(`
type systemd_tmpfiles_exec_t;
')
can_exec($1,systemd_tmpfiles_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_exec'($*)) dnl
')
#######################################
##
## Execute a domain transition to run systemd-tmpfiles.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_tmpfiles_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_domtrans'($*)) dnl
gen_require(`
type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
')
domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_domtrans'($*)) dnl
')
#######################################
##
## Allow caller nnp_transition to systemd_tmpfiles_t
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_tmpfiles_nnp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_nnp_domtrans'($*)) dnl
gen_require(`
type systemd_tmpfiles_t;
')
allow $1 systemd_tmpfiles_t:process2 nnp_transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_nnp_domtrans'($*)) dnl
')
#######################################
##
## Execute a domain transition to run systemd-localed.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_localed_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_localed_domtrans'($*)) dnl
gen_require(`
type systemd_localed_t, systemd_localed_exec_t;
')
domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_localed_domtrans'($*)) dnl
')
########################################
##
## Execute a domain transition to run systemd-tty-ask-password-agent.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_passwd_agent_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_domtrans'($*)) dnl
gen_require(`
type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
')
domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_domtrans'($*)) dnl
')
#######################################
##
## Execute systemd-tty-ask-password-agent in the caller domain
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_passwd_agent_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_exec'($*)) dnl
gen_require(`
type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
')
can_exec($1, systemd_passwd_agent_exec_t)
systemd_manage_passwd_run($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_exec'($*)) dnl
')
########################################
##
## Execute a domain transition to run systemd_rfkill.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rfkill_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rfkill_domtrans'($*)) dnl
gen_require(`
type systemd_rfkill_t, systemd_rfkill_exec_t;
')
domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rfkill_domtrans'($*)) dnl
')
########################################
##
## Mounton rfkill lib directory.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rfkill_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rfkill_mounton_var_lib'($*)) dnl
gen_require(`
type systemd_rfkill_var_lib_t;
')
allow $1 systemd_rfkill_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rfkill_mounton_var_lib'($*)) dnl
')
########################################
##
## Read systemd-rfkill lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rfkill_setattr_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rfkill_setattr_lib'($*)) dnl
gen_require(`
type systemd_rfkill_var_lib_t;
')
files_search_var_lib($1)
setattr_dirs_pattern($1, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rfkill_setattr_lib'($*)) dnl
')
########################################
##
## read systemd rfkill dir
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rfkill_read_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rfkill_read_lib_dirs'($*)) dnl
gen_require(`
type systemd_rfkill_var_lib_t;
')
list_dirs_pattern($1, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rfkill_read_lib_dirs'($*)) dnl
')
########################################
##
## manage systemd rfkill dir
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rfkill_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rfkill_manage_lib_dirs'($*)) dnl
gen_require(`
type systemd_rfkill_var_lib_t;
')
manage_dirs_pattern($1, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rfkill_manage_lib_dirs'($*)) dnl
')
########################################
##
## Mounton systemd timesync directory.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_timedated_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_timedated_mounton_var_lib'($*)) dnl
gen_require(`
type systemd_timedated_var_lib_t;
')
allow $1 systemd_timedated_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_timedated_mounton_var_lib'($*)) dnl
')
#######################################
##
## Get timedated service status
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_timedated_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_timedated_status'($*)) dnl
gen_require(`
type systemd_timedated_unit_file_t;
')
allow $1 systemd_timedated_unit_file_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_timedated_status'($*)) dnl
')
########################################
##
## manage systemd timesync dir
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_timedated_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_timedated_manage_lib_dirs'($*)) dnl
gen_require(`
type systemd_timedated_var_lib_t;
')
manage_dirs_pattern($1, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
read_lnk_files_pattern($1, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_timedated_manage_lib_dirs'($*)) dnl
')
########################################
##
## Execute a domain transition to run systemd_notify.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_notify_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_notify_domtrans'($*)) dnl
gen_require(`
type systemd_notify_t, systemd_notify_exec_t;
')
domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_notify_domtrans'($*)) dnl
')
########################################
##
## Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
## allow the specified role the systemd_passwd_agent domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the systemd_passwd_agent domain.
##
##
#
define(`systemd_passwd_agent_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_run'($*)) dnl
gen_require(`
type systemd_passwd_agent_t;
')
systemd_passwd_agent_domtrans($1)
role $2 types systemd_passwd_agent_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_run'($*)) dnl
')
########################################
##
## Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and
## allow the specified role the systemd_tmpfiles domain.
##
##
##
## Domain allowed access
##
##
##
##
## The role to be allowed the systemd_tmpfiles domain.
##
##
#
define(`systemd_tmpfiles_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_run'($*)) dnl
gen_require(`
type systemd_tmpfiles_t;
')
systemd_tmpfiles_domtrans($1)
role $2 types systemd_tmpfiles_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_run'($*)) dnl
')
########################################
##
## Role access for systemd_passwd_agent
##
##
##
## Role allowed access
##
##
##
##
## User domain for the role
##
##
#
define(`systemd_passwd_agent_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_role'($*)) dnl
gen_require(`
type systemd_passwd_agent_t;
')
role $1 types systemd_passwd_agent_t;
systemd_passwd_agent_domtrans($2)
ps_process_pattern($2, systemd_passwd_agent_t)
allow $2 systemd_passwd_agent_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_role'($*)) dnl
')
########################################
##
## Send generic signals to systemd_passwd_agent processes.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_signal_passwd_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_signal_passwd_agent'($*)) dnl
gen_require(`
type systemd_passwd_agent_t;
')
allow $1 systemd_passwd_agent_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_signal_passwd_agent'($*)) dnl
')
######################################
##
## Allow to domain to read systemd-passwd pipe
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_read_fifo_file_passwd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_fifo_file_passwd_run'($*)) dnl
gen_require(`
type systemd_passwd_var_run_t;
')
init_search_pid_dirs($1)
read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_fifo_file_passwd_run'($*)) dnl
')
########################################
##
## Relabel to user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_relabelto_fifo_file_passwd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabelto_fifo_file_passwd_run'($*)) dnl
gen_require(`
type systemd_passwd_var_run_t;
')
allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabelto_fifo_file_passwd_run'($*)) dnl
')
########################################
##
## Watch systemd-passwd pid dirs
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_passwd_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_watch_pid_dirs'($*)) dnl
gen_require(`
type systemd_passwd_var_run_t;
')
allow $1 systemd_passwd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_watch_pid_dirs'($*)) dnl
')
#######################################
##
## Relabel systemd unit directories
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_relabel_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabel_unit_dirs'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabel_unit_dirs'($*)) dnl
')
#######################################
##
## Relabel systemd unit files
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_relabel_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabel_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabel_unit_files'($*)) dnl
')
#######################################
##
## Relabel systemd unit link files
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_relabel_unit_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabel_unit_symlinks'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
relabel_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabel_unit_symlinks'($*)) dnl
')
#######################################
##
## Send generic signals to systemd_passwd_agent processes.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_passwd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_passwd_run'($*)) dnl
gen_require(`
type systemd_passwd_agent_t;
type systemd_passwd_var_run_t;
')
init_search_pid_dirs($1)
manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
allow systemd_passwd_agent_t $1:process signull;
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_passwd_run'($*)) dnl
')
######################################
##
## Template for temporary sockets and files in /dev/.systemd/ask-password
## which are used by systemd-passwd-agent
##
##
##
## The prefix of the domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`systemd_passwd_agent_dev_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_dev_template'($*)) dnl
gen_require(`
type systemd_passwd_agent_t;
')
type systemd_$1_device_t;
files_type(systemd_$1_device_t)
dev_associate(systemd_$1_device_t)
dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
allow $1_t systemd_$1_device_t:file manage_file_perms;
allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
allow systemd_passwd_agent_t $1_t:process signull;
allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_dev_template'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to
## systemd_logger with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_logger_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_logger_stream_connect'($*)) dnl
gen_require(`
type systemd_logger_t;
')
allow $1 systemd_logger_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_logger_stream_connect'($*)) dnl
')
########################################
##
## manage systemd unit dirs
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_unit_dirs'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_unit_dirs'($*)) dnl
')
########################################
##
## manage systemd unit link files
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_unit_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_unit_symlinks'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_unit_symlinks'($*)) dnl
')
########################################
##
## manage all systemd unit files
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_all_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_all_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_all_unit_files'($*)) dnl
')
########################################
##
## manage all systemd unit lnk_files
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_all_unit_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_all_unit_lnk_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_all_unit_lnk_files'($*)) dnl
')
########################################
##
## Allow the specified domain to start all systemd services.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_start_all_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_all_services'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
allow $1 systemd_unit_file_type:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_all_services'($*)) dnl
')
#######################################
##
## Allow the specified domain to reload all systemd services.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_reload_all_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_reload_all_services'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
allow $1 systemd_unit_file_type:service reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_reload_all_services'($*)) dnl
')
########################################
##
## Allow the specified domain to modify the systemd configuration of
## all systemd services
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_config_all_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_all_services'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
allow $1 systemd_unit_file_type:service all_service_perms;
init_config_all_script_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_all_services'($*)) dnl
')
########################################
##
## Allow the specified domain to start systemd services.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_start_systemd_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_systemd_services'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
allow $1 systemd_unit_file_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_systemd_services'($*)) dnl
')
#######################################
##
## Allow the specified domain to reload all systemd services.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_reload_systemd_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_reload_systemd_services'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
allow $1 systemd_unit_file_t:service reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_reload_systemd_services'($*)) dnl
')
########################################
##
## Allow the specified domain to modify the systemd configuration of
## all systemd services
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_config_systemd_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_systemd_services'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
allow $1 systemd_unit_file_t:service all_service_perms;
init_config_all_script_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_systemd_services'($*)) dnl
')
########################################
##
## manage all systemd random seed file
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_random_seed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_random_seed'($*)) dnl
gen_require(`
type random_seed_t;
')
allow $1 random_seed_t:file manage_file_perms;
files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_random_seed'($*)) dnl
')
########################################
##
## Allow process to read hostname config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_hostnamed_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_read_config'($*)) dnl
gen_require(`
type hostname_etc_t;
')
files_search_etc($1)
allow $1 hostname_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_read_config'($*)) dnl
')
########################################
##
## Allow process to manage hostname config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_hostnamed_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_manage_config'($*)) dnl
gen_require(`
type hostname_etc_t;
')
files_search_etc($1)
allow $1 hostname_etc_t:file manage_file_perms;
files_etc_filetrans($1, hostname_etc_t, file, "hostname")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_manage_config'($*)) dnl
')
########################################
##
## Allow process to delete hostname config file.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_hostnamed_delete_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_delete_config'($*)) dnl
gen_require(`
type hostname_etc_t;
')
init_delete_pid_dir_entry($1)
allow $1 hostname_etc_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_delete_config'($*)) dnl
')
#######################################
##
## Create objects in /run/systemd/generator directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`systemd_unit_file_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_unit_file_filetrans'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
files_search_pids($1)
filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_unit_file_filetrans'($*)) dnl
')
#######################################
##
## Create a directory in the /usr/lib/systemd/system directory.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_create_unit_file_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_create_unit_file_dirs'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_create_unit_file_dirs'($*)) dnl
')
#######################################
##
## Create a link in the /usr/lib/systemd/system directory.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_create_unit_file_lnk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_create_unit_file_lnk'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_create_unit_file_lnk'($*)) dnl
')
########################################
##
## Transition to systemd named content
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_filetrans_named_content'($*)) dnl
gen_require(`
type systemd_passwd_var_run_t;
type systemd_logind_var_run_t;
type hostname_etc_t;
type systemd_home_t;
type systemd_rfkill_var_lib_t;
')
files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown")
init_named_pid_filetrans($1, hostname_etc_t, file, "default-hostname")
init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_filetrans_named_content'($*)) dnl
')
########################################
##
## read systemd homedir content
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_home_content'($*)) dnl
gen_require(`
type systemd_home_t;
')
optional_policy(`
gnome_search_gconf_data_dir($1)
')
read_files_pattern($1, systemd_home_t, systemd_home_t)
read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_home_content'($*)) dnl
')
########################################
##
## Manage systemd homedir content
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_home_content'($*)) dnl
gen_require(`
type systemd_home_t;
')
optional_policy(`
gnome_search_gconf_data_dir($1)
')
manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
manage_files_pattern($1, systemd_home_t, systemd_home_t)
manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
systemd_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_home_content'($*)) dnl
')
########################################
##
## Transition to systemd named content
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_filetrans_home_content'($*)) dnl
gen_require(`
type systemd_home_t;
')
optional_policy(`
gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_filetrans_home_content'($*)) dnl
')
########################################
##
## Transition to systemd named content for /etc/hostname
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_filetrans_named_hostname',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_filetrans_named_hostname'($*)) dnl
gen_require(`
type hostname_etc_t;
')
files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_filetrans_named_hostname'($*)) dnl
')
########################################
##
## Get the system status information from systemd_login
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_status'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:system status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_status'($*)) dnl
')
########################################
##
## Send systemd_login a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_signull'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_signull'($*)) dnl
')
########################################
##
## Send systemd_hostnamed a null signal.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_hostnamed_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_signull'($*)) dnl
gen_require(`
type systemd_hostnamed_t;
')
allow $1 systemd_hostnamed_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_signull'($*)) dnl
')
########################################
##
## Tell systemd_login to reboot the system.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_reboot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_reboot'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:system reboot;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_reboot'($*)) dnl
')
########################################
##
## Tell systemd_login to halt the system.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_halt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_halt'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:system halt;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_halt'($*)) dnl
')
########################################
##
## Tell systemd_login to do an unknown access.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_login_undefined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_undefined'($*)) dnl
gen_require(`
type systemd_logind_t;
')
allow $1 systemd_logind_t:system undefined;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_undefined'($*)) dnl
')
########################################
##
## Configure generic unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_config_generic_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_generic_services'($*)) dnl
gen_require(`
type systemd_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 systemd_unit_file_t:file read_file_perms;
allow $1 systemd_unit_file_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_generic_services'($*)) dnl
')
########################################
##
## Configure power unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_config_power_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_power_services'($*)) dnl
gen_require(`
type power_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 power_unit_file_t:file read_file_perms;
allow $1 power_unit_file_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_power_services'($*)) dnl
')
########################################
##
## Start power unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_start_power_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_power_services'($*)) dnl
gen_require(`
type power_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 power_unit_file_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_power_services'($*)) dnl
')
########################################
##
## Status power unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_status_power_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_status_power_services'($*)) dnl
gen_require(`
type power_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 power_unit_file_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_status_power_services'($*)) dnl
')
#######################################
##
## Start power unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_start_all_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_all_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
systemd_exec_systemctl($1)
allow $1 systemd_unit_file_type:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_all_unit_files'($*)) dnl
')
#######################################
##
## Start power unit files domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`systemd_status_all_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_status_all_unit_files'($*)) dnl
gen_require(`
attribute systemd_unit_file_type;
')
systemd_exec_systemctl($1)
allow $1 systemd_unit_file_type:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_status_all_unit_files'($*)) dnl
')
########################################
##
## Send and receive messages from
## systemd timedated over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_dbus_chat_timedated',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_timedated'($*)) dnl
gen_require(`
type systemd_timedated_t;
class dbus send_msg;
')
allow $1 systemd_timedated_t:dbus send_msg;
allow systemd_timedated_t $1:dbus send_msg;
ps_process_pattern(systemd_timedated_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_timedated'($*)) dnl
')
########################################
##
## Send and receive messages from
## systemd hostnamed over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_dbus_chat_hostnamed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_hostnamed'($*)) dnl
gen_require(`
type systemd_hostnamed_t;
class dbus send_msg;
')
allow $1 systemd_hostnamed_t:dbus send_msg;
allow systemd_hostnamed_t $1:dbus send_msg;
ps_process_pattern(systemd_hostnamed_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_hostnamed'($*)) dnl
')
########################################
##
## Send and receive messages from
## systemd localed over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_dbus_chat_localed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_localed'($*)) dnl
gen_require(`
type systemd_localed_t;
class dbus send_msg;
')
allow $1 systemd_localed_t:dbus send_msg;
allow systemd_localed_t $1:dbus send_msg;
ps_process_pattern(systemd_localed_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_localed'($*)) dnl
')
########################################
##
## Dontaudit attempts to send dbus domains chat messages
##
##
##
## Domain to not audit.
##
##
#
define(`systemd_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dontaudit_dbus_chat'($*)) dnl
gen_require(`
attribute systemd_domain;
class dbus send_msg;
')
dontaudit $1 systemd_domain:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dontaudit_dbus_chat'($*)) dnl
')
######################################
##
## Read systemd-machined PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_read_pid_files'($*)) dnl
gen_require(`
type systemd_machined_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_read_pid_files'($*)) dnl
')
######################################
##
## Manage systemd-machined PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_manage_pid_files'($*)) dnl
gen_require(`
type systemd_machined_var_run_t;
')
files_search_pids($1)
manage_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_manage_pid_files'($*)) dnl
')
######################################
##
## List systemd-machined PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_list_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_list_pid_dirs'($*)) dnl
gen_require(`
type systemd_machined_var_run_t;
')
files_search_pids($1)
list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_list_pid_dirs'($*)) dnl
')
######################################
##
## Watch systemd-machined PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_watch_pid_dirs'($*)) dnl
gen_require(`
type systemd_machined_var_run_t;
')
files_search_pids($1)
allow $1 systemd_machined_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_watch_pid_dirs'($*)) dnl
')
########################################
##
## Search systemd-machined lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_search_lib'($*)) dnl
gen_require(`
type systemd_machined_var_lib_t;
')
allow $1 systemd_machined_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_search_lib'($*)) dnl
')
########################################
##
## Read systemd-machined lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_read_lib_files'($*)) dnl
gen_require(`
type systemd_machined_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_read_lib_files'($*)) dnl
')
########################################
##
## Manage systemd-machined lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_manage_lib_files'($*)) dnl
gen_require(`
type systemd_machined_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_manage_lib_files'($*)) dnl
')
########################################
##
## Read and write systemd-machined devpts character nodes.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_rw_devpts_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_rw_devpts_chr_files'($*)) dnl
gen_require(`
type devpts_t, systemd_machined_devpts_t;
')
rw_chr_files_pattern($1, devpts_t, systemd_machined_devpts_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_rw_devpts_chr_files'($*)) dnl
')
########################################
##
## Allow the specified domain to connect to
## systemd_machined with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_machined_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_stream_connect'($*)) dnl
gen_require(`
type systemd_machined_t;
')
allow $1 systemd_machined_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_stream_connect'($*)) dnl
')
########################################
##
## Send and receive messages from
## systemd machined over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_dbus_chat_machined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_machined'($*)) dnl
gen_require(`
type systemd_machined_t;
class dbus send_msg;
')
allow $1 systemd_machined_t:dbus send_msg;
allow systemd_machined_t $1:dbus send_msg;
ps_process_pattern(systemd_machined_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_machined'($*)) dnl
')
#######################################
##
## Execute a domain transition to run systemd-coredump.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_coredump_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_coredump_domtrans'($*)) dnl
gen_require(`
type systemd_coredump_t, systemd_coredump_exec_t;
')
domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_coredump_domtrans'($*)) dnl
')
########################################
##
## Mmap to systemd-coredump temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_map_coredump_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_coredump_tmpfs_files'($*)) dnl
gen_require(`
type systemd_coredump_tmpfs_t;
')
allow $1 systemd_coredump_tmpfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_coredump_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write to systemd-coredump temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rw_coredump_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rw_coredump_tmpfs_files'($*)) dnl
gen_require(`
type systemd_coredump_tmpfs_t;
')
allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rw_coredump_tmpfs_files'($*)) dnl
')
########################################
##
## Mmap to systemd-bootchart temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_map_bootchart_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_bootchart_tmpfs_files'($*)) dnl
gen_require(`
type systemd_bootchart_tmpfs_t;
')
allow $1 systemd_bootchart_tmpfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_bootchart_tmpfs_files'($*)) dnl
')
########################################
##
## Read and write to systemd-bootchart temporary file system.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_rw_bootchart_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rw_bootchart_tmpfs_files'($*)) dnl
gen_require(`
type systemd_bootchart_tmpfs_t;
')
allow $1 systemd_bootchart_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rw_bootchart_tmpfs_files'($*)) dnl
')
########################################
##
## Allow process to read hwdb config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_hwdb_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hwdb_read_config'($*)) dnl
gen_require(`
type systemd_hwdb_etc_t;
')
files_search_etc($1)
allow $1 systemd_hwdb_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hwdb_read_config'($*)) dnl
')
########################################
##
## Allow process to mmap hwdb config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_hwdb_mmap_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hwdb_mmap_config'($*)) dnl
gen_require(`
type systemd_hwdb_etc_t;
')
allow $1 systemd_hwdb_etc_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hwdb_mmap_config'($*)) dnl
')
########################################
##
## Allow process to manage hwdb config file.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_hwdb_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hwdb_manage_config'($*)) dnl
gen_require(`
type systemd_hwdb_etc_t;
')
files_search_etc($1)
manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
files_etc_filetrans($1, systemd_hwdb_etc_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hwdb_manage_config'($*)) dnl
')
########################################
##
## Allow process to mount directory configured in a
## systemd unit as ReadWriteDirectory or ReadOnlyDirectory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_allow_mount_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_allow_mount_dir'($*)) dnl
gen_require(`
attribute systemd_mount_directory;
')
allow $1 systemd_mount_directory:dir { list_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_allow_mount_dir'($*)) dnl
')
########################################
##
## Allow process to create directory configured in a
## systemd unit as ReadWriteDirectory or ReadOnlyDirectory.
##
##
##
## Domain allowed access.
##
##
##
#
define(`systemd_allow_create_mount_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_allow_create_mount_dir'($*)) dnl
gen_require(`
attribute systemd_mount_directory;
')
allow $1 systemd_mount_directory:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_allow_create_mount_dir'($*)) dnl
')
########################################
##
## Mark the following type as mountable by systemd.
##
##
##
## Type to be authorized to be mounted
##
##
##
#
define(`systemd_mount_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_mount_dir'($*)) dnl
gen_require(`
attribute systemd_mount_directory;
')
files_type($1)
typeattribute $1 systemd_mount_directory;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_mount_dir'($*)) dnl
')
########################################
##
## Mmap systemd_networkd_exec_t files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_map_networkd_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_networkd_exec_files'($*)) dnl
gen_require(`
type systemd_networkd_exec_t;
')
allow $1 systemd_networkd_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_networkd_exec_files'($*)) dnl
')
########################################
##
## Watch systemd_networkd PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_networkd_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_networkd_watch_pid_dirs'($*)) dnl
gen_require(`
type systemd_networkd_var_run_t;
')
init_search_pid_dirs($1)
allow $1 systemd_networkd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_networkd_watch_pid_dirs'($*)) dnl
')
########################################
##
## Mmap systemd_resolved_exec_t files.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_map_resolved_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_resolved_exec_files'($*)) dnl
gen_require(`
type systemd_resolved_exec_t;
')
allow $1 systemd_resolved_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_resolved_exec_files'($*)) dnl
')
########################################
##
## Exchange messages with
## systemd resolved over dbus or varlink.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_chat_resolved',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_chat_resolved'($*)) dnl
gen_require(`
type systemd_resolved_t;
class dbus send_msg;
')
allow $1 systemd_resolved_t:dbus send_msg;
allow $1 systemd_resolved_t:unix_stream_socket connectto;
allow systemd_resolved_t $1:dbus send_msg;
ps_process_pattern(systemd_resolved_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_chat_resolved'($*)) dnl
')
########################################
##
## Exchange messages with
## systemd resolved over dbus (deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_dbus_chat_resolved',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_resolved'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use systemd_chat_resolved() instead.')
systemd_chat_resolved($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_resolved'($*)) dnl
')
######################################
##
## Make the specified type usable as a systemd private tmp type.
##
##
##
## Type to be used as a private tmp type.
##
##
#
define(`systemd_private_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_private_tmp'($*)) dnl
gen_require(`
attribute systemd_private_tmp_type;
')
typeattribute $1 systemd_private_tmp_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_private_tmp'($*)) dnl
')
#######################################
##
## Delete filesystem objects with systemd_delete_private_tmp attribute
##
##
##
## Domain allowed access
##
##
#
define(`systemd_delete_private_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_delete_private_tmp'($*)) dnl
gen_require(`
attribute systemd_private_tmp_type;
')
delete_dirs_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
delete_fifo_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
delete_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
delete_lnk_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
delete_sock_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_delete_private_tmp'($*)) dnl
')
#
######################################
##
## Make the specified type usable as a systemd read efivarfs type.
##
##
##
## Type to be used as a read efivarfs type.
##
##
#
define(`systemd_read_efivarfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_efivarfs'($*)) dnl
gen_require(`
attribute systemd_read_efivarfs_type;
')
typeattribute $1 systemd_read_efivarfs_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_efivarfs'($*)) dnl
')
#######################################
##
## Create objects in the pid directory
## with a private type with a type transition.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_userdbd_runtime_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_userdbd_runtime_filetrans'($*)) dnl
gen_require(`
type init_var_run_t;
type systemd_userdbd_runtime_t;
')
filetrans_pattern($1, init_var_run_t, systemd_userdbd_runtime_t, dir, "userdb")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_userdbd_runtime_filetrans'($*)) dnl
')
#######################################
##
## Manage systemd-userdbd data symlinks.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_userdbd_runtime_manage_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_userdbd_runtime_manage_symlinks'($*)) dnl
gen_require(`
type systemd_userdbd_runtime_t;
')
manage_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t);
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_userdbd_runtime_manage_symlinks'($*)) dnl
')
#######################################
##
## Connect to systemd-userdbd with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_userdbd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_userdbd_stream_connect'($*)) dnl
gen_require(`
type systemd_userdbd_t;
type systemd_userdbd_runtime_t;
')
files_search_pids($1)
list_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
read_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
write_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
allow $1 systemd_userdbd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_userdbd_stream_connect'($*)) dnl
')
#######################################
##
## Manage named sockets in userdbd runtime directory
##
##
##
## Domain allowed access.
##
##
#
define(`systemd_manage_userdbd_runtime_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_userdbd_runtime_sock_files'($*)) dnl
gen_require(`
type systemd_userdbd_runtime_t;
')
manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_userdbd_runtime_sock_files'($*)) dnl
')
## Policy for udev.
########################################
##
## Send generic signals to udev.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_signal'($*)) dnl
gen_require(`
type udev_t;
')
allow $1 udev_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_signal'($*)) dnl
')
########################################
##
## Execute udev in the udev domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`udev_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_domtrans'($*)) dnl
gen_require(`
type udev_t, udev_exec_t;
')
domtrans_pattern($1, udev_exec_t, udev_t)
allow $1 udev_t:process noatsecure;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_domtrans'($*)) dnl
')
########################################
##
## Execute udev in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_exec'($*)) dnl
gen_require(`
type udev_exec_t;
')
can_exec($1, udev_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_exec'($*)) dnl
')
########################################
##
## Execute a udev helper in the udev domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`udev_helper_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_helper_domtrans'($*)) dnl
gen_require(`
type udev_t, udev_helper_exec_t;
')
domtrans_pattern($1, udev_helper_exec_t, udev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_helper_domtrans'($*)) dnl
')
########################################
##
## Allow process to read udev process state.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_read_state'($*)) dnl
gen_require(`
type udev_t;
')
kernel_search_proc($1)
ps_process_pattern($1, udev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_read_state'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit a
## udev file descriptor.
##
##
##
## Domain to not audit.
##
##
#
define(`udev_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_use_fds'($*)) dnl
gen_require(`
type udev_t;
')
dontaudit $1 udev_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_use_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to read or write
## to a udev unix datagram socket.
##
##
##
## Domain to not audit.
##
##
#
define(`udev_dontaudit_rw_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_rw_dgram_sockets'($*)) dnl
gen_require(`
type udev_t;
')
dontaudit $1 udev_t:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_rw_dgram_sockets'($*)) dnl
')
########################################
##
## Getattr udev rules chr files
##
##
##
## Domain allowed access.
##
##
#
define(`udev_getattr_rules_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_getattr_rules_chr_files'($*)) dnl
gen_require(`
type udev_rules_t;
')
getattr_chr_files_pattern($1, udev_rules_t, udev_rules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_getattr_rules_chr_files'($*)) dnl
')
########################################
##
## Manage udev rules files
##
##
##
## Domain allowed access.
##
##
#
define(`udev_manage_rules_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_manage_rules_files'($*)) dnl
gen_require(`
type udev_rules_t;
')
manage_files_pattern($1, udev_rules_t, udev_rules_t)
files_search_etc($1)
udev_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_manage_rules_files'($*)) dnl
')
########################################
##
## Do not audit search of udev database directories.
##
##
##
## Domain to not audit.
##
##
#
define(`udev_dontaudit_search_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_search_db'($*)) dnl
gen_require(`
type udev_var_run_t;
')
dontaudit $1 udev_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_search_db'($*)) dnl
')
########################################
##
## Read the udev device table.
##
##
##
## Allow the specified domain to read the udev device table.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`udev_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_read_db'($*)) dnl
udev_read_pid_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_read_db'($*)) dnl
')
########################################
##
## Allow process to modify list of devices.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_rw_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_rw_db'($*)) dnl
gen_require(`
type udev_var_run_t;
')
files_search_pids($1)
dev_list_all_dev_nodes($1)
rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_rw_db'($*)) dnl
')
########################################
##
## Allow process to modify relabelto udev database
##
##
##
## Domain allowed access.
##
##
#
define(`udev_relabelto_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_relabelto_db'($*)) dnl
gen_require(`
type udev_var_run_t;
')
files_search_pids($1)
allow $1 udev_var_run_t:file relabelto_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_relabelto_db'($*)) dnl
')
########################################
##
## Relabel the udev sock_file.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_relabel_pid_sockfile',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_relabel_pid_sockfile'($*)) dnl
gen_require(`
type udev_var_run_t;
')
allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_relabel_pid_sockfile'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## udev pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_read_pid_files'($*)) dnl
gen_require(`
type udev_var_run_t;
')
dev_list_all_dev_nodes($1)
files_search_pids($1)
allow $1 udev_var_run_t:dir list_dir_perms;
read_files_pattern($1, udev_var_run_t, udev_var_run_t)
read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_read_pid_files'($*)) dnl
')
########################################
##
## Search through udev pid content
##
##
##
## Domain allowed access.
##
##
#
define(`udev_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_search_pids'($*)) dnl
gen_require(`
type udev_var_run_t;
')
files_search_pids($1)
search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_search_pids'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## udev pid directories
##
##
##
## Domain allowed access.
##
##
#
define(`udev_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_manage_pid_dirs'($*)) dnl
gen_require(`
type udev_var_run_t;
')
files_search_var($1)
manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_manage_pid_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete
## udev pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`udev_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_manage_pid_files'($*)) dnl
gen_require(`
type udev_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_manage_pid_files'($*)) dnl
')
#######################################
##
## Execute udev in the udev domain, and
## allow the specified role the udev domain.
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed the iptables domain.
##
##
##
#
define(`udev_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_run'($*)) dnl
gen_require(`
type udev_t;
')
udev_domtrans($1)
role $2 types udev_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_run'($*)) dnl
')
#######################################
##
## Allow caller to create kobject uevent socket for udev
##
##
##
## Domain allowed access.
##
##
#
define(`udev_create_kobject_uevent_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_create_kobject_uevent_socket'($*)) dnl
gen_require(`
type udev_t;
role system_r;
')
allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_create_kobject_uevent_socket'($*)) dnl
')
########################################
##
## Create a domain for processes
## which can be started by udev.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`udev_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_system_domain'($*)) dnl
gen_require(`
type udev_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(udev_t, $2, $1)
dontaudit $1 udev_t:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_system_domain'($*)) dnl
')
########################################
##
## Create directories in the run location with udev_var_run_t type
##
##
##
## Domain allowed access.
##
##
##
##
## Name of the directory that is created
##
##
#
define(`udev_generic_pid_filetrans_run_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_generic_pid_filetrans_run_dirs'($*)) dnl
gen_require(`
type udev_var_run_t;
')
files_pid_filetrans($1, udev_var_run_t, dir, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_generic_pid_filetrans_run_dirs'($*)) dnl
')
## The unconfined domain.
########################################
##
## Make the specified domain unconfined.
##
##
##
## Domain to make unconfined.
##
##
#
define(`unconfined_domain_noaudit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domain_noaudit'($*)) dnl
gen_require(`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
')
# Use any Linux capability.
allow $1 self:capability ~{ sys_module };
allow $1 self:capability2 ~{ mac_admin mac_override };
allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process { dyntransition transition };
# Write access is for setting attributes under /proc/self/attr.
allow $1 self:file manage_file_perms;
allow $1 self:dir rw_dir_perms;
allow $1 self:lockdown { confidentiality integrity };
# Userland object managers
allow $1 self:nscd all_nscd_perms;
allow $1 self:dbus all_dbus_perms;
allow $1 self:passwd all_passwd_perms;
allow $1 self:association all_association_perms;
allow $1 self:socket_class_set create_socket_perms;
kernel_unconfined($1)
corenet_unconfined($1)
dev_unconfined($1)
domain_unconfined($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
systemd_config_all_services($1)
domain_mmap_low($1)
domain_named_filetrans($1)
ubac_process_exempt($1)
tunable_policy(`selinuxuser_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
')
tunable_policy(`deny_execmem',`',`
# Allow making anonymous memory executable, e.g.
# for runtime-code generation or executable stack.
allow $1 self:process execmem;
')
tunable_policy(`selinuxuser_execstack',`
allow $1 self:process execstack;
# auditallow $1 self:process execstack;
')
optional_policy(`
auth_unconfined($1)
')
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
dbus_unconfined($1)
')
optional_policy(`
ipsec_setcontext_default_spd($1)
ipsec_match_default_spd($1)
')
optional_policy(`
nscd_unconfined($1)
')
optional_policy(`
postgresql_unconfined($1)
')
optional_policy(`
seutil_create_bin_policy($1)
seutil_relabelto_bin_policy($1)
')
optional_policy(`
storage_unconfined($1)
')
optional_policy(`
xserver_unconfined($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domain_noaudit'($*)) dnl
')
########################################
##
## Make the specified domain unconfined and
## audit executable heap usage.
##
##
##
## Make the specified domain unconfined and
## audit executable heap usage. With exception
## of memory protections, usage of this interface
## will result in the level of access the domain has
## is like SELinux was not being used.
##
##
## Only completely trusted domains should use this interface.
##
##
##
##
## Domain to make unconfined.
##
##
#
define(`unconfined_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domain'($*)) dnl
gen_require(`
attribute unconfined_services;
')
unconfined_domain_noaudit($1)
tunable_policy(`selinuxuser_execheap',`
auditallow $1 self:process execheap;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_domain'($*)) dnl
')
########################################
##
## Add an alias type to the unconfined domain. (Deprecated)
##
##
##
## Add an alias type to the unconfined domain. (Deprecated)
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## New alias of the unconfined domain.
##
##
#
define(`unconfined_alias_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_alias_domain'($*)) dnl
refpolicywarn(`$0() has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_alias_domain'($*)) dnl
')
########################################
##
## Add an alias type to the unconfined execmem
## program file type. (Deprecated)
##
##
##
## Add an alias type to the unconfined execmem
## program file type. (Deprecated)
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## New alias of the unconfined execmem program type.
##
##
#
define(`unconfined_execmem_alias_program',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_execmem_alias_program'($*)) dnl
refpolicywarn(`$0() has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_execmem_alias_program'($*)) dnl
')
########################################
##
## Connect to unconfined_server with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_stream_connect'($*)) dnl
gen_require(`
type unconfined_service_t;
')
files_search_pids($1)
files_write_generic_pid_pipes($1)
allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_stream_connect'($*)) dnl
')
########################################
##
## Connect to unconfined_server with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_domtrans'($*)) dnl
gen_require(`
type unconfined_service_t;
')
corecmd_bin_domtrans($1, unconfined_service_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_domtrans'($*)) dnl
')
########################################
##
## Allow caller domain to dbus chat unconfined_server.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_dbus_chat'($*)) dnl
gen_require(`
type unconfined_service_t;
class dbus send_msg;
')
allow $1 unconfined_service_t:dbus send_msg;
allow unconfined_service_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_dbus_chat'($*)) dnl
')
########################################
##
## Send signull to unconfined_service_t.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_signull'($*)) dnl
gen_require(`
type unconfined_service_t;
')
allow $1 unconfined_service_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_signull'($*)) dnl
')
########################################
##
## Allow noatsecure.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_noatsecure'($*)) dnl
gen_require(`
type unconfined_service_t;
')
allow $1 unconfined_service_t:process { noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_noatsecure'($*)) dnl
')
########################################
##
## Create unconfined_service_t TCP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_create_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_create_tcp_sockets'($*)) dnl
gen_require(`
type unconfined_service_t;
')
allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_create_tcp_sockets'($*)) dnl
')
########################################
##
## Create unconfined_service_t UDP sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_create_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_create_udp_sockets'($*)) dnl
gen_require(`
type unconfined_service_t;
')
allow $1 unconfined_service_t:udp_socket create_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_create_udp_sockets'($*)) dnl
')
########################################
##
## Create unconfined_service_t UNIX sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`unconfined_server_create_unix_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_create_unix_sockets'($*)) dnl
gen_require(`
type unconfined_service_t;
')
allow $1 unconfined_service_t:unix_stream_socket create_stream_socket_perms;
allow $1 unconfined_service_t:unix_dgram_socket create_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_create_unix_sockets'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
# unconfined service domain unnamed pipes.
##
##
##
## Domain to not audit.
##
##
#
define(`unconfined_server_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_server_dontaudit_rw_pipes'($*)) dnl
gen_require(`
type unconfined_service_t;
')
dontaudit $1 unconfined_service_t:fifo_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_server_dontaudit_rw_pipes'($*)) dnl
')
## Policy for user domains
#######################################
##
## The template containing the most basic rules common to all users.
##
##
##
## The template containing the most basic rules common to all users.
##
##
## This template creates a user domain, types, and
## rules for the user's tty and pty.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_base_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_base_user_template'($*)) dnl
gen_require(`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
')
attribute $1_file_type;
attribute $1_usertype;
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
role $1_r;
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
role $1_r;
role $1_r types $1_t;
allow system_r $1_r;
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
term_dontaudit_getattr_generic_ptys($1_t)
allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
tunable_policy(`deny_ptrace',`',`
allow $1_usertype $1_usertype:process ptrace;
')
allow $1_usertype $1_usertype:fd use;
allow $1_usertype $1_t:key { create view read write search link setattr };
allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_usertype $1_usertype:shm create_shm_perms;
allow $1_usertype $1_usertype:sem create_sem_perms;
allow $1_usertype $1_usertype:msgq create_msgq_perms;
allow $1_usertype $1_usertype:msg { send receive };
allow $1_usertype $1_usertype:context contains;
dontaudit $1_usertype $1_usertype:socket create;
allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
term_create_pty($1_usertype, user_devpts_t)
# avoid annoying messages on terminal hangup on role change
dontaudit $1_usertype user_devpts_t:chr_file ioctl;
allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
# avoid annoying messages on terminal hangup on role change
dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
application_exec_all($1_usertype)
kernel_read_kernel_sysctls($1_usertype)
kernel_read_all_sysctls($1_usertype)
kernel_dontaudit_list_unlabeled($1_usertype)
kernel_dontaudit_getattr_unlabeled_files($1_usertype)
kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
kernel_dontaudit_list_proc($1_usertype)
dev_dontaudit_getattr_all_blk_files($1_usertype)
dev_dontaudit_getattr_all_chr_files($1_usertype)
dev_getattr_mtrr_dev($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_usertype)
domain_dontaudit_getattr_all_domains($1_usertype)
domain_dontaudit_getsession_all_domains($1_usertype)
dev_dontaudit_all_access_check($1_usertype)
files_read_etc_files($1_usertype)
files_list_mnt($1_usertype)
files_list_var($1_usertype)
files_read_mnt_files($1_usertype)
files_dontaudit_all_access_check($1_usertype)
files_read_etc_runtime_files($1_usertype)
files_read_usr_files($1_usertype)
files_read_usr_src_files($1_usertype)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_usertype)
files_read_world_readable_files($1_usertype)
files_read_world_readable_symlinks($1_usertype)
files_read_world_readable_pipes($1_usertype)
files_read_world_readable_sockets($1_usertype)
# old broswer_domain():
files_dontaudit_getattr_all_dirs($1_usertype)
files_dontaudit_list_non_security($1_usertype)
files_dontaudit_getattr_all_files($1_usertype)
files_dontaudit_getattr_non_security_symlinks($1_usertype)
files_dontaudit_getattr_non_security_pipes($1_usertype)
files_dontaudit_getattr_non_security_sockets($1_usertype)
files_dontaudit_setattr_etc_runtime_files($1_usertype)
files_exec_usr_files($1_t)
fs_list_cgroup_dirs($1_usertype)
fs_dontaudit_rw_cgroup_files($1_usertype)
fs_read_tmpfs_symlinks($1_usertype)
storage_rw_fuse($1_usertype)
init_stream_connect($1_usertype)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp($1_usertype)
libs_exec_ld_so($1_usertype)
miscfiles_read_generic_certs($1_t)
miscfiles_read_all_certs($1_usertype)
miscfiles_read_public_files($1_usertype)
systemd_dbus_chat_logind($1_usertype)
systemd_read_logind_sessions_files($1_usertype)
systemd_write_inhibit_pipes($1_usertype)
systemd_write_inherited_logind_sessions_pipes($1_usertype)
systemd_login_read_pid_files($1_usertype)
tunable_policy(`deny_execmem',`', `
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
')
tunable_policy(`selinuxuser_execstack',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
optional_policy(`
abrt_stream_connect($1_usertype)
')
optional_policy(`
fs_list_cgroup_dirs($1_usertype)
')
optional_policy(`
ssh_rw_stream_sockets($1_usertype)
ssh_rw_dgram_sockets($1_usertype)
ssh_delete_tmp($1_t)
ssh_signal($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_base_user_template'($*)) dnl
')
#######################################
##
## Allow a home directory for which the
## role has read-only access.
##
##
##
## Allow a home directory for which the
## role has read-only access.
##
##
## This does not allow execute access.
##
##
##
##
## The user role
##
##
##
##
## The user domain
##
##
##
#
define(`userdom_ro_home_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_ro_home_role'($*)) dnl
gen_require(`
type user_home_t, user_home_dir_t;
')
role $1 types { user_home_t user_home_dir_t };
##############################
#
# Domain access to home dir
#
type_member $2 user_home_dir_t:dir user_home_dir_t;
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
allow $2 user_home_t:dir list_dir_perms;
allow $2 user_home_t:file entrypoint;
read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_ro_home_role'($*)) dnl
')
#######################################
##
## Allow a home directory for which the
## role has full access.
##
##
##
## Allow a home directory for which the
## role has full access.
##
##
## This does not allow execute access.
##
##
##
##
## The user role
##
##
##
##
## The user domain
##
##
##
#
define(`userdom_manage_home_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_home_role'($*)) dnl
gen_require(`
type user_home_t, user_home_dir_t;
attribute user_home_type;
')
role $1 types { user_home_type user_home_dir_t };
##############################
#
# Domain access to home dir
#
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
allow $2 user_home_t:dir mounton;
allow $2 user_home_t:file entrypoint;
allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
userdom_filetrans_home_content($2)
files_list_home($2)
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
fs_mount_nfs($2)
fs_mounton_nfs($2)
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
fs_manage_nfs_symlinks($2)
fs_manage_nfs_named_sockets($2)
fs_manage_nfs_named_pipes($2)
')
tunable_policy(`use_samba_home_dirs',`
fs_mount_cifs($2)
fs_mounton_cifs($2)
fs_manage_cifs_dirs($2)
fs_manage_cifs_files($2)
fs_manage_cifs_symlinks($2)
fs_manage_cifs_named_sockets($2)
fs_manage_cifs_named_pipes($2)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_home_role'($*)) dnl
')
#######################################
##
## Manage user temporary files
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_files'($*)) dnl
')
#######################################
##
## Watch user temporary directories
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_watch_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_watch_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_watch_tmp_dirs'($*)) dnl
')
#######################################
##
## Watch_mount user temporary directories
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_watch_mount_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_watch_mount_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
watch_mount_dirs_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_watch_mount_tmp_dirs'($*)) dnl
')
#######################################
##
## Watch_with_perm user temporary directories
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_watch_with_perm_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_watch_with_perm_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
watch_with_perm_dirs_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_watch_with_perm_tmp_dirs'($*)) dnl
')
#######################################
##
## Mmap user temporary files
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_map_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_map_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_map_tmp_files'($*)) dnl
')
#######################################
##
## Manage user temporary sockets
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_sockets'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_sockets'($*)) dnl
')
#######################################
##
## Manage user temporary directories
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_dirs'($*)) dnl
')
#######################################
##
## Manage user temporary directories
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_mounton_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_mounton_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_mounton_tmp_dirs'($*)) dnl
')
#######################################
##
## Manage user temporary files
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_tmp_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_role'($*)) dnl
gen_require(`
attribute user_tmp_type;
type user_tmp_t;
')
role $1 types user_tmp_t;
files_poly_member_tmp($2, user_tmp_t)
allow $2 user_tmp_type:dir mounton;
manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
manage_files_pattern($2, user_tmp_type, user_tmp_type)
manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
relabel_files_pattern($2, user_tmp_type, user_tmp_type)
relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
allow $2 user_tmp_type:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_role'($*)) dnl
')
#######################################
##
## Dontaudit search of user bin dirs.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_user_bin_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_bin_dirs'($*)) dnl
gen_require(`
type home_bin_t;
')
dontaudit $1 home_bin_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_bin_dirs'($*)) dnl
')
#######################################
##
## Execute user bin files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_exec_user_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_user_bin_files'($*)) dnl
gen_require(`
attribute user_home_type;
type home_bin_t, user_home_dir_t;
')
exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_user_bin_files'($*)) dnl
')
#######################################
##
## The execute access user temporary files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_exec_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
dontaudit $1 user_tmp_t:sock_file execute;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_user_tmp_files'($*)) dnl
')
#######################################
##
## Manage user temporary file system files
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmpfs_files'($*)) dnl
gen_require(`
type user_tmpfs_t;
')
manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmpfs_files'($*)) dnl
')
#######################################
##
## Role access for the user tmpfs type
## that the user has full access.
##
##
##
## Role access for the user tmpfs type
## that the user has full access.
##
##
## This does not allow execute access.
##
##
##
##
## Role allowed access.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_tmpfs_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_tmpfs_role'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
userdom_manage_tmp_role($1,$2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_tmpfs_role'($*)) dnl
')
#######################################
##
## The interface allowing the user basic
## network permissions
##
##
##
## The user domain
##
##
##
#
define(`userdom_basic_networking',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_basic_networking'($*)) dnl
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_ports($1)
corenet_sendrecv_all_client_packets($1)
optional_policy(`
init_tcp_recvfrom_all_daemons($1)
init_udp_recvfrom_all_daemons($1)
')
optional_policy(`
ipsec_match_default_spd($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_basic_networking'($*)) dnl
')
#######################################
##
## The template for creating a user xwindows client. (Deprecated)
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_xwindows_client_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_xwindows_client_template'($*)) dnl
refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
gen_require(`
type $1_t, user_tmpfs_t;
')
dev_rw_xserver_misc($1_t)
dev_rw_power_management($1_t)
dev_read_input($1_t)
dev_read_misc($1_t)
dev_write_misc($1_t)
# open office is looking for the following
dev_getattr_agp_dev($1_t)
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
dev_rw_generic_usb_dev($1_t)
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
xserver_dontaudit_write_log($1_t)
xserver_stream_connect_xdm($1_t)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_xwindows_client_template'($*)) dnl
')
#######################################
##
## The template for allowing the user to change passwords.
## NOTE! This template also allows the user to change shell.
## If you want to only allow changing passwords, you should
## use usermanage_run_passwd() instead.
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_change_password_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_change_password_template'($*)) dnl
gen_require(`
type $1_t;
role $1_r;
')
optional_policy(`
usermanage_run_chfn($1_t,$1_r)
usermanage_run_passwd($1_t,$1_r)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_change_password_template'($*)) dnl
')
#######################################
##
## The template containing rules common to unprivileged
## users and administrative users.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_common_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_common_user_template'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
userdom_basic_networking($1_usertype)
corenet_all_recvfrom_netlabel($1_t)
##############################
#
# User domain Local policy
#
allow $1_t self:packet_socket create_socket_perms;
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
allow $1_t self:netlink_selinux_socket create_socket_perms;
allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
allow $1_t self:socket create_socket_perms;
allow $1_usertype unpriv_userdomain:fd use;
kernel_read_system_state($1_t)
kernel_read_network_state($1_usertype)
kernel_read_software_raid_state($1_usertype)
kernel_read_net_sysctls($1_usertype)
kernel_read_afs_state($1_usertype)
# Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
kernel_read_device_sysctls($1_usertype)
kernel_request_load_module($1_usertype)
corenet_udp_bind_generic_node($1_usertype)
corenet_udp_bind_generic_port($1_usertype)
dev_read_rand($1_usertype)
dev_write_sound($1_usertype)
dev_read_sound($1_usertype)
dev_read_sound_mixer($1_usertype)
dev_write_sound_mixer($1_usertype)
dev_rw_inherited_input_dev($1_usertype)
files_exec_etc_files($1_usertype)
files_search_locks($1_usertype)
# Check to see if cdrom is mounted
files_search_mnt($1_usertype)
# cjp: perhaps should cut back on file reads:
files_read_var_files($1_usertype)
files_read_var_symlinks($1_usertype)
files_read_generic_spool($1_usertype)
files_read_var_lib_files($1_usertype)
# Stat lost+found.
files_getattr_lost_found_dirs($1_usertype)
files_read_config_files($1_usertype)
fs_read_noxattr_fs_files($1_usertype)
fs_read_noxattr_fs_symlinks($1_usertype)
fs_rw_cgroup_files($1_usertype)
application_getattr_socket($1_usertype)
ifdef(`enable_mls',`
init_rw_tcp_sockets($1_t)
')
logging_send_syslog_msg($1_t)
selinux_get_enforce_mode($1_t)
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
# for eject
storage_getattr_fixed_disk_dev($1_usertype)
auth_read_login_records($1_usertype)
auth_run_pam_timestamp($1_t,$1_r)
auth_run_utempter($1_t,$1_r)
auth_filetrans_admin_home_content($1_t)
init_read_utmp($1_usertype)
seutil_read_file_contexts($1_usertype)
seutil_read_default_contexts($1_usertype)
seutil_run_newrole($1_t,$1_r)
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_usertype)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
seutil_dontaudit_signal_newrole($1_t)
term_getattr_all_ttys($1_t)
optional_policy(`
afs_read_config($1_t)
')
optional_policy(`
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_usertype)
')
optional_policy(`
chrome_role($1_r, $1_usertype)
')
optional_policy(`
canna_stream_connect($1_usertype)
')
optional_policy(`
colord_read_lib_files($1_usertype)
')
optional_policy(`
dbus_system_bus_client($1_usertype)
allow $1_usertype $1_usertype:dbus send_msg;
optional_policy(`
avahi_dbus_chat($1_usertype)
')
optional_policy(`
bluetooth_dbus_chat($1_usertype)
')
optional_policy(`
consolekit_dbus_chat($1_usertype)
consolekit_read_log($1_usertype)
')
optional_policy(`
devicekit_dbus_chat($1_usertype)
devicekit_dbus_chat_power($1_usertype)
devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
evolution_dbus_chat($1_usertype)
evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
firewalld_dbus_chat($1_usertype)
')
optional_policy(`
geoclue_dbus_chat($1_usertype)
')
optional_policy(`
gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')
optional_policy(`
memcached_stream_connect($1_usertype)
')
optional_policy(`
modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
networkmanager_dbus_chat($1_usertype)
networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
policykit_dbus_chat($1_usertype)
')
optional_policy(`
vpn_dbus_chat($1_usertype)
')
')
optional_policy(`
git_role($1_r, $1_t)
')
optional_policy(`
inetd_use_fds($1_usertype)
inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
inn_read_config($1_usertype)
inn_read_news_lib($1_usertype)
inn_read_news_spool($1_usertype)
')
optional_policy(`
lircd_stream_connect($1_usertype)
')
optional_policy(`
locate_read_lib_files($1_t)
')
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
mpd_stream_connect($1_t)
')
# for running depmod as part of the kernel packaging process
optional_policy(`
modutils_read_module_config($1_usertype)
')
optional_policy(`
mta_rw_spool($1_usertype)
mta_manage_queue($1_usertype)
')
optional_policy(`
tunable_policy(`selinuxuser_mysql_connect_enabled',`
mysql_stream_connect($1_t)
')
')
optional_policy(`
oident_manage_user_content($1_t)
oident_relabel_user_content($1_t)
oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
')
optional_policy(`
# to allow monitoring of pcmcia status
pcmcia_read_pid($1_usertype)
')
optional_policy(`
pcscd_read_pid_files($1_t)
pcscd_stream_connect($1_t)
')
optional_policy(`
tunable_policy(`selinuxuser_postgresql_connect_enabled',`
postgresql_stream_connect($1_usertype)
postgresql_tcp_connect($1_usertype)
')
')
optional_policy(`
ppp_manage_home_files($1_t)
ppp_relabel_home_files($1_t)
ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
')
optional_policy(`
resmgr_stream_connect($1_usertype)
')
optional_policy(`
rpc_dontaudit_getattr_exports($1_usertype)
')
optional_policy(`
rpcbind_stream_connect($1_usertype)
')
optional_policy(`
samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
slrnpull_search_spool($1_usertype)
')
optional_policy(`
thumb_role($1_r, $1_usertype)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_common_user_template'($*)) dnl
')
#######################################
##
## The template for creating a login user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_login_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_login_user_template'($*)) dnl
gen_require(`
class context contains;
attribute login_userdomain;
')
userdom_base_user_template($1)
typeattribute $1_t login_userdomain;
userdom_manage_home_role($1_r, $1_t)
userdom_manage_tmp_role($1_r, $1_usertype)
ifelse(`$1',`unconfined',`',`
gen_tunable(`$1_exec_content', true)
tunable_policy(`$1_exec_content',`
userdom_exec_user_tmp_files($1_usertype)
userdom_exec_user_home_content_files($1_usertype)
')
tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
fs_exec_nfs_files($1_usertype)
')
tunable_policy(`$1_exec_content && use_samba_home_dirs',`
fs_exec_cifs_files($1_usertype)
')
')
# NOTE! This template also allows user to change shell.
userdom_change_password_template($1)
##############################
#
# User domain Local policy
#
dontaudit $1_t self:capability { sys_nice fsetid };
allow $1_t self:process ~{ ptrace execmem execstack execheap };
tunable_policy(`selinuxuser_use_ssh_chroot',`
allow $1_t self:capability { setuid setgid sys_chroot };
')
dontaudit $1_t self:process setrlimit;
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
domain_dyntrans_type($1_t)
allow $1_t self:context contains;
kernel_dontaudit_read_system_state($1_usertype)
kernel_dontaudit_list_all_proc($1_usertype)
dev_read_sysfs($1_usertype)
dev_read_rand($1_usertype)
dev_read_urand($1_usertype)
domain_use_interactive_fds($1_usertype)
# Command completion can fire hundreds of denials
domain_dontaudit_exec_all_entry_files($1_usertype)
files_dontaudit_list_default($1_usertype)
files_dontaudit_read_default_files($1_usertype)
# Stat lost+found.
files_getattr_lost_found_dirs($1_usertype)
fs_get_all_fs_quotas($1_usertype)
fs_getattr_all_fs($1_usertype)
fs_search_all($1_usertype)
auth_read_passwd($1_t)
auth_role($1_r, $1_t)
auth_create_cache($1_t)
auth_rw_cache($1_t)
auth_search_pam_console_data($1_t)
auth_dontaudit_read_login_records($1_t)
auth_dontaudit_write_login_records($1_t)
application_exec_all($1_t)
# Allow login user type to run systemd user session
init_signal($1_usertype)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
init_dontaudit_rw_utmp($1_t)
# Stop warnings about access to /dev/console
init_dontaudit_use_fds($1_usertype)
init_dontaudit_use_script_fds($1_usertype)
# Needed by pam_selinux.so calling in systemd-users
init_entrypoint_exec(login_userdomain)
libs_exec_lib_files($1_usertype)
logging_dontaudit_getattr_all_logs($1_usertype)
# for running TeX programs
miscfiles_read_tetex_data($1_usertype)
miscfiles_exec_tetex_data($1_usertype)
seutil_read_config($1_usertype)
seutil_read_file_contexts($1_usertype)
seutil_read_default_contexts($1_usertype)
seutil_exec_setfiles($1_usertype)
optional_policy(`
cups_read_config($1_usertype)
cups_stream_connect($1_usertype)
cups_stream_connect_ptal($1_usertype)
')
optional_policy(`
kerberos_use($1_usertype)
init_write_key($1_usertype)
')
optional_policy(`
mysql_filetrans_named_content($1_usertype)
')
optional_policy(`
mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
rpm_read_db($1_usertype)
rpm_dontaudit_manage_db($1_usertype)
rpm_read_cache($1_usertype)
')
optional_policy(`
oddjob_run_mkhomedir($1_t, $1_r)
oddjob_run($1_t, $1_r)
')
optional_policy(`
chronyd_run_chronyc($1_t, $1_r)
')
optional_policy(`
ipa_run_helper($1_t, $1_r)
')
optional_policy(`
wine_filetrans_named_content($1_usertype)
')
optional_policy(`
sssd_stream_connect($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_login_user_template'($*)) dnl
')
#######################################
##
## The template for creating a unprivileged login user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_restricted_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_restricted_user_template'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
userdom_login_user_template($1)
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
##############################
#
# Local policy
#
optional_policy(`
loadkeys_run($1_t, $1_r)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_restricted_user_template'($*)) dnl
')
#######################################
##
## The template for creating a unprivileged xwindows login user.
##
##
##
## The template for creating a unprivileged xwindows login user.
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_restricted_xwindows_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_restricted_xwindows_user_template'($*)) dnl
userdom_restricted_user_template($1)
##############################
#
# Local policy
#
allow $1_usertype self:cap_userns { sys_admin sys_chroot };
dontaudit $1_usertype self:cap_userns sys_ptrace;
allow $1_usertype self:dir { add_name write };
kernel_stream_connect($1_usertype)
fs_associate_proc($1_usertype)
dev_read_sound($1_usertype)
dev_write_sound($1_usertype)
# gnome keyring wants to read this.
dev_dontaudit_read_rand($1_usertype)
# temporarily allow since openoffice requires this
dev_read_rand($1_usertype)
dev_read_video_dev($1_usertype)
dev_write_video_dev($1_usertype)
dev_rw_wireless($1_usertype)
libs_dontaudit_setattr_lib_files($1_usertype)
init_read_state($1_usertype)
init_signal($1_usertype)
tunable_policy(`selinuxuser_rw_noexattrfile',`
dev_rw_usbfs($1_t)
dev_rw_generic_usb_dev($1_usertype)
fs_manage_noxattr_fs_files($1_usertype)
fs_manage_noxattr_fs_dirs($1_usertype)
fs_manage_dos_dirs($1_usertype)
fs_manage_dos_files($1_usertype)
storage_raw_read_removable_device($1_usertype)
storage_raw_write_removable_device($1_usertype)
')
logging_send_syslog_msg($1_t)
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
selinux_get_enforce_mode($1_t)
seutil_exec_restorecond($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
xserver_restricted_role($1_r, $1_t)
optional_policy(`
alsa_read_rw_config($1_usertype)
')
# cjp: needed by KDE apps
# bug: #682499
optional_policy(`
gnome_read_usr_config($1_usertype)
# cjp: telepathy F15 bugs
telepathy_role($1_r, $1_t, $1)
')
optional_policy(`
obex_role($1_r, $1_t, $1)
')
optional_policy(`
dbus_role_template($1, $1_r, $1_usertype)
dbus_system_bus_client($1_usertype)
allow $1_usertype $1_usertype:dbus send_msg;
optional_policy(`
abrt_dbus_chat($1_usertype)
abrt_run_helper($1_usertype, $1_r)
')
optional_policy(`
accountsd_dbus_chat($1_usertype)
')
optional_policy(`
consolekit_dontaudit_read_log($1_usertype)
consolekit_dbus_chat($1_usertype)
')
optional_policy(`
cups_dbus_chat($1_usertype)
cups_dbus_chat_config($1_usertype)
')
optional_policy(`
devicekit_dbus_chat($1_usertype)
devicekit_dbus_chat_disk($1_usertype)
devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
fprintd_dbus_chat($1_t)
')
optional_policy(`
realmd_dbus_chat($1_t)
')
optional_policy(`
gnome_role_template($1, $1_r, $1_t)
')
optional_policy(`
wm_role_template($1, $1_r, $1_t)
')
')
optional_policy(`
policykit_role($1_r, $1_usertype)
')
optional_policy(`
pulseaudio_role($1_r, $1_usertype)
pulseaudio_filetrans_home_content($1_usertype)
')
optional_policy(`
rtkit_scheduled($1_usertype)
')
optional_policy(`
systemd_filetrans_home_content($1_usertype)
')
optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
')
optional_policy(`
udev_read_db($1_usertype)
')
optional_policy(`
xserver_xdm_ioctl_log($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_restricted_xwindows_user_template'($*)) dnl
')
#######################################
##
## The template for creating a unprivileged user roughly
## equivalent to a regular linux user.
##
##
##
## The template for creating a unprivileged user roughly
## equivalent to a regular linux user.
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
#
define(`userdom_unpriv_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_user_template'($*)) dnl
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
userdom_restricted_xwindows_user_template($1)
userdom_common_user_template($1)
##############################
#
# Local policy
#
allow $1_t self:capability { setgid chown fowner };
allow $1_t self:alg_socket create_socket_perms;
allow $1_t self:dccp_socket create_socket_perms;
allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
dontaudit $1_t self:capability { setuid };
dontaudit $1_t self:netlink_selinux_socket create_socket_perms;
allow $1_t self:bpf { map_create map_read map_write prog_load prog_run };
allow $1_t $1_t:system all_system_perms;
tunable_policy(`deny_bluetooth',`',`
allow $1_t self:bluetooth_socket create_socket_perms;
')
auth_use_nsswitch($1_t)
corecmd_exec_chroot($1_t)
# port access is audited even if dac would not have allowed it, so dontaudit it here
# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
corenet_tcp_bind_generic_node($1_usertype)
init_domtrans($1_t)
init_rw_stream_sockets($1_t)
storage_rw_fuse($1_t)
files_exec_usr_files($1_t)
# cjp: why?
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
fs_exec_noxattr($1_t)
tunable_policy(`selinuxuser_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
',`
storage_raw_read_removable_device($1_t)
')
')
miscfiles_read_hwdata($1_usertype)
fs_manage_cgroup_dirs($1_t)
fs_mounton_fusefs($1_usertype)
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
tunable_policy(`selinuxuser_share_music',`
corenet_tcp_bind_daap_port($1_usertype)
')
tunable_policy(`selinuxuser_tcp_server',`
corenet_tcp_bind_all_unreserved_ports($1_usertype)
')
tunable_policy(`selinuxuser_udp_server',`
corenet_udp_bind_all_unreserved_ports($1_usertype)
')
optional_policy(`
cdrecord_role($1_r, $1_t)
')
optional_policy(`
cron_role($1_r, $1)
')
optional_policy(`
games_manage_data_files($1_usertype)
')
optional_policy(`
gpg_role($1_r, $1_usertype)
')
optional_policy(`
systemd_dbus_chat_timedated($1_t)
systemd_dbus_chat_hostnamed($1_t)
systemd_dbus_chat_localed($1_t)
systemd_config_all_services($1_t)
')
optional_policy(`
gpm_stream_connect($1_usertype)
')
optional_policy(`
mount_run_fusermount($1_t, $1_r)
mount_read_pid_files($1_t)
')
optional_policy(`
wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
postfix_run_postdrop($1_t, $1_r)
postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t, $1_r)
')
optional_policy(`
vdagent_getattr_log($1_t)
vdagent_getattr_exec_files($1_t)
vdagent_stream_connect($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_user_template'($*)) dnl
')
#######################################
##
## The template for creating an administrative user.
##
##
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
##
## The privileges given to administrative users are:
##
## - Raw disk access
## - Set all sysctls
## - All kernel ring buffer controls
## - Create, read, write, and delete all files but shadow
## - Manage source and binary format SELinux policy
## - Run insmod
##
##
##
##
##
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
##
##
#
define(`userdom_admin_user_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_admin_user_template'($*)) dnl
gen_require(`
attribute admindomain;
attribute confined_admindomain;
class passwd { passwd chfn chsh rootok crontab };
')
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
userdom_login_user_template($1)
userdom_common_user_template($1)
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
typeattribute $1_t admindomain;
typeattribute $1_t confined_admindomain;
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
')
##############################
#
# $1_t local policy
#
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
allow $1_t self:bpf { map_create map_read map_write prog_load prog_run };
allow $1_t self:alg_socket create_stream_socket_perms;
allow $1_t self:dccp_socket create_stream_socket_perms;
allow $1_t self:cap_userns sys_ptrace;
tunable_policy(`deny_bluetooth',`',`
allow $1_t self:bluetooth_socket create_stream_socket_perms;
')
auth_use_nsswitch($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_change_ring_buffer_level($1_t)
kernel_clear_ring_buffer($1_t)
kernel_read_ring_buffer($1_t)
kernel_read_afs_state($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctls($1_t)
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
kernel_signal($1_t)
kernel_stream_connect($1_t)
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
corenet_rw_tun_tap_dev($1_t)
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
# for lsof
dev_getattr_mtrr_dev($1_t)
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
dev_delete_all_blk_files($1_t)
dev_delete_all_chr_files($1_t)
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
dev_rw_generic_usb_dev($1_t)
dev_rw_usbfs($1_t)
dev_read_kmsg($1_t)
dev_read_cpuid($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
domain_getattr_all_domains($1_t)
domain_getcap_all_domains($1_t)
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
domain_signull_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
domain_dontaudit_getattr_all_sockets($1_t)
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
fs_getattr_all_files($1_t)
fs_list_all($1_t)
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
storage_dontaudit_read_fixed_disk($1_t)
term_use_all_inherited_terms($1_t)
term_use_unallocated_ttys($1_t)
auth_getattr_shadow($1_t)
# Manage almost all files
files_manage_non_security_dirs($1_t)
files_manage_non_security_files($1_t)
# Map almost all files
files_map_non_security_files($1_t)
# Relabel almost all files
files_relabel_non_security_files($1_t)
files_mounton_rootfs($1_t)
init_telinit($1_t)
logging_send_syslog_msg($1_t)
optional_policy(`
modutils_domtrans_kmod($1_t)
')
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
seutil_manage_src_policy($1_t)
# Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
systemd_config_all_services($1_t)
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
userdom_manage_user_home_content_pipes($1_t)
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`selinuxuser_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
',`
fs_read_noxattr_fs_files($1_t)
')
tunable_policy(`selinuxuser_tcp_server',`
corenet_tcp_bind_all_unreserved_ports($1_t)
')
tunable_policy(`selinuxuser_udp_server',`
corenet_udp_bind_all_unreserved_ports($1_t)
')
optional_policy(`
afs_read_config($1_t)
')
optional_policy(`
abrt_dbus_chat($1_t)
abrt_run_helper($1_t, $1_r)
')
optional_policy(`
postgresql_unconfined($1_t)
')
optional_policy(`
userhelper_exec($1_t)
')
optional_policy(`
vdagent_getattr_log($1_t)
vdagent_getattr_exec_files($1_t)
vdagent_stream_connect($1_t)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_admin_user_template'($*)) dnl
')
########################################
##
## Allow user to run as a secadm
##
##
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role of the object to create.
##
##
#
define(`userdom_security_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_security_admin'($*)) dnl
allow $1 self:capability { audit_control dac_read_search };
allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms };
corecmd_exec_shell($1)
domain_obj_id_change_exemption($1)
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
files_create_default_dir($1)
files_root_filetrans_default($1, dir)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
mls_process_read_up($1)
mls_file_read_all_levels($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
selinux_read_policy($1)
files_relabel_all_files($1)
auth_relabel_shadow($1)
init_exec($1)
logging_send_syslog_msg($1)
logging_read_audit_log($1)
logging_read_generic_logs($1)
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
seutil_manage_default_contexts($1)
seutil_manage_file_contexts($1)
seutil_manage_module_store($1)
seutil_manage_config($1)
seutil_manage_login_config($1)
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
seutil_run_setsebool($1,$2)
seutil_run_setfiles($1, $2)
optional_policy(`
aide_run($1,$2)
')
optional_policy(`
consoletype_exec($1)
')
optional_policy(`
ipsec_run_setkey($1,$2)
')
optional_policy(`
netlabel_run_mgmt($1,$2)
')
optional_policy(`
samhain_run($1, $2)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_security_admin'($*)) dnl
')
########################################
##
## Make the specified type usable as
## a user application domain type.
##
##
##
## Type to be used as a user application domain.
##
##
#
define(`userdom_user_application_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_application_type'($*)) dnl
application_type($1)
ubac_constrained($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_application_type'($*)) dnl
')
########################################
##
## Make the specified type usable as
## a user application domain.
##
##
##
## Type to be used as a user application domain.
##
##
##
##
## Type to be used as the domain entry point.
##
##
#
define(`userdom_user_application_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_application_domain'($*)) dnl
application_domain($1, $2)
ubac_constrained($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_application_domain'($*)) dnl
')
########################################
##
## Make the specified type usable in a
## user home directory.
##
##
##
## Type to be used as a file in the
## user home directory.
##
##
#
define(`userdom_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_content'($*)) dnl
gen_require(`
attribute user_home_content_type;
type user_home_t;
attribute user_home_type;
')
typeattribute $1 user_home_content_type;
allow $1 user_home_t:filesystem associate;
files_type($1)
ubac_constrained($1)
files_poly_member($1)
typeattribute $1 user_home_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_content'($*)) dnl
')
########################################
##
## Make the specified type usable as a
## user temporary file.
##
##
##
## Type to be used as a file in the
## temporary directories.
##
##
#
define(`userdom_user_tmp_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_file'($*)) dnl
files_tmp_file($1)
ubac_constrained($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_file'($*)) dnl
')
########################################
##
## Make the specified type usable as a
## user tmpfs file.
##
##
##
## Type to be used as a file in
## tmpfs directories.
##
##
#
define(`userdom_user_tmpfs_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmpfs_file'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
userdom_user_tmp_file($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmpfs_file'($*)) dnl
')
########################################
##
## Make the specified type usable as
## user temporary content.
##
##
##
## Type to be used as a file in the
## generic temporary directory.
##
##
#
define(`userdom_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_content'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
typeattribute $1 user_tmp_type;
files_tmp_file($1)
ubac_constrained($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_content'($*)) dnl
')
########################################
##
## Make the specified type usable in a
## generic tmpfs_t directory.
##
##
##
## Type to be used as a file in the
## generic temporary directory.
##
##
#
define(`userdom_user_tmpfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmpfs_content'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
userdom_user_tmp_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmpfs_content'($*)) dnl
')
########################################
##
## Allow domain to attach to TUN devices created by administrative users.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_attach_admin_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_attach_admin_tun_iface'($*)) dnl
gen_require(`
attribute admindomain;
')
allow $1 admindomain:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_attach_admin_tun_iface'($*)) dnl
')
########################################
##
## Set the attributes of a user pty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_setattr_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ptys'($*)) dnl
')
########################################
##
## Create a user pty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_create_user_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_user_pty'($*)) dnl
gen_require(`
type user_devpts_t;
')
term_create_pty($1, user_devpts_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_user_pty'($*)) dnl
')
########################################
##
## Get the attributes of user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir getattr_dir_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of user home directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_getattr_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_home_dirs'($*)) dnl
')
########################################
##
## Search user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_home_dirs'($*)) dnl
')
########################################
##
## Search user tmp directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_user_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
files_search_tmp($1)
allow $1 user_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to search user home directories.
##
##
##
## Do not audit attempts to search user home directories.
## This will supress SELinux denial messages when the specified
## domain is denied the permission to search these directories.
##
##
##
##
## Domain to not audit.
##
##
##
#
define(`userdom_dontaudit_search_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_home_dirs'($*)) dnl
')
########################################
##
## List user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs($1)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs($1)
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_home_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to list user home subdirectories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
type user_home_t;
')
dontaudit $1 user_home_dir_t:dir list_dir_perms;
dontaudit $1 user_home_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_home_dirs'($*)) dnl
')
########################################
##
## Create user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_create_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_user_home_dirs'($*)) dnl
')
########################################
##
## Create user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_dirs'($*)) dnl
')
########################################
##
## Create user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dontaudit_manage_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_home_dirs'($*)) dnl
')
########################################
##
## Relabel to user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabelto_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_dir_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_home_dirs'($*)) dnl
')
########################################
##
## Relabel to user home files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabelto_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_home_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_home_files'($*)) dnl
')
########################################
##
## Relabel user home files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabel_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_home_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_user_home_files'($*)) dnl
')
########################################
##
## Relabel user home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabel_user_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_home_dirs'($*)) dnl
gen_require(`
type user_home_dir_t;
')
allow $1 user_home_t:dir relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_user_home_dirs'($*)) dnl
')
########################################
##
## Create directories in the home dir root with
## the user home directory type.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_home_filetrans_user_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_home_filetrans_user_home_dir'($*)) dnl
gen_require(`
type user_home_dir_t;
')
files_home_filetrans($1, user_home_dir_t, dir, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_home_filetrans_user_home_dir'($*)) dnl
')
########################################
##
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
##
##
##
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed to transition.
##
##
##
##
## Domain to transition to.
##
##
#
define(`userdom_user_home_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_domtrans'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
domain_auto_trans($1, user_home_t, $2)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_domtrans'($*)) dnl
')
########################################
##
## Do not audit attempts to search user home content directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_home_content'($*)) dnl
gen_require(`
attribute user_home_type;
')
dontaudit $1 user_home_type:dir search_dir_perms;
fs_dontaudit_list_nfs($1)
fs_dontaudit_list_cifs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_home_content'($*)) dnl
')
########################################
##
## List all users home content directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_all_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_all_user_home_content'($*)) dnl
gen_require(`
attribute user_home_content_type;
')
userdom_search_user_home_dirs($1)
allow $1 user_home_content_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_all_user_home_content'($*)) dnl
')
########################################
##
## List contents of users home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_content'($*)) dnl
gen_require(`
type user_home_dir_t;
attribute user_home_type;
')
files_list_home($1)
allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_home_content'($*)) dnl
')
########################################
##
## Create, read, write, and delete directories
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_dirs'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_dirs'($*)) dnl
')
########################################
##
## Delete directories in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_user_home_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_dirs'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:dir delete_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_dirs'($*)) dnl
')
########################################
##
## Delete files in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_files'($*)) dnl
')
########################################
##
## Delete all directories in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_user_home_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_dirs'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:dir delete_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_dirs'($*)) dnl
')
########################################
##
## Set the attributes of user home files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_setattr_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_home_content_files'($*)) dnl
')
########################################
##
## Set the attributes of user tmp files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_setattr_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_tmp_files'($*)) dnl
')
########################################
##
## Create a user tmp sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_create_user_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_user_tmp_sockets'($*)) dnl
gen_require(`
type user_tmp_t;
')
files_search_tmp($1)
allow $1 user_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_user_tmp_sockets'($*)) dnl
')
########################################
##
## Dontaudit getattr on user tmp sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`usedom_dontaudit_user_getattr_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usedom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
userdom_getattr_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usedom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
')
########################################
##
## Dontaudit getattr on user tmp sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dontaudit_user_getattr_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
')
########################################
##
## Relabel user tmp files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_relabel_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_user_tmp_files'($*)) dnl
')
########################################
##
## Relabel user tmp files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_relabel_user_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabel_user_tmp_dirs'($*)) dnl
')
########################################
##
## Do not audit attempts to set the
## attributes of user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_setattr_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl
')
########################################
##
## Set the attributes of all user home directories.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_setattr_all_user_home_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_all_user_home_content_dirs'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_all_user_home_content_dirs'($*)) dnl
')
########################################
##
## Mmap user home files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_mmap_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_mmap_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file map;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_mmap_user_home_content_files'($*)) dnl
')
########################################
##
## map user home files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_map_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_map_user_home_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_map_user_home_files'($*)) dnl
')
########################################
##
## Read user home files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_files'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
attribute user_home_type;
')
allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to getattr user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_getattr_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_home_content'($*)) dnl
gen_require(`
attribute user_home_type;
')
dontaudit $1 user_home_type:dir getattr;
dontaudit $1 user_home_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_home_content'($*)) dnl
')
########################################
##
## Do not audit attempts to read user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir list_dir_perms;
dontaudit $1 user_home_type:dir list_dir_perms;
dontaudit $1 user_home_type:file read_file_perms;
dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to mmap user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_mmap_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_mmap_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
dontaudit $1 user_home_type:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_mmap_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_append_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_write_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_home_content_files'($*)) dnl
')
########################################
##
## Delete all files in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_files'($*)) dnl
')
########################################
##
## Delete sock files in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_user_home_content_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_sock_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:sock_file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_sock_files'($*)) dnl
')
########################################
##
## Delete all sock files in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_user_home_content_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_sock_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:sock_file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_sock_files'($*)) dnl
')
########################################
##
## Delete all files in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:dir_file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content'($*)) dnl
')
########################################
##
## Do not audit attempts to write user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_relabel_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabel_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabel_user_home_content_files'($*)) dnl
')
########################################
##
## Read user home subdirectory symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_home_content_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_symlinks'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_symlinks'($*)) dnl
')
########################################
##
## Execute user home files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_exec_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_user_home_content_files'($*)) dnl
gen_require(`
type user_home_dir_t;
attribute user_home_type;
')
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
dontaudit $1 user_home_type:sock_file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to execute user home files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_exec_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_exec_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
dontaudit $1 user_home_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_exec_user_home_content_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete files
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_files'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
allow $1 user_home_t:file map;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to create, read, write, and delete directories
## in a user home subdirectory.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_user_home_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
dontaudit $1 user_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete symbolic links
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_symlinks'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_lnk_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_symlinks'($*)) dnl
')
########################################
##
## Delete symbolic links in a user home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_user_home_content_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_symlinks'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:lnk_file delete_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_symlinks'($*)) dnl
')
########################################
##
## Delete all symbolic links in a user home directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_user_home_content_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_symlinks'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:lnk_file delete_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_pipes'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
manage_fifo_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete named sockets
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_home_content_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_sockets'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
allow $1 user_home_dir_t:dir search_dir_perms;
manage_sock_files_pattern($1, user_home_t, user_home_t)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_sockets'($*)) dnl
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_user_home_dir_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans'($*)) dnl
gen_require(`
type user_home_dir_t;
')
filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans'($*)) dnl
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_user_home_content_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_content_filetrans'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
filetrans_pattern($1, user_home_t, $2, $3, $4)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_content_filetrans'($*)) dnl
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## the user home file type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_user_home_dir_filetrans_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3)
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl
')
########################################
##
## Write to user temporary named sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_user_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_sockets'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_sockets'($*)) dnl
')
########################################
##
## List user temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_tmp'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to list user
## temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_tmp'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to manage users
## temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_user_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl
')
########################################
##
## Read user temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_tmp_files'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
getattr_files_pattern($1, user_tmp_type, user_tmp_type)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_tmp_files'($*)) dnl
')
########################################
##
## Read user temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_files'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
read_files_pattern($1, user_tmp_type, user_tmp_type)
allow $1 user_tmp_type:dir list_dir_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_files'($*)) dnl
')
########################################
##
## Read user temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_append_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_append_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_append_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to append users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_append_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_tmp_files'($*)) dnl
')
########################################
##
## Read and write user temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmp_files'($*)) dnl
')
########################################
##
## Read and write user temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_user_tmp_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmp_sock_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:dir list_dir_perms;
allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmp_sock_files'($*)) dnl
')
########################################
##
## Do not audit attempts to manage users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_files'($*)) dnl
')
########################################
##
## Read user temporary symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_symlinks'($*)) dnl
gen_require(`
type user_tmp_t;
')
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_dirs'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_filetrans_named_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_filetrans_named_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_filetrans_named_user_tmp_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary symbolic links.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_symlinks'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_symlinks'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_inherited_user_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_tmp_pipes'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_tmp_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary named pipes.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_pipes'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_pipes'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary named sockets.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_sockets'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_sockets'($*)) dnl
')
########################################
##
## Create objects in a user temporary directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_user_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_filetrans'($*)) dnl
gen_require(`
type user_tmp_t;
')
filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_filetrans'($*)) dnl
')
########################################
##
## Create objects in the temporary directory
## with an automatic type transition to
## the user temporary type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_tmp_filetrans_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmp_filetrans_user_tmp'($*)) dnl
gen_require(`
type user_tmp_t;
')
files_tmp_filetrans($1, user_tmp_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmp_filetrans_user_tmp'($*)) dnl
')
#######################################
##
## Getattr user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
userdom_getattr_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_tmpfs_files'($*)) dnl
')
########################################
##
## Read user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
userdom_read_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmpfs_files'($*)) dnl
')
########################################
##
## Read/Write user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
userdom_rw_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmpfs_files'($*)) dnl
')
########################################
##
## Manage user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
userdom_manage_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmpfs_files'($*)) dnl
')
########################################
##
## Read/Write inherited user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_inherited_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
userdom_rw_inherited_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_tmpfs_files'($*)) dnl
')
########################################
##
## Execute user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_execute_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_execute_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
userdom_execute_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_execute_user_tmpfs_files'($*)) dnl
')
########################################
##
## Execute user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_execute_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_execute_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_execute_user_tmp_files'($*)) dnl
')
########################################
##
## Get the attributes of a user domain tty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to get the attributes of a user domain tty.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_getattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_ttys'($*)) dnl
')
########################################
##
## Set the attributes of a user domain tty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_setattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ttys'($*)) dnl
')
########################################
##
## Do not audit attempts to set the attributes of a user domain tty.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_setattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_ttys'($*)) dnl
')
########################################
##
## Read and write a user domain tty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_ttys'($*)) dnl
')
########################################
##
## Read and write a inherited user domain tty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_inherited_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_ttys'($*)) dnl
')
########################################
##
## Read and write a user domain pty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_ptys'($*)) dnl
')
########################################
##
## Read and write a inherited user domain pty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_inherited_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_ptys'($*)) dnl
')
########################################
##
## Read and write a inherited user TTYs and PTYs.
##
##
##
## Allow the specified domain to read and write inherited user
## TTYs and PTYs. This will allow the domain to
## interact with the user via the terminal. Typically
## all interactive applications will require this
## access.
##
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_use_inherited_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_terminals'($*)) dnl
gen_require(`
type user_tty_device_t, user_devpts_t;
')
allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_terminals'($*)) dnl
')
#######################################
##
## Allow attempts to read and write
## a user domain tty and pty.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_use_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_terminals'($*)) dnl
gen_require(`
type user_tty_device_t, user_devpts_t;
')
allow $1 user_tty_device_t:chr_file rw_term_perms;
allow $1 user_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_terminals'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## a user domain tty and pty.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_terminals'($*)) dnl
gen_require(`
type user_tty_device_t, user_devpts_t;
')
dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_terminals'($*)) dnl
')
########################################
##
## Get attributes of user domain tty and pty.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_terminals'($*)) dnl
gen_require(`
type user_tty_device_t, user_devpts_t;
')
allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_terminals'($*)) dnl
')
########################################
##
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
define(`userdom_spec_domtrans_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
corecmd_shell_spec_domtrans($1, userdomain)
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_all_users'($*)) dnl
')
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
define(`userdom_xsession_spec_domtrans_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
xserver_xsession_spec_domtrans($1, userdomain)
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_all_users'($*)) dnl
')
########################################
##
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
define(`userdom_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
corecmd_shell_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_unpriv_users'($*)) dnl
')
#####################################
##
## Allow domain dyntrans to unpriv userdomain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dyntransition_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dyntransition_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:process dyntransition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dyntransition_unpriv_users'($*)) dnl
')
####################################
##
## Allow domain dyntrans to admin userdomain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dyntransition_admin_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dyntransition_admin_users'($*)) dnl
gen_require(`
attribute admindomain;
')
allow $1 admindomain:process dyntransition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dyntransition_admin_users'($*)) dnl
')
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
define(`userdom_xsession_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
xserver_xsession_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Manage unpriviledged user SysV sempaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_unpriv_user_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_semaphores'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_semaphores'($*)) dnl
')
########################################
##
## Manage unpriviledged user SysV shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_unpriv_user_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_shared_mem'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:shm create_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_shared_mem'($*)) dnl
')
########################################
##
## Destroy unpriviledged user SysV shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_destroy_unpriv_user_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_destroy_unpriv_user_shared_mem'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:shm destroy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_destroy_unpriv_user_shared_mem'($*)) dnl
')
########################################
##
## Destroy unpriviledged user's message queue entries.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_destroy_unpriv_user_msgq',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_destroy_unpriv_user_msgq'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:msgq destroy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_destroy_unpriv_user_msgq'($*)) dnl
')
########################################
##
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed to transition.
##
##
#
define(`userdom_bin_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
corecmd_bin_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Execute all entrypoint files in unprivileged user
## domains. This is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_entry_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl
')
########################################
##
## Search users home directories.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_content'($*)) dnl
gen_require(`
type user_home_dir_t;
attribute user_home_type;
')
files_list_home($1)
allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_home_content'($*)) dnl
')
########################################
##
## Send general signals to unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_signal_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signal_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signal_unpriv_users'($*)) dnl
')
########################################
##
## Inherit the file descriptors from unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_unpriv_users_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_unpriv_users_fds'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_unpriv_users_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit the file descriptors
## from unprivileged user domains.
##
##
##
## Do not audit attempts to inherit the file descriptors
## from unprivileged user domains. This will supress
## SELinux denial messages when the specified domain is denied
## the permission to inherit these file descriptors.
##
##
##
##
## Domain to not audit.
##
##
##
#
define(`userdom_dontaudit_use_unpriv_user_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
dontaudit $1 unpriv_userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to use user ptys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to open user ptys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_open_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_open_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
dontaudit $1 user_devpts_t:chr_file open;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_open_user_ptys'($*)) dnl
')
########################################
##
## Relabel files to unprivileged user pty types.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_relabelto_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
allow $1 user_devpts_t:chr_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_ptys'($*)) dnl
')
########################################
##
## Do not audit attempts to relabel files from
## user pty types.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_relabelfrom_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabelfrom_user_ptys'($*)) dnl
gen_require(`
type user_devpts_t;
')
dontaudit $1 user_devpts_t:chr_file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabelfrom_user_ptys'($*)) dnl
')
########################################
##
## Write all users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
write_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_write_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to delete users
## temporary files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_delete_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_delete_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_delete_user_tmp_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read/write users
## temporary fifo files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_rw_user_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_user_tmp_pipes'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_user_tmp_pipes'($*)) dnl
')
########################################
##
## Allow domain to read/write inherited users
## fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_inherited_user_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_pipes'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_pipes'($*)) dnl
')
########################################
##
## Do not audit attempts to use user ttys.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_ttys'($*)) dnl
gen_require(`
type user_tty_device_t;
')
dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_ttys'($*)) dnl
')
########################################
##
## Read the process state of all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_users_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_state'($*)) dnl
gen_require(`
attribute userdomain;
')
read_files_pattern($1, userdomain, userdomain)
read_lnk_files_pattern($1,userdomain,userdomain)
kernel_search_proc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_state'($*)) dnl
')
########################################
##
## Get the attributes of all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_getattr_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_all_users'($*)) dnl
')
########################################
##
## Inherit the file descriptors from all user domains
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_use_all_users_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_all_users_fds'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_all_users_fds'($*)) dnl
')
########################################
##
## Do not audit attempts to inherit the file
## descriptors from any user domains.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_use_all_users_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_all_users_fds'($*)) dnl
gen_require(`
attribute userdomain;
')
dontaudit $1 userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_all_users_fds'($*)) dnl
')
########################################
##
## Send general signals to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_signal_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signal_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signal_all_users'($*)) dnl
')
#######################################
##
## Send signull to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_signull_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signull_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signull_all_users'($*)) dnl
')
########################################
##
## Send kill signals to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_kill_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_kill_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_kill_all_users'($*)) dnl
')
########################################
##
## Send a SIGCHLD signal to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_sigchld_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_sigchld_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_sigchld_all_users'($*)) dnl
')
########################################
##
## Read keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_all_users_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_keys'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_keys'($*)) dnl
')
########################################
##
## Write keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_all_users_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_all_users_keys'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_all_users_keys'($*)) dnl
')
########################################
##
## Read and write keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_all_users_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_all_users_keys'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key { read view write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_all_users_keys'($*)) dnl
')
########################################
##
## Create keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_create_all_users_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_all_users_keys'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_all_users_keys'($*)) dnl
')
########################################
##
## Send a dbus message to all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dbus_send_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dbus_send_all_users'($*)) dnl
gen_require(`
attribute userdomain;
class dbus send_msg;
')
allow $1 userdomain:dbus send_msg;
ps_process_pattern($1, userdomain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dbus_send_all_users'($*)) dnl
')
########################################
##
## Allow apps to set rlimits on userdomain
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_set_rlimitnh',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_set_rlimitnh'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process rlimitinh;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_set_rlimitnh'($*)) dnl
')
########################################
##
## Define this type as a Allow apps to set rlimits on userdomain
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_unpriv_usertype',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_usertype'($*)) dnl
gen_require(`
attribute unpriv_userdomain, userdomain;
attribute $1_usertype;
')
typeattribute $2 $1_usertype;
typeattribute $2 unpriv_userdomain;
typeattribute $2 userdomain;
auth_use_nsswitch($2)
ubac_constrained($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_usertype'($*)) dnl
')
#######################################
##
## Define this type as a Allow apps to set rlimits on userdomain
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_unpriv_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_type'($*)) dnl
gen_require(`
attribute userdomain;
')
typeattribute $1 userdomain;
auth_use_nsswitch($1)
ubac_constrained($1)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_type'($*)) dnl
')
########################################
##
## Connect to users over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_stream_connect'($*)) dnl
gen_require(`
type user_tmp_t;
attribute userdomain;
')
stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_stream_connect'($*)) dnl
')
########################################
##
## Ptrace user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_ptrace_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_ptrace_all_users'($*)) dnl
gen_require(`
attribute userdomain;
')
tunable_policy(`deny_ptrace',`',`
allow $1 userdomain:process ptrace;
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_ptrace_all_users'($*)) dnl
')
########################################
##
## dontaudit Search /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_admin_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_admin_dir'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
dontaudit $1 admin_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_admin_dir'($*)) dnl
')
########################################
##
## dontaudit list /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_list_admin_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_admin_dir'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
dontaudit $1 admin_home_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_admin_dir'($*)) dnl
')
########################################
##
## Allow domain to list /root
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_admin_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_admin_dir'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:lnk_file read_lnk_file_perms;
allow $1 admin_home_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_admin_dir'($*)) dnl
')
########################################
##
## Allow Search /root
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_search_admin_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_admin_dir'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:lnk_file read_lnk_file_perms;
allow $1 admin_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_admin_dir'($*)) dnl
')
########################################
##
## dontaudit create dirs /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_create_admin_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_create_admin_dir'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_create_admin_dir'($*)) dnl
')
########################################
##
## allow manage dirs /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_manage_admin_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_admin_dirs'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_admin_dirs'($*)) dnl
')
########################################
##
## allow manage files /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_manage_admin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_admin_files'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_admin_files'($*)) dnl
')
########################################
##
## dontaudit manage dirs /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_admin_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_admin_dir'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_admin_dir'($*)) dnl
')
########################################
##
## dontaudit manage files /root
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_manage_admin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_admin_files'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_admin_files'($*)) dnl
')
########################################
##
## RW unpriviledged user SysV sempaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_semaphores'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_semaphores'($*)) dnl
')
########################################
##
## Send a message to unpriv users over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dgram_send'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dgram_send'($*)) dnl
')
######################################
##
## Send a message to users over a unix domain
## datagram socket.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_users_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_users_dgram_send'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_users_dgram_send'($*)) dnl
')
#######################################
##
## Allow execmod on files in homedirectory
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_execmod_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_execmod_user_home_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_execmod_user_home_files'($*)) dnl
')
########################################
##
## Read admin home files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_read_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, admin_home_t, admin_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_admin_home_files'($*)) dnl
')
########################################
##
## Delete admin home files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_delete_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:lnk_file read_lnk_file_perms;
allow $1 admin_home_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_admin_home_files'($*)) dnl
')
########################################
##
## Execute admin home files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_exec_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:lnk_file read_lnk_file_perms;
exec_files_pattern($1, admin_home_t, admin_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_admin_home_files'($*)) dnl
')
########################################
##
## Append files inherited
## in the /root directory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_inherit_append_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_inherit_append_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:file { getattr append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_inherit_append_admin_home_files'($*)) dnl
')
#######################################
##
## Manage all files/directories in the homedir
##
##
##
## The user domain
##
##
##
#
define(`userdom_manage_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
attribute user_home_type;
')
files_list_home($1)
manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content'($*)) dnl
')
######################################
##
## Manage all dirs in the homedir
##
##
##
## The user domain
##
##
#
define(`userdom_manage_all_user_home_type_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_home_type_dirs'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
attribute user_home_type;
')
files_list_home($1)
manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_home_type_dirs'($*)) dnl
')
######################################
##
## Manage all files in the homedir
##
##
##
## The user domain
##
##
#
define(`userdom_manage_all_user_home_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_home_type_files'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
attribute user_home_type;
')
files_list_home($1)
manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_home_type_files'($*)) dnl
')
########################################
##
## Create objects in a user home directory
## with an automatic type transition to
## the user home file type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
#
define(`userdom_user_home_dir_filetrans_pattern',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_pattern'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
type_transition $1 user_home_dir_t:$2 user_home_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_pattern'($*)) dnl
')
########################################
##
## Create objects in the /root directory
## with an automatic type transition to
## a specified private type.
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to create.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_admin_home_dir_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_admin_home_dir_filetrans'($*)) dnl
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:lnk_file read_lnk_file_perms;
filetrans_pattern($1, admin_home_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_admin_home_dir_filetrans'($*)) dnl
')
########################################
##
## Send signull to unprivileged user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_signull_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signull_unpriv_users'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signull_unpriv_users'($*)) dnl
')
########################################
##
## Write all users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_user_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_dirs'($*)) dnl
gen_require(`
type user_tmp_t;
')
list_dirs_pattern($1, user_tmp_t, user_tmp_t)
rw_dirs_pattern($1, user_tmp_t, user_tmp_t)
write_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_dirs'($*)) dnl
')
########################################
##
## Manage keys for all user domains.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_all_users_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_users_keys'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_users_keys'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## userdomain stream.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_rw_stream',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_stream'($*)) dnl
gen_require(`
attribute userdomain;
')
dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_stream'($*)) dnl
')
########################################
##
## Read and write userdomain stream.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_stream',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_stream'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_stream'($*)) dnl
')
########################################
##
## Read and write userdomain stream.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_connectto_stream',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_connectto_stream'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_connectto_stream'($*)) dnl
')
########################################
##
## Do not audit attempts to read and write
## unserdomain datagram socket.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_rw_dgram_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_dgram_socket'($*)) dnl
gen_require(`
attribute userdomain;
')
dontaudit $1 userdomain:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_dgram_socket'($*)) dnl
')
########################################
##
## Append files
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_append_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_append_user_home_content_files'($*)) dnl
gen_require(`
type user_home_dir_t, user_home_t;
')
append_files_pattern($1, user_home_t, user_home_t)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_append_user_home_content_files'($*)) dnl
')
########################################
##
## Read files inherited
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_inherited_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_inherited_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_inherited_user_home_content_files'($*)) dnl
')
########################################
##
## Dontaudit Read files inherited from the admin home dir.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_inherited_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_inherited_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_inherited_admin_home_files'($*)) dnl
')
########################################
##
## Dontaudit append files inherited from the admin home dir.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_append_inherited_admin_home_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_inherited_admin_home_file'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_inherited_admin_home_file'($*)) dnl
')
########################################
##
## Read/Write files inherited
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_inherited_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_home_content_files'($*)) dnl
')
########################################
##
## Append files inherited
## in a user home subdirectory.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_inherit_append_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_inherit_append_user_home_content_files'($*)) dnl
gen_require(`
type user_home_t;
')
allow $1 user_home_t:file { getattr append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_inherit_append_user_home_content_files'($*)) dnl
')
########################################
##
## Append files inherited
## in a user tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_inherit_append_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_inherit_append_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file { getattr append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_inherit_append_user_tmp_files'($*)) dnl
')
######################################
##
## Read audio files in the users homedir.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_read_home_audio_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_home_audio_files'($*)) dnl
gen_require(`
type audio_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 audio_home_t:dir list_dir_perms;
read_files_pattern($1, audio_home_t, audio_home_t)
read_lnk_files_pattern($1, audio_home_t, audio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_home_audio_files'($*)) dnl
')
######################################
##
## Manage texlive content in the users homedir.
##
##
##
## Domain allowed access.
##
##
##
#
define(`userdom_manage_home_texlive',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_home_texlive'($*)) dnl
gen_require(`
type texlive_home_t;
')
userdom_search_user_home_dirs($1)
userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
manage_files_pattern($1, texlive_home_t, texlive_home_t)
manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
allow $1 texlive_home_t:file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_home_texlive'($*)) dnl
')
########################################
##
## Do not audit attempts to write all user home content files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_write_all_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_all_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
dontaudit $1 user_home_type:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_all_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to write all user tmp content files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_write_all_user_tmp_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_all_user_tmp_content_files'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
dontaudit $1 user_tmp_type:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_all_user_tmp_content_files'($*)) dnl
')
########################################
##
## Manage all user temporary content.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_all_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_tmp_content'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
manage_files_pattern($1, user_tmp_type, user_tmp_type)
manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_tmp_content'($*)) dnl
')
########################################
##
## List all user temporary content.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_list_all_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_all_user_tmp_content'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
list_dirs_pattern($1, user_tmp_type, user_tmp_type)
getattr_files_pattern($1, user_tmp_type, user_tmp_type)
read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
files_search_var($1)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_all_user_tmp_content'($*)) dnl
')
########################################
##
## Manage all user tmpfs content.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_all_user_tmpfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_tmpfs_content'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')
userdom_manage_all_user_tmp_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_tmpfs_content'($*)) dnl
')
########################################
##
## Delete all user temporary content.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_all_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_tmp_content'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
delete_files_pattern($1, user_tmp_type, user_tmp_type)
delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
# /var/tmp
files_search_var($1)
files_delete_tmp_dir_entry($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_tmp_content'($*)) dnl
')
########################################
##
## Read system SSL certificates in the users homedir.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_home_certs'($*)) dnl
gen_require(`
attribute userdom_home_reader_certs_type;
')
typeattribute $1 userdom_home_reader_certs_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_home_certs'($*)) dnl
')
########################################
##
## mmap system SSL certificates in the users homedir.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_map_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_map_home_certs'($*)) dnl
gen_require(`
type home_cert_t;
')
allow $1 home_cert_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_map_home_certs'($*)) dnl
')
########################################
##
## Manage system SSL certificates in the users homedir.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_home_certs'($*)) dnl
gen_require(`
type home_cert_t;
')
allow $1 home_cert_t:dir list_dir_perms;
manage_dirs_pattern($1, home_cert_t, home_cert_t)
manage_files_pattern($1, home_cert_t, home_cert_t)
manage_lnk_files_pattern($1, home_cert_t, home_cert_t)
userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_home_certs'($*)) dnl
')
#######################################
##
## Dontaudit Write system SSL certificates in the users homedir.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_write_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_home_certs'($*)) dnl
gen_require(`
type home_cert_t;
')
dontaudit $1 home_cert_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_home_certs'($*)) dnl
')
########################################
##
## dontaudit Search getatrr /root files
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_getattr_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_admin_home_files'($*)) dnl
')
########################################
##
## dontaudit read /root lnk files
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_admin_home_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_admin_home_lnk_files'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_admin_home_lnk_files'($*)) dnl
')
########################################
##
## dontaudit read /root files
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_admin_home_files'($*)) dnl
gen_require(`
type admin_home_t;
')
dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
dontaudit $1 admin_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_admin_home_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary chr files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_chr_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_chr_files'($*)) dnl
')
########################################
##
## Create, read, write, and delete user
## temporary blk files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_manage_user_tmp_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_blk_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_blk_files'($*)) dnl
')
########################################
##
## Dontaudit attempt to set attributes on user temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_setattr_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_tmp'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_tmp'($*)) dnl
')
########################################
##
## Dontaudit attempt to set attributes on user temporary file system files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_setattr_user_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_tmpfs'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
userdom_dontaudit_setattr_user_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_tmpfs'($*)) dnl
')
########################################
##
## Read all inherited users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_read_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_inherited_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_inherited_user_tmp_files'($*)) dnl
')
########################################
##
## Read/write/mmap all inherited users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_mmap_rw_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_mmap_rw_inherited_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file mmap_rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_mmap_rw_inherited_user_tmp_files'($*)) dnl
')
########################################
##
## Read/write all inherited users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_tmp_files'($*)) dnl
')
########################################
##
## Write all inherited users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_write_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_inherited_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_inherited_user_tmp_files'($*)) dnl
')
########################################
##
## Write all inherited users home files
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_inherited_user_home_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_home_sock_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
allow $1 user_home_type:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_home_sock_files'($*)) dnl
')
########################################
##
## Delete all users files in /tmp
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_files'($*)) dnl
gen_require(`
type user_tmp_t;
')
allow $1 user_tmp_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_files'($*)) dnl
')
########################################
##
## Delete user tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_delete_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmpfs_files'($*)) dnl
refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.')
userdom_delete_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmpfs_files'($*)) dnl
')
########################################
##
## Read/Write unpriviledged user SysV shared
## memory segments.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_unpriv_user_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_unpriv_user_shared_mem'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_unpriv_user_shared_mem'($*)) dnl
')
########################################
##
## Do not audit attempts to search user
## temporary directories.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_search_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_tmp'($*)) dnl
gen_require(`
type user_tmp_t;
')
dontaudit $1 user_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_tmp'($*)) dnl
')
########################################
##
## Execute a file in a user home directory
## in the specified domain.
##
##
##
## Execute a file in a user home directory
## in the specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`userdom_domtrans_user_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_domtrans_user_home'($*)) dnl
gen_require(`
type user_home_t;
')
read_lnk_files_pattern($1, user_home_t, user_home_t)
domain_transition_pattern($1, user_home_t, $2)
type_transition $1 user_home_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_domtrans_user_home'($*)) dnl
')
########################################
##
## Execute a file in a user tmp directory
## in the specified domain.
##
##
##
## Execute a file in a user tmp directory
## in the specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
define(`userdom_domtrans_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_domtrans_user_tmp'($*)) dnl
gen_require(`
type user_tmp_t;
')
files_search_tmp($1)
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
domain_transition_pattern($1, user_tmp_t, $2)
type_transition $1 user_tmp_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_domtrans_user_tmp'($*)) dnl
')
########################################
##
## Do not audit attempts to read all user home content files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_all_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_all_user_home_content_files'($*)) dnl
gen_require(`
attribute user_home_type;
')
dontaudit $1 user_home_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_all_user_home_content_files'($*)) dnl
')
########################################
##
## Do not audit attempts to read all user tmp content files.
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_read_all_user_tmp_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_all_user_tmp_content_files'($*)) dnl
gen_require(`
attribute user_tmp_type;
')
dontaudit $1 user_tmp_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_all_user_tmp_content_files'($*)) dnl
')
#######################################
##
## Read and write unpriviledged user SysV sempaphores.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_rw_unpriv_user_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_unpriv_user_semaphores'($*)) dnl
gen_require(`
attribute unpriv_userdomain;
')
allow $1 unpriv_userdomain:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_unpriv_user_semaphores'($*)) dnl
')
########################################
##
## Transition to userdom named content
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_filetrans_home_content'($*)) dnl
gen_require(`
attribute userdom_filetrans_type;
')
typeattribute $1 userdom_filetrans_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_filetrans_home_content'($*)) dnl
')
########################################
##
## Make the specified type able to read content in user home dirs
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_home_reader',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_home_reader'($*)) dnl
gen_require(`
attribute userdom_home_reader_type;
')
typeattribute $1 userdom_home_reader_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_home_reader'($*)) dnl
')
########################################
##
## Make the specified type able to manage content in user home dirs
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_home_manager',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_home_manager'($*)) dnl
gen_require(`
attribute userdom_home_manager_type;
')
typeattribute $1 userdom_home_manager_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_home_manager'($*)) dnl
')
########################################
##
## Create objects in the temporary filesystem directory
## with an automatic type transition to
## the user temporary filesystem type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_tmpfs_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmpfs_filetrans'($*)) dnl
gen_require(`
type user_tmpfs_t;
')
fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmpfs_filetrans'($*)) dnl
')
#######################################
##
## Create objects in the temporary filesystem directory
## with an automatic type transition to
## the user temporary filesystem type.
##
##
##
## Domain allowed access.
##
##
##
##
## The class of the object to be created.
##
##
##
##
## The name of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
define(`userdom_tmpfs_filetrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmpfs_filetrans_to'($*)) dnl
gen_require(`
type user_tmpfs_t;
')
filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmpfs_filetrans_to'($*)) dnl
')
######################################
##
## File name transition for generic home content files.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_filetrans_generic_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_filetrans_generic_home_content'($*)) dnl
gen_require(`
type home_bin_t;
type audio_home_t;
type home_cert_t;
type user_tmp_t;
')
userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
optional_policy(`
gnome_data_filetrans($1, home_cert_t, dir, "certificates")
')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_filetrans_generic_home_content'($*)) dnl
')
########################################
##
## Allow caller to transition to any userdomain
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_transition'($*)) dnl
gen_require(`
attribute userdomain;
')
allow $1 userdomain:process transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_transition'($*)) dnl
')
########################################
##
## Allow caller to nnp_transition to login userdomain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_nnp_transition_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_nnp_transition_login_userdomain'($*)) dnl
gen_require(`
attribute login_userdomain;
')
allow $1 login_userdomain:process2 nnp_transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_nnp_transition_login_userdomain'($*)) dnl
')
########################################
##
## Allow caller to transition to login userdomain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_transition_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_transition_login_userdomain'($*)) dnl
gen_require(`
attribute login_userdomain;
')
allow $1 login_userdomain:process transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_transition_login_userdomain'($*)) dnl
')
########################################
##
## Allow caller noatsecure permission.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_noatsecure_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_noatsecure_login_userdomain'($*)) dnl
gen_require(`
attribute login_userdomain;
')
allow $1 login_userdomain:process noatsecure ;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_noatsecure_login_userdomain'($*)) dnl
')
########################################
##
## Allow caller to send sigchld to login userdomain.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_sigchld_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_sigchld_login_userdomain'($*)) dnl
gen_require(`
attribute login_userdomain;
')
allow $1 login_userdomain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_sigchld_login_userdomain'($*)) dnl
')
########################################
##
## Add caller login userdomain attribute.
##
##
##
## Domain allowed access.
##
##
#
define(`userdom_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_login_userdomain'($*)) dnl
gen_require(`
attribute login_userdomain;
')
typeattribute $1 login_userdomain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_login_userdomain'($*)) dnl
')
########################################
##
## Do not audit attempts to check the
## access on user content files
##
##
##
## Domain to not audit.
##
##
#
define(`userdom_dontaudit_access_check_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_access_check_user_content'($*)) dnl
gen_require(`
attribute user_home_type;
')
dontaudit $1 user_home_type:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_access_check_user_content'($*)) dnl
')
#######################################
##
## The template containing the most basic rules common to confined admin.
##
##
##
## The template containing the most basic rules common to all users.
##
##
## This template creates a user domain, types, and
## rules for the user's tty and pty.
##
##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
##
#
define(`userdom_confined_admin_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_confined_admin_template'($*)) dnl
gen_require(`
attribute confined_admindomain;
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
')
type $1_t, userdomain, confined_admindomain;
role $1_r;
role $1_r types $1_t;
domain_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
auth_use_nsswitch($1_t)
ifelse(`$1',`unconfined',`',`
gen_tunable(`$1_exec_content', true)
tunable_policy(`$1_exec_content',`
userdom_exec_user_tmp_files($1_t)
userdom_exec_user_home_content_files($1_t)
')
tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
fs_exec_nfs_files($1_t)
')
tunable_policy(`$1_exec_content && use_samba_home_dirs',`
fs_exec_cifs_files($1_t)
')
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_confined_admin_template'($*)) dnl
')
########################################
##
## Allow user to run as a secadm
##
##
##
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
##
##
## This is a templated interface, and should only
## be called from a per-userdomain template.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The role of the object to create.
##
##
#
define(`userdom_security_admin_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_security_admin_template'($*)) dnl
allow $1 self:capability { audit_control dac_read_search };
allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms };
corecmd_exec_shell($1)
domain_obj_id_change_exemption($1)
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
files_create_default_dir($1)
files_root_filetrans_default($1, dir)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
mls_process_read_up($1)
mls_file_read_all_levels($1)
mls_file_upgrade($1)
mls_file_downgrade($1)
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
selinux_read_policy($1)
files_relabel_all_files($1)
auth_relabel_shadow($1)
init_exec($1)
logging_send_syslog_msg($1)
logging_read_audit_log($1)
logging_read_generic_logs($1)
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
seutil_manage_default_contexts($1)
seutil_manage_file_contexts($1)
seutil_manage_module_store($1)
seutil_manage_config($1)
seutil_manage_login_config($1)
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
seutil_run_setsebool($1,$2)
seutil_run_setfiles($1, $2)
optional_policy(`
aide_run($1,$2)
')
optional_policy(`
consoletype_exec($1)
')
optional_policy(`
ipsec_run_setkey($1,$2)
')
optional_policy(`
netlabel_run_mgmt($1,$2)
')
optional_policy(`
samhain_run($1, $2)
')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_security_admin_template'($*)) dnl
')
##
divert